Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Are multiple network policies rules processed logically as "and" rules or "or"?

Tags:

kubernetes

kubernetes-networkpolicy

In the basic example of the documentation for declaring a network policy: https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource

So this sets several rules, as per the documentation:

So, the example NetworkPolicy:

- isolates “role=db” pods in the “default” namespace for both ingress
and egress traffic (if they weren’t already isolated)
- allows connections to TCP port 6379 of “role=db” pods in the “default”
namespace from any pod in the “default” namespace with the
label “role=frontend”
- allows connections to TCP port 6379 of “role=db” pods
in the “default” namespace from any pod in a namespace with
the label “project=myproject”
...

Does this means that the pods of "role=db" label can receive connections from:

  • other pods with labels “role=frontend” AND namespace with label “project=myproject”; or
  • other pods with labels “role=frontend” OR namespace with label “project=myproject”.

Thanks!

like image 686
testTester Avatar asked Mar 06 '18 04:03

testTester

People also ask

What rule can be defined for a network policy?

Network policies can be viewed as rules. Each rule has a set of conditions and settings. NPS compares the conditions of the rule to the properties of connection requests. If a match occurs between the rule and the connection request, the settings defined in the rule are applied to the connection.

Are Kubernetes network policies stateful?

NetworkPolicy is stateful and will allow an established connection to communicate both ways.

What is network policy in Kubernetes?

If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), NetworkPolicies allow you to specify rules for traffic flow within your cluster, and also between Pods and the outside world. Your cluster must use a network plugin that supports NetworkPolicy enforcement.

Does canal support network policy?

Canal. If you want to use Flannel for networking but you need to define some network policies, yo can do it with Canal. The Canal means you're using Calico for policy and flannel for networking. For more details check Project Calico documentation.

1 Answers

The kubernetes network recipe "ALLOW traffic from apps using multiple selectors" is clear:

  • Rules specified in spec.ingress.from are OR'ed.
  • This means the pods selected by the selectors are combined are whitelisted altogether.
like image 158
VonC Avatar answered Nov 14 '22 16:11

VonC
Sign in to Comment

Related questions

kubernetes nginx ingress with proxy protocol ended up with broken header
Using kubernetes init containers on a private repo
Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring
Unable to enter a kubernetes pod. Error from server: error dialing backend: dial tcp: lookup (node hostname) on 168.63.129.16:53: no such host
Is there an include directive for Kubernetes yaml resource definitions?
Kubernetes Persistent Volume and hostpath
Kubernetes's http liveness probe failed when pod under heavy load
JVM initial CPU spike in a Docker container
How to set environment variable in container from Kubernetes?
Kubernetes DNS intermittently failing with kube-dns service and CoreDNS pods seeming OK
How can I have replicated pods with an init container that is run only once?
Elastic search kubernetes Sudden rise in data disk usage
How to use the kubernetes-client for executing "kubectl apply"
Staging and Production on Kubernetes
Why is Internal memory in java Native Memory Tracking increasing
Running socket.io in Google Container Engine with multiple pods fails
Login attempts to Nexus OSS Docker repo throwing 404
Kubernetes, can't reach other node services
Kubernetes pod still in "ContainerCreating" status
Installing Helm chart locally: “Error: gzip: invalid header”

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!