Edmund Kueh:
Hi, for network policy, is there any difference between {} and []?
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-all
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - {}
ns680:
[] denies everything and {} allows everything. Not sure if it is very intuitive but it is what it is. I found this link shared by a member here very useful to understand network policies: https://github.com/ahmetb/kubernetes-network-policy-recipes
Edmund Kueh:
@ns680 Thanks for sharing… I do find the YAML file provided in the tutorial slightly different from the official documentation… For example, there is no key -from: or -to: under the ingress and egress block… For example, if I have 2 egress rules, can I write my YAML file as follows, with 2 -to keys?
egress:
- to:
  - namespaceSelector:
      matchLabels:
        namespace: project-snake
  - podSelector:
      matchLabels:
        app: db1
  ports:
  - protocol: TCP
    port: 1111
- to:
  - namespaceSelector:
      matchLabels:
        namespace: project-snake
  - podSelector:
      matchLabels:
        app: db2
  ports:
  - protocol: TCP
    port: 2222
ns680:
Yes, the above YAML snippet is a valid egress specification. It will open the egress traffic below:
  Allowing egress traffic:
    To Port: 1111/TCP
    To:
      NamespaceSelector: namespace=project-snake
    To:
      PodSelector: app=db1
    ----------
    To Port: 2222/TCP
    To:
      NamespaceSelector: namespace=project-snake
    To:
      PodSelector: app=db2
It does not do anything to ingress if policyTypes is only Egress, but it will stop all ingress if policyTypes are both Ingress and Egress. Hope it helps.