Mayur Sharma:
Hi team,
I have one more doubt where I think the video lecture is not in sync with the Kubernetes documentation for Network Policy. Timeline: 5:30 (I could be wrong, please correct me).
In the "104. Develop network policies" video, it is mentioned that if only podSelector is defined under the ingress.from element, then the connection is allowed from all the pods in all the namespaces.
I found this statement contradictory to the documentation of network policy; quoting it here:
“podSelector: This selects particular Pods in the same namespace as the NetworkPolicy which should be allowed as ingress sources or egress destinations.”
Source - https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource
I tried the above doubt with the following scenario:
- Created the nginx pod in the default namespace and exposed it at port 80 with the label role: app
- Then I created the busybox container in another namespace with the label access: app and tried to connect to the service nginx.default (Success)
- Then I created the netpol with the content below
- Then, when I repeated #2 again, it FAILED (success if I access it from the same namespace)
{code}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: app
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: app
{code}
Please correct me if I have understood anything wrongly.
Thanks!
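Added example, not the poster's manifest or the course's: the policy form that would let the busybox pod in another namespace through, pairing namespaceSelector with podSelector in a single from entry so that both must match. The namespace name client-ns is an assumed placeholder for wherever the busybox pod runs.

```yaml
# Added example. A bare podSelector under from: only matches pods in the
# policy's own namespace (default here), which is why the cross-namespace
# busybox test failed. To admit that pod, the from entry must also select
# its namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: app            # the nginx pod being protected
  policyTypes:
  - Ingress
  ingress:
  - from:
    # ONE list item carrying both selectors: the source pod must live in a
    # namespace matching namespaceSelector AND carry access: app (logical AND).
    # client-ns is a placeholder for the busybox pod's namespace;
    # kubernetes.io/metadata.name is set on every namespace from Kubernetes 1.22.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: client-ns
      podSelector:
        matchLabels:
          access: app
    # Contrast: writing them as two separate items (commented out below) is a
    # logical OR and would admit every pod in client-ns plus every access: app
    # pod in default, which is usually wider than intended.
    # - namespaceSelector:
    #     matchLabels:
    #       kubernetes.io/metadata.name: client-ns
    # - podSelector:
    #     matchLabels:
    #       access: app
```

Applying this and repeating step 2 is the check: the connection from the labelled busybox pod in client-ns should succeed again, while pods in any other namespace stay blocked.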