Are multiple network policy rules processed logically as "and" rules or "or"?

3/6/2018

In the basic example of the documentation for declaring a network policy: https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource

So this sets several rules, as per the documentation:

So, the example NetworkPolicy:

- isolates “role=db” pods in the “default” namespace for both ingress
and egress traffic (if they weren't already isolated)
- allows connections to TCP port 6379 of “role=db” pods in the “default” namespace from any pod in the “default” namespace with the
label “role=frontend”
- allows connections to TCP port 6379 of “role=db” pods
in the “default” namespace from any pod in a namespace with
the label “project=myproject”

...

Does this mean that the pods with the "role=db" label can receive connections from:

  • other pods with labels “role=frontend” AND namespace with label “project=myproject”; or
  • other pods with labels “role=frontend” OR namespace with label “project=myproject”.

Thanks!

-- testTester
kubernetes
kubernetes-networkpolicy

1 Answer

3/6/2018

The Kubernetes network recipe "ALLOW traffic from apps using multiple selectors" is clear:

  • Rules specified in spec.ingress.from are OR'ed.
  • This means the pods selected by the selectors are combined and whitelisted altogether.

-- VonC
Source: StackOverflow
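
The OR behaviour described in the answer, as an added example that is not part of the original question or answer: a simplified Python model of how `spec.ingress.from` peers are evaluated. It goes one step beyond the answer by also showing the AND form that the current Kubernetes documentation describes (both selectors inside a single `from` entry). The function names, namespace names and sample sources are constructed for illustration; only `matchLabels` is modelled, and ports, `ipBlock` and `matchExpressions` are left out.

```python
# Simplified model of NetworkPolicy ingress peer matching (illustrative only).

def selects(selector, labels):
    """An empty selector {} matches everything; otherwise every pair must match."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, src):
    """Selectors inside ONE `from` entry are AND'ed."""
    has_ns, has_pod = "namespaceSelector" in peer, "podSelector" in peer
    if not (has_ns or has_pod):
        return False  # e.g. an ipBlock-only peer, not modelled here
    if has_ns:
        ns_ok = selects(peer["namespaceSelector"], src["ns_labels"])
    else:
        # A podSelector on its own only selects pods in the policy's namespace.
        ns_ok = src["namespace"] == policy_ns
    pod_ok = selects(peer["podSelector"], src["pod_labels"]) if has_pod else True
    return ns_ok and pod_ok

def ingress_allowed(from_peers, policy_ns, src):
    """Separate entries in the `from` list are OR'ed."""
    return any(peer_matches(p, policy_ns, src) for p in from_peers)

# Shape of the documentation example: two list entries -> OR.
FROM_OR = [
    {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
    {"podSelector": {"matchLabels": {"role": "frontend"}}},
]
# Both selectors in a single entry -> AND.
FROM_AND = [
    {"namespaceSelector": {"matchLabels": {"project": "myproject"}},
     "podSelector": {"matchLabels": {"role": "frontend"}}},
]

def source(namespace, ns_labels, role):
    return {"namespace": namespace, "ns_labels": ns_labels,
            "pod_labels": {"role": role}}

# Constructed sample traffic sources; the policy itself lives in "default".
SOURCES = {
    "frontend-in-default": source("default", {}, "frontend"),
    "batch-in-myproject": source("proj", {"project": "myproject"}, "batch"),
    "frontend-in-myproject": source("proj", {"project": "myproject"}, "frontend"),
    "frontend-in-other": source("other", {}, "frontend"),
}

def evaluate(from_peers, policy_ns="default"):
    return {n: ingress_allowed(from_peers, policy_ns, s) for n, s in SOURCES.items()}
```

With the OR form, `batch-in-myproject` is allowed even though it carries no `role=frontend` label, which is the case to check when the namespace label is meant to narrow access rather than widen it.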