Suppose I have 2 network policies, for nodes matching labels "app=database". Suppose:
Even though this is a simple example, how does Kubernetes decide which rule wins? In more complex scenarios with several overlapping rules, maybe covering similar pods, how would this be managed? E.g.: can we define priorities in network policies?
Thanks.
Actually that depends on how your network policy plugin implements it. Currently there's also no way for us to define priorities. If you indeed have conflicting rules, then you made a mistake. You should try to apply policies without conflicting rules.
Kubernetes network policies right now do not allow deny policies. There are only allow policies. You basically put together all the allow policies for the pod to get the allowed connections.
When there are one or more network policies on a pod, all the connections allowed by at least one of the network policies will be allowed.
So how does the default deny work? It just says that the allowed connections are none.
A more detailed explanation is available here.
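The union semantics described in this answer (no selecting policy means allow-all, a selecting policy with an empty ingress list is the "default deny", and every selecting policy's rules are ORed together) can be seen with a small evaluator. The following is an added illustration, not code from the question or the answers and not how any CNI plugin implements it; the pod names, labels and policies are constructed, and each ingress rule is simplified to one `from` selector plus an optional port list.

```python
# Added example: a simplified model of how Kubernetes NetworkPolicy ingress rules
# combine. Pods, labels and policies below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Pod:
    name: str
    labels: Dict[str, str]


@dataclass
class IngressRule:
    # matchLabels for the source pod; None means any source (a rule with no `from`).
    from_selector: Optional[Dict[str, str]] = None
    # Allowed TCP ports; None means every port (a rule with no `ports`).
    ports: Optional[List[int]] = None


@dataclass
class NetworkPolicy:
    name: str
    pod_selector: Dict[str, str]                 # {} selects every pod in the namespace
    ingress: List[IngressRule] = field(default_factory=list)


def matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """matchLabels: every selector key/value must be present on the pod."""
    return all(labels.get(k) == v for k, v in selector.items())


def rule_allows(rule: IngressRule, src: Pod, port: int) -> bool:
    if rule.from_selector is not None and not matches(rule.from_selector, src.labels):
        return False
    if rule.ports is not None and port not in rule.ports:
        return False
    return True


def ingress_allowed(policies: List[NetworkPolicy], src: Pod, dst: Pod, port: int) -> bool:
    selecting = [p for p in policies if matches(p.pod_selector, dst.labels)]
    # No policy selects the destination pod: Kubernetes defaults to allow-all.
    if not selecting:
        return True
    # Otherwise the result is a union: allowed if ANY selecting policy has ANY rule
    # permitting the connection. A selecting policy whose ingress list is empty
    # contributes nothing, which is exactly what a "default deny" policy does.
    return any(rule_allows(r, src, port) for p in selecting for r in p.ingress)


# Constructed sample pods.
DATABASE = Pod("db-0", {"app": "database"})
API = Pod("api-0", {"app": "api", "tier": "backend"})
WEB = Pod("web-0", {"app": "web"})

# Constructed sample policies: one default deny for the namespace plus two
# overlapping allow policies that both select app=database.
DEFAULT_DENY = NetworkPolicy("default-deny-ingress", pod_selector={}, ingress=[])
ALLOW_API_PG = NetworkPolicy(
    "allow-api-to-db", {"app": "database"},
    [IngressRule(from_selector={"app": "api"}, ports=[5432])],
)
ALLOW_BACKEND = NetworkPolicy(
    "allow-backend-tier-to-db", {"app": "database"},
    [IngressRule(from_selector={"tier": "backend"}, ports=None)],
)
POLICIES = [DEFAULT_DENY, ALLOW_API_PG, ALLOW_BACKEND]


def evaluate_examples() -> Dict[str, bool]:
    """Return a few decisions that show the union and default-deny behaviour."""
    return {
        # Permitted by both overlapping policies.
        "api->db:5432": ingress_allowed(POLICIES, API, DATABASE, 5432),
        # Denied by allow-api-to-db (port) but permitted by the tier policy: union wins.
        "api->db:9000": ingress_allowed(POLICIES, API, DATABASE, 9000),
        # Neither allow policy matches app=web, so only default deny applies.
        "web->db:5432": ingress_allowed(POLICIES, WEB, DATABASE, 5432),
        # Only default deny selects the api pod: nothing is allowed in.
        "web->api:80": ingress_allowed(POLICIES, WEB, API, 80),
        # Without the default-deny policy nothing selects the api pod: allow-all.
        "web->api:80 (no default deny)": ingress_allowed([ALLOW_API_PG, ALLOW_BACKEND], WEB, API, 80),
    }


if __name__ == "__main__":
    for case, allowed in evaluate_examples().items():
        print(f"{case:32} {'ALLOW' if allowed else 'DENY'}")
```

The two database policies overlap on `api -> db:5432`, yet there is nothing to "win": both simply add to the allowed set. The only way to narrow what a pod accepts is to make sure every policy that selects it contributes only the intended rules, which is why a namespace-wide default deny is usually the first policy applied.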