Are network policies applied to service or endpoints?

4/4/2019

If I have a Kubernetes service (cluster IP with port 12345) with three pods behind it as endpoints (port 16789) in a namespace, what should be whitelisted in the network policy: just the service port, the endpoint port, or the DNS port? A network policy can only take pod/namespace labels as selectors, not service labels. It is not clear from the documentation. I am trying to access the service from a different namespace. The environment uses Calico as the CNI.

-- Hem
cni
kubernetes
project-calico

1 Answer

4/5/2019

The network policies are applied on the pods' network interfaces. You can have a pod without a service and still want to add a network policy.

So you have to allow port 16789.

-- Darkjeff
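The following is an added example, not part of the original question or answer, showing what the policy for the scenario above looks like. The names are assumptions: the three pods run in a namespace "backend" and carry the label app: api (the same labels the Service's selector uses), the client runs in a namespace "frontend", and the Namespace objects have been labelled team: frontend / team: backend / team: kube-system by hand. The port that appears in the policy is the pod port 16789: kube-proxy rewrites the ClusterIP:12345 destination to podIP:16789 before Calico evaluates the rules on the pod's veth, so the Service port 12345 never reaches the policy engine. The second policy is only needed if the client namespace has a default-deny egress policy; in that case DNS (port 53 to kube-system) has to be opened as well or the client cannot resolve the Service name.

```yaml
# Added example (not from the original post). Assumed names: namespace "backend"
# with pods labelled app: api, namespace "frontend" for the client, and the
# Namespace objects labelled team: frontend / team: backend / team: kube-system.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: backend            # the namespace holding the pods, not the client
spec:
  podSelector:
    matchLabels:
      app: api                  # pod labels (same as the Service selector), never Service labels
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: frontend        # label on the client Namespace object
    ports:
    - protocol: TCP
      port: 16789               # containerPort / Service targetPort, NOT the Service port 12345
---
# Only required if "frontend" has a default-deny egress policy. Egress is also
# evaluated after kube-proxy's DNAT, so the pod port is used here as well.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-api-and-dns
  namespace: frontend
spec:
  podSelector: {}               # all pods in the client namespace
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          team: backend
      podSelector:              # namespaceSelector AND podSelector in one entry
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 16789
  - to:
    - namespaceSelector:
        matchLabels:
          team: kube-system     # assumed label; kube-system is not labelled by default
    ports:
    - protocol: UDP
      port: 53                  # DNS, needed to resolve the Service name
    - protocol: TCP
      port: 53
```

Apply with `kubectl apply -f` and verify from a client pod in "frontend" with a connection to the Service name on port 12345; traffic to 12345 is allowed because it arrives at the pod as 16789. A quick negative check is to change the ingress port to 12345 and confirm the same connection now times out, which demonstrates that the policy sees the post-DNAT pod port.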
Source: StackOverflow