In a Kubernetes network policy we can set the Ingress value as a blank array, i.e. [], or we can also set the value as - {}
What is the difference between using these 2 values?
First YAML that I tried - It didn't work
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-policy
spec:
  podSelector:
    matchLabels:
      name: internal
  policyTypes: ["Ingress","Egress"]
  ingress: []
  egress:
  - to:
    - podSelector:
        matchLabels:
          name: mysql
    ports:
    - protocol: TCP
      port: 3306
Second YAML, which was the answer in the Katacoda scenario
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      name: internal
  policyTypes:
  - Egress
  - Ingress
  ingress:
  - {}
  egress:
  - to:
    - podSelector:
        matchLabels:
          name: mysql
    ports:
    - protocol: TCP
      port: 3306
In both cases you have specified Policy Types: Ingress and Egress
ingress: []
This rule is empty and denies all ingress traffic (the same result as when ingress rules are not present in the spec).
You can verify this by running:
kubectl describe networkpolicy internal-policy
Allowing ingress traffic:
<none> (Selected pods are isolated for ingress connectivity)
ingress:
- {}
This rule allows all ingress traffic:
kubectl describe networkpolicy internal-policy
Allowing ingress traffic:
To Port: <any> (traffic allowed to all ports)
From: <any> (traffic not restricted by source)
As per documentation: Network Policies
Ingress rules: Each NetworkPolicy may include a list of whitelist ingress rules. Each rule allows traffic which matches both the from and ports sections.
Hope this helps.
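The difference discussed above can be checked mechanically before a policy is applied. The following is an added example, not part of the original question or answer: a small Python classifier for the ingress side of a single NetworkPolicy spec, given as the dict a YAML parser would return. The function name `ingress_posture`, the posture labels and the third and fourth sample policies are constructed for illustration.

```python
# Added example: classify what one NetworkPolicy spec does to ingress traffic.
# NetworkPolicies are additive, so this describes a single policy in isolation.

def ingress_posture(spec):
    """Return 'not-isolated', 'deny-all', 'allow-all' or 'restricted'."""
    # If policyTypes is omitted, Kubernetes always treats the policy as Ingress.
    policy_types = spec.get("policyTypes") or ["Ingress"]
    if "Ingress" not in policy_types:
        return "not-isolated"        # this policy does not touch ingress at all
    rules = spec.get("ingress") or []
    if not rules:
        return "deny-all"            # `ingress: []` or no ingress key: no rule can match
    for rule in rules:
        rule = rule or {}
        # A rule with no `from` and no `ports` (that is, `{}`) matches all traffic.
        if not rule.get("from") and not rule.get("ports"):
            return "allow-all"
    return "restricted"              # every rule narrows sources and/or ports

SELECTOR = {"matchLabels": {"name": "internal"}}
EGRESS = [{"to": [{"podSelector": {"matchLabels": {"name": "mysql"}}}],
           "ports": [{"protocol": "TCP", "port": 3306}]}]

# The two specs from the question.
FIRST = {"podSelector": SELECTOR, "policyTypes": ["Ingress", "Egress"],
         "ingress": [], "egress": EGRESS}
SECOND = {"podSelector": SELECTOR, "policyTypes": ["Egress", "Ingress"],
          "ingress": [{}], "egress": EGRESS}

# Constructed samples: a ports-only ingress rule, and an egress-only policy.
PORT_ONLY = {"podSelector": SELECTOR, "policyTypes": ["Ingress"],
             "ingress": [{"ports": [{"protocol": "TCP", "port": 8080}]}]}
EGRESS_ONLY = {"podSelector": SELECTOR, "policyTypes": ["Egress"],
               "egress": EGRESS}

def report():
    """Map each sample name to its ingress posture."""
    samples = {"first": FIRST, "second": SECOND,
               "port-only": PORT_ONLY, "egress-only": EGRESS_ONLY}
    return {name: ingress_posture(spec) for name, spec in samples.items()}

if __name__ == "__main__":
    for name, posture in report().items():
        print(f"{name:12} {posture}")
```

A result of `allow-all` is worth flagging in review: the selected pods accept connections from any source on any port, even though the policy lists Ingress in its policyTypes.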