What is the difference between ingress value as blank array and value - {}?

7/10/2019

In kubernetes network policy we can set Ingress value as blank array i.e. [] or we can also set value as - {}

What is the difference between using these 2 values?

First YAML that I tried - It didn't work

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-policy
spec:
  podSelector:
    matchLabels:
      name: internal
  policyTypes: ["Ingress","Egress"]
  ingress: []
  egress:
  - to:
    - podSelector:
        matchLabels:
          name: mysql
    ports:
    - protocol: TCP
      port: 3306

Second YAML that was answer in katacoda scenario

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      name: internal
  policyTypes:
  - Egress
  - Ingress
  ingress:
    - {}
  egress:
  - to:
    - podSelector:
        matchLabels:
          name: mysql
    ports:
    - protocol: TCP
      port: 3306
-- V.S.
katacoda
kubernetes
kubernetes-ingress
nginx-ingress
traefik-ingress

1 Answer

7/11/2019

In both cases you have specified Policy Types: Ingress and Egress

  1. In the first example:
     ingress: []

this rule (is empty) and deny all ingress traffic, (the same result if ingress rule are not present in the spec).

You can verify this by running:

kubectl describe networkpolicy internal-policy 

Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  1. In the second example:
     ingress:
        - {}

this rule allow all ingress traffic:

kubectl describe networkpolicy internal-policy 

 Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From: <any> (traffic not restricted by source)

As per documentation: Network Policies

Ingress rules: Each NetworkPolicy may include a list of whitelist ingress rules. Each rule allows traffic which matches both the from and ports sections.

Hope this help.

-- Hanx
Source: StackOverflow