Check the following two NetworkPolicy YAML files, np1.yaml and np2.yaml:
```yaml
# np1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np
  namespace: space1
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: space2
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
```

```yaml
# np2.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np
  namespace: space1
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: space2
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
```

They look similar, but a tiny typo here leads to very different results.
If we look carefully, we will find that np2.yaml defines two separate egress rules:
- one allows traffic to all pods in the namespace space2 without specifying any ports;
- the other allows traffic to any destination on port 53 (TCP and UDP), i.e. DNS traffic.
The leading "-" starts a new list item in YAML, i.e. a separate rule. In np2.yaml the two rules are logically ORed: traffic is allowed if it satisfies either the first rule (namespace match) or the second rule (port match).
In np1.yaml, by contrast, to and ports belong to a single rule, so traffic must satisfy both constraints (namespace match and port match); it is an AND relationship.
In summary: np1.yaml has one egress rule that carries both a to list and a ports list (egress[0].to and egress[0].ports), while np2.yaml has two egress rules, one with only to (egress[0].to) and one with only ports (egress[1].ports). The second form unintentionally opens DNS egress to every namespace and all ports to space2.
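To make the OR-between-rules / AND-within-a-rule semantics concrete, here is an added example (not from the original post) that evaluates both policies' spec.egress against a few flows. It models only namespaceSelector.matchLabels peers; the destination namespace labels are constructed for the comparison.

```python
# Added example, not code from the original post. Only namespaceSelector
# matchLabels is modelled; podSelector and ipBlock peers are left out.

def _to_matches(rule, dst_ns_labels):
    peers = rule.get("to")
    if not peers:                     # no `to` list -> any destination
        return True
    for peer in peers:
        sel = peer.get("namespaceSelector", {}).get("matchLabels", {})
        if all(dst_ns_labels.get(k) == v for k, v in sel.items()):
            return True
    return False

def _ports_match(rule, port, protocol):
    ports = rule.get("ports")
    if not ports:                     # no `ports` list -> any port/protocol
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol
               for p in ports)

def egress_allowed(egress_rules, dst_ns_labels, port, protocol):
    """Rules in spec.egress are OR'ed; inside one rule `to` AND `ports` must match."""
    return any(_to_matches(r, dst_ns_labels) and _ports_match(r, port, protocol)
               for r in egress_rules)

# spec.egress of np1.yaml and np2.yaml from the post, transcribed as dicts.
SPACE2 = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "space2"}}}
DNS = [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]
NP1_EGRESS = [{"to": [SPACE2], "ports": DNS}]      # one rule: to AND ports
NP2_EGRESS = [{"to": [SPACE2]}, {"ports": DNS}]    # two rules: to OR ports

# Constructed destination namespaces used for the comparison.
NS_SPACE2 = {"kubernetes.io/metadata.name": "space2"}
NS_SPACE3 = {"kubernetes.io/metadata.name": "space3"}

def compare():
    """Return {flow: (allowed_by_np1, allowed_by_np2)} for three flows."""
    flows = {
        "dns_to_space2": (NS_SPACE2, 53, "UDP"),
        "http_to_space2": (NS_SPACE2, 80, "TCP"),
        "dns_to_space3": (NS_SPACE3, 53, "UDP"),
    }
    return {name: (egress_allowed(NP1_EGRESS, *f), egress_allowed(NP2_EGRESS, *f))
            for name, f in flows.items()}

if __name__ == "__main__":
    for name, (np1, np2) in compare().items():
        print(f"{name:15s} np1={np1!s:5s} np2={np2}")
```

Only DNS to space2 passes under np1; np2 additionally lets HTTP reach space2 and DNS reach any namespace.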