Typo caused difference in NetworkPolicy yaml file

This content originally appeared on DEV Community and was authored by Cheedge Lee

Compare the following two NetworkPolicy YAML files, np1.yaml and np2.yaml:

# np1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np
  namespace: space1
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: space2
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP

# np2.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np
  namespace: space1
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: space2
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP

They look similar, but a tiny typo produces different results.
Looking carefully, np2.yaml defines two separate egress rules:

  1. Allows traffic to all pods in the namespace space2, without restricting ports.
  2. Allows traffic to any destination on port 53 (TCP and UDP), i.e. DNS traffic.

Each "-" starts a separate list item in YAML, and here each item under egress is a separate rule. In np2.yaml the two rules are combined with a logical OR: traffic is allowed if it matches either the first rule (namespace match) or the second rule (port match).

In np1.yaml, by contrast, to and ports are part of a single rule, which requires traffic to satisfy both constraints (namespace match and port match); it is an AND relationship.

In summary, np2.yaml has two rules, one containing only egress.to and one containing only egress.ports; np1.yaml has only one rule, which contains both the to field and the ports field.
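
The Python sketch below is an added example, not part of the original post: it models how the two egress lists are evaluated (list items are ORed, to and ports inside one item are ANDed) and flags rules that leave the destination or the port unrestricted. The dictionaries are transcribed by hand from np1.yaml and np2.yaml; the function names are hypothetical, and only namespaceSelector.matchLabels peers and numeric ports are modelled.

```python
# Simplified model of NetworkPolicy egress matching (added example).
# Assumption: only namespaceSelector.matchLabels peers and numeric ports.

def ns_peer(name):
    return {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": name}}}

DNS_PORTS = [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]

# spec.egress of the two files, transcribed by hand into parsed form.
NP1_EGRESS = [{"to": [ns_peer("space2")], "ports": DNS_PORTS}]    # one list item
NP2_EGRESS = [{"to": [ns_peer("space2")]}, {"ports": DNS_PORTS}]  # two list items

def peer_matches(peer, dest_labels):
    """dest_labels: labels of the destination namespace, None if outside the cluster."""
    if dest_labels is None:
        return False
    want = peer.get("namespaceSelector", {}).get("matchLabels", {})
    return all(dest_labels.get(k) == v for k, v in want.items())

def rule_allows(rule, dest_labels, port, protocol):
    # Inside one rule, `to` AND `ports` must both match.
    # A missing/empty `to` means any destination; missing/empty `ports` means any port.
    to_ok = not rule.get("to") or any(peer_matches(p, dest_labels) for p in rule["to"])
    ports_ok = not rule.get("ports") or any(
        p["port"] == port and p.get("protocol", "TCP") == protocol
        for p in rule["ports"])
    return to_ok and ports_ok

def egress_allowed(egress_rules, dest_labels, port, protocol):
    # Rules in the egress list are ORed: one matching rule is enough.
    return any(rule_allows(r, dest_labels, port, protocol) for r in egress_rules)

def lint(egress_rules):
    """Return (rule index, finding) for rules that leave a dimension open."""
    findings = []
    for i, rule in enumerate(egress_rules):
        if not rule.get("to"):
            findings.append((i, "no 'to': any destination"))
        if not rule.get("ports"):
            findings.append((i, "no 'ports': all ports"))
    return findings

if __name__ == "__main__":
    space3 = {"kubernetes.io/metadata.name": "space3"}  # constructed test namespace
    for name, rules in (("np1", NP1_EGRESS), ("np2", NP2_EGRESS)):
        print(name, "space3:53/UDP allowed:", egress_allowed(rules, space3, 53, "UDP"))
        print(name, "lint:", lint(rules))
```
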

