AlanAguinaga2
Mission Specialist

DO280 v4.12 - I cannot understand this policy

At lab 10.2 they solved a network policy creation using this label selection. 

It has this spec:

  • Must accept traffic only from within the same workshop or from the ingress controller.


I did not get it. policy-group.network.openshift.io/ingress: "". It is a label of:

oc get namespaces --show-labels | grep ingress or oc describe namespace openshift-host-network -n default

I got some labels there. 

Documentation said I need to use another label to do that:
https://docs.openshift.com/container-platform/4.12/networking/network_policy/about-network-policy.ht... 

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress   # <-------------------------------------------
  podSelector: {}
  policyTypes:
  - Ingress

 

It is very confusing to me because, if I need to create this rule during the exam, I can't understand why I need to use the label policy-group.network.openshift.io/ingress: "" instead of network.openshift.io/policy-group: ingress

Both labels are there at namespace openshift-host-network. 

Do I need to select a label "policy-something" to apply a network policy? 

 

Accepted Solutions
Jcalvod
Flight Engineer

That is the same question that I had days ago. One colleague answered me saying that the two labels really produce the same behavior, but because only policy-group.network.openshift.io/ingress="" will be valid in the future, we have to use that:

Jcalvod_0-1716841981831.png

 

AlanAguinaga2
Mission Specialist

This is the answer. This forum is complaining about formatting, sorry about that.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: workshop
  namespace: template-test
spec:
  podSelector: {}
  ingress:
  - from:
    # peer 1: namespaces of the same workshop
    - namespaceSelector:
        matchLabels:
          workshop: template-test
    # peer 2: namespaces labelled for the ingress controller
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
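
Added example (not part of the original posts or the lab material): a small Python model of how `namespaceSelector.matchLabels` is evaluated, applied to the `workshop` policy above with either ingress label. The namespace names and label sets are constructed, except that `openshift-host-network` carries both labels as reported in the question; `doc-label-only` and `nonempty-value` are hypothetical namespaces.

```python
# Added example, not lab or Red Hat code. Namespace label sets are constructed.

def match_labels(selector, labels):
    """matchLabels: every key must be present with exactly that value.
    {} matches every namespace; "" is a literal empty value, not a wildcard."""
    return all(labels.get(key) == value for key, value in selector.items())

def admitted_namespaces(policy, namespaces):
    """Namespaces allowed as ingress sources. Entries under `from` are ORed."""
    allowed = set()
    for rule in policy["spec"]["ingress"]:
        for peer in rule["from"]:
            selector = peer["namespaceSelector"].get("matchLabels", {})
            allowed.update(name for name, labels in namespaces.items()
                           if match_labels(selector, labels))
    return sorted(allowed)

def workshop_policy(ingress_label):
    """The thread's `workshop` policy with the ingress-controller label swappable."""
    return {"spec": {"podSelector": {}, "ingress": [{"from": [
        {"namespaceSelector": {"matchLabels": {"workshop": "template-test"}}},
        {"namespaceSelector": {"matchLabels": ingress_label}},
    ]}]}}

LAB_LABEL = {"policy-group.network.openshift.io/ingress": ""}
DOC_LABEL = {"network.openshift.io/policy-group": "ingress"}

NAMESPACES = {  # constructed sample data
    "template-test": {"workshop": "template-test"},
    "other-workshop": {"workshop": "other"},
    "openshift-host-network": {**LAB_LABEL, **DOC_LABEL},  # both, as in the thread
    "doc-label-only": dict(DOC_LABEL),  # hypothetical namespace
    "nonempty-value": {"policy-group.network.openshift.io/ingress": "true"},
}

if __name__ == "__main__":
    print("lab label:", admitted_namespaces(workshop_policy(LAB_LABEL), NAMESPACES))
    print("doc label:", admitted_namespaces(workshop_policy(DOC_LABEL), NAMESPACES))
```

The model covers label matching only: a namespace is admitted by whichever label the selector names, so the two variants agree on a namespace that carries both labels and differ on one that carries only one of them.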
