htanaka
Mission Specialist
Mission Specialist
  • 695 Views

Question about network policy

Hi I'm learning D0280 and I have question about networkpolicy. In the course, "allow-from-openshift-ingress" rule is defined like this:

piVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress

But OCP 4.6 product document says like this (Using different label to select the namespace):

https://docs.openshift.com/container-platform/4.6/networking/network_policy/multitenant-network-poli...

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
  podSelector: {}
  policyTypes:
  - Ingress

I wonder which is correct or both valid ?

Labels (1)
2 Replies
JustinP
Flight Engineer
Flight Engineer
  • 494 Views

Good question.

Without a cluster setup to test that, I can't verify but my gut doesn't like the 2nd example.  Empty quotes as the value of the keypair?!  Maybe if someone wanted to keep the policy around but force the label to match nothing, so the empty string "" ??

k8's netpolicy doc gives 3 examples and all have some keypair with string value: https://kubernetes.io/docs/concepts/services-networking/network-policies/

Is there more context for your class using this snippet?

--
Sr. Solution Architect
Red Hat - NA - ISVs
htanaka
Mission Specialist
Mission Specialist
  • 463 Views

Thank you for your reply. I contacted with redhat learning support and it looks like an error of OCP product documentation.

Join the discussion
You must log in to join this conversation.