Question about network policy

htanaka · ‎12-12-2021

Hi I'm learning D0280 and I have question about networkpolicy. In the course, "allow-from-openshift-ingress" rule is defined like this:

piVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress

But OCP 4.6 product document says like this (Using different label to select the namespace):

https://docs.openshift.com/container-platform/4.6/networking/network_policy/multitenant-network-poli...

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
  podSelector: {}
  policyTypes:
  - Ingress

I wonder which is correct or both valid ?

JustinP · ‎01-22-2022

Good question.

Without a cluster setup to test that, I can't verify but my gut doesn't like the 2nd example. Empty quotes as the value of the keypair?! Maybe if someone wanted to keep the policy around but force the label to match nothing, so the empty string "" ??

k8's netpolicy doc gives 3 examples and all have some keypair with string value: https://kubernetes.io/docs/concepts/services-networking/network-policies/

Is there more context for your class using this snippet?

--
Sr. Solution Architect

htanaka · ‎01-24-2022

Thank you for your reply. I contacted with redhat learning support and it looks like an error of OCP product documentation.

Question about network policy

OpenShift