htanaka
Mission Specialist

Question about network policy

Hi, I'm learning D0280 and I have a question about NetworkPolicy. In the course, the "allow-from-openshift-ingress" rule is defined like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress

But the OCP 4.6 product documentation says this (using a different label to select the namespace):

https://docs.openshift.com/container-platform/4.6/networking/network_policy/multitenant-network-poli...

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
  podSelector: {}
  policyTypes:
  - Ingress

I wonder which is correct, or are both valid?

2 Replies
JustinP
Flight Engineer

Re: Question about network policy

Good question.

Without a cluster setup to test that, I can't verify, but my gut doesn't like the 2nd example. Empty quotes as the value of the keypair?! Maybe if someone wanted to keep the policy around but force the label to match nothing, so the empty string ""??

The k8s netpolicy doc gives 3 examples, and all have some keypair with a string value: https://kubernetes.io/docs/concepts/services-networking/network-policies/

Is there more context for your class using this snippet?

--
Sr. Solution Architect
Red Hat - NA - ISVs
htanaka
Mission Specialist

Re: Question about network policy

Thank you for your reply. I contacted Red Hat learning support, and it looks like an error in the OCP product documentation.

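An added example, not part of the original posts or the course material: a small Python evaluator for Kubernetes label selectors, run against both `namespaceSelector` variants quoted in the thread. It goes beyond `matchLabels` to cover `matchExpressions`; the namespace names and label sets are constructed, so the result on a real cluster depends on the labels the ingress namespace actually carries.

```python
# Added example: Kubernetes LabelSelector semantics applied to the two
# namespaceSelectors quoted in this thread. All namespace data is constructed.

def selector_matches(selector, labels):
    """Return True if `labels` satisfies a LabelSelector dict.

    matchLabels and matchExpressions are ANDed together; an empty
    selector ({}) matches everything, as with `podSelector: {}`.
    """
    for key, value in selector.get("matchLabels", {}).items():
        # The key must exist AND the value must be equal; "" is a real value.
        if key not in labels or labels[key] != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        if op == "In":
            ok = key in labels and labels[key] in values
        elif op == "NotIn":
            ok = key not in labels or labels[key] not in values
        elif op == "Exists":
            ok = key in labels
        elif op == "DoesNotExist":
            ok = key not in labels
        else:
            raise ValueError(f"unknown operator: {op}")
        if not ok:
            return False
    return True

# The two selectors from the thread (course material vs. product docs).
COURSE = {"matchLabels": {"network.openshift.io/policy-group": "ingress"}}
DOCS = {"matchLabels": {"policy-group.network.openshift.io/ingress": ""}}

# Constructed namespace label sets (hypothetical, not read from a cluster).
NAMESPACES = {
    "ns-a": {"network.openshift.io/policy-group": "ingress"},
    "ns-b": {"policy-group.network.openshift.io/ingress": ""},
    "ns-c": {"network.openshift.io/policy-group": "ingress",
             "policy-group.network.openshift.io/ingress": ""},
    "ns-d": {"policy-group.network.openshift.io/ingress": "true"},
    "ns-e": {},
}

def allowed_namespaces(selector):
    """Names of the constructed namespaces the selector admits traffic from."""
    return sorted(n for n, l in NAMESPACES.items() if selector_matches(selector, l))

if __name__ == "__main__":
    print("course selector:", allowed_namespaces(COURSE))
    print("docs selector:  ", allowed_namespaces(DOCS))
```

Each policy admits ingress only from namespaces that carry its exact key and value, so comparing the selector against the output of `oc get namespace <name> --show-labels` shows which variant applies on a given cluster.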