cipid2001_linux
Mission Specialist
Mission Specialist
  • 599 Views

Ch4- Network Policy - "podSelector" is optional ?

Jump to solution

Hi, 

   When I tried to create network policy, just to test by myself, I forgot to add "podSelector" key inside the yaml. The network policy "product-ingress-policy" has been created successfully. (#oc create -f product-ingresspolicy.yaml

   What I don't understand in documentation is specified the podselector is "required" and it is not optional to be missed. As per my understanding, at least you should have an entry: "podSelector: {}".          Why Openshift didn't return any error at yaml creation ? Did I miss something ?   

cipid2001_linux_0-1706451407123.png

cipid2001_linux_1-1706451525362.png

cipid2001_linux_2-1706451853532.png

Thank you.

1 Solution

Accepted Solutions
ricardo_jun
Moderator
Moderator
  • 445 Views

@Chetan_Tiwary_ 

So, the issue here is, even though the field is mandatory, the API will automatically identify the lack of the podSelector field and automatically add it as empty. 

The best way to confirm this behavior @cipid2001_linux is checking the network policy stored on OCP/K8s by executing the following command after applying the definition provided.

oc get networkpolicy product-ingress-policy -o yaml

Despite the fact you didn't provide a podSelector field, it will be added by the API endpoint as an empty podSelector.

Hope that clarifies the behavior.

View solution in original post

4 Replies
Chetan_Tiwary_
Moderator
Moderator
  • 480 Views

Hello @cipid2001_linux !

As far as I know - podSelector is not optional and is evident from official documentation and the course lecture :

Chetan_Tiwary__0-1708031906077.png

Chetan_Tiwary__2-1708032365648.png

 

Chetan_Tiwary__1-1708031935757.png

I guess as long as the yaml syntax is correct and there is no another configuration error with other fields - it wont give any error and will still create a resource with 'oc create -f'   that may not work ( without correct policy ingredients ).

@Travis thoughts ?

 

0 Kudos
Travis
Moderator
Moderator
  • 455 Views

@Chetan_Tiwary_ -

I'm not 100% sure, but what I'm imagining that is happening is that since it was left out, the "Empty" pod selector is created. Based on the candidate screenshots above, it shows pod selector as none or empty.

So the default functionality here is that if it is "empty" than all pods in the namespace will have it applied. Since you aren't including a pod selector, nothing is being filtered out, therefore everything gets selected and the policy gets applied to everything.

I'm currently out so I won't be able to check, but I'm fairly sure that is the case here in that since it is a "required" option and it wasn't specified, it was assumed to be default to "empty" which is also perfectly valid and therefore it allowed the policy to be created and applied to everything. I'm tagging @ricardo_jun as I know he does a lot more with these courses and he is actually in the office this week and next.

 

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training
ricardo_jun
Moderator
Moderator
  • 446 Views

@Chetan_Tiwary_ 

So, the issue here is, even though the field is mandatory, the API will automatically identify the lack of the podSelector field and automatically add it as empty. 

The best way to confirm this behavior @cipid2001_linux is checking the network policy stored on OCP/K8s by executing the following command after applying the definition provided.

oc get networkpolicy product-ingress-policy -o yaml

Despite the fact you didn't provide a podSelector field, it will be added by the API endpoint as an empty podSelector.

Hope that clarifies the behavior.

Chetan_Tiwary_
Moderator
Moderator
  • 433 Views

thanks much @ricardo_jun @Travis for the clarification !

0 Kudos
Join the discussion
You must log in to join this conversation.