Hi,
When I tried to create a network policy, just to test by myself, I forgot to add the "podSelector" key inside the YAML. The network policy "product-ingress-policy" has been created successfully. (#oc create -f product-ingresspolicy.yaml)
What I don't understand is that the documentation specifies that podSelector is "required" and cannot be omitted. As per my understanding, you should have at least an entry: "podSelector: {}". Why didn't OpenShift return any error at YAML creation? Did I miss something?
Thank you.
So, the issue here is, even though the field is mandatory, the API will automatically identify the lack of the podSelector field and automatically add it as empty.
The best way to confirm this behavior @cipid2001_linux is checking the network policy stored on OCP/K8s by executing the following command after applying the definition provided.
oc get networkpolicy product-ingress-policy -o yaml
Despite the fact you didn't provide a podSelector field, it will be added by the API endpoint as an empty podSelector.
Hope that clarifies the behavior.
Hello @cipid2001_linux !
As far as I know, podSelector is not optional, as is evident from the official documentation and the course lecture:
I guess as long as the YAML syntax is correct and there is no other configuration error in the other fields, it won't give any error and will still create a resource with 'oc create -f' that may not work (without correct policy ingredients).
@Travis thoughts ?
I'm not 100% sure, but what I imagine is happening is that since it was left out, the "empty" pod selector is created. Based on the candidate screenshots above, it shows the pod selector as none or empty.
So the default functionality here is that if it is "empty", then all pods in the namespace will have it applied. Since you aren't including a pod selector, nothing is being filtered out, therefore everything gets selected and the policy gets applied to everything.
I'm currently out so I won't be able to check, but I'm fairly sure that is the case here: since it is a "required" option and it wasn't specified, it was assumed to default to "empty", which is also perfectly valid, and therefore it allowed the policy to be created and applied to everything. I'm tagging @ricardo_jun as I know he does a lot more with these courses and he is actually in the office this week and next.
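An added example (not part of the thread or of any Red Hat tooling) that audits stored policies for the namespace-wide scope described in the replies: it applies Kubernetes label-selector semantics to the `podSelector` of each policy and reports which pods end up selected. The policies, pod names and labels are constructed sample data in the shape of `oc get networkpolicy -o json` items, and `db-ingress-policy` is a hypothetical second policy added for contrast.

```python
import json

# Constructed sample data (names and labels invented for illustration), shaped like
# the items of `oc get networkpolicy -o json`. The first policy is stored with the
# empty selector that the replies say the API fills in when the key is omitted.
POLICIES = json.loads("""
[{"metadata": {"name": "product-ingress-policy"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
 {"metadata": {"name": "db-ingress-policy"},
  "spec": {"podSelector": {"matchLabels": {"app": "db"}, "matchExpressions":
           [{"key": "tier", "operator": "NotIn", "values": ["test"]}]}}}]
""")
PODS = {"web-1": {"app": "web"}, "db-1": {"app": "db", "tier": "prod"},
        "db-test": {"app": "db", "tier": "test"}, "job-1": {}}

def selector_matches(selector, labels):
    """Label-selector semantics: every requirement is ANDed, and a selector
    with no requirements (empty or missing) matches every pod."""
    selector = selector or {}
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op not in ("In", "NotIn", "Exists", "DoesNotExist"):
            raise ValueError(f"unknown operator: {op}")
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True

def audit(policies, pods):
    """Return {policy name: (sorted selected pod names, namespace_wide flag)}."""
    report = {}
    for policy in policies:
        selector = policy["spec"].get("podSelector") or {}
        selected = sorted(n for n, lb in pods.items() if selector_matches(selector, lb))
        wide = not selector.get("matchLabels") and not selector.get("matchExpressions")
        report[policy["metadata"]["name"]] = (selected, wide)
    return report

if __name__ == "__main__":
    for name, (selected, wide) in audit(POLICIES, PODS).items():
        print(f"{name}: {'ALL PODS' if wide else 'scoped'} -> {selected}")
```
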
Thanks much @ricardo_jun @Travis for the clarification!