Are multiple network policy rules processed logically as "and" rules or "or"?
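In the basic example from the documentation for declaring a network policy:
https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource
So, according to the documentation, this sets up several rules: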
So, the example NetworkPolicy:
- isolates “role=db” pods in the “default” namespace for both ingress
and egress traffic (if they weren’t already isolated)
- allows connections to TCP port 6379 of “role=db” pods in the “default”
namespace from any pod in the “default” namespace with the
label “role=frontend”
- allows connections to TCP port 6379 of “role=db” pods
in the “default” namespace from any pod in a namespace with
the label “project=myproject”
...
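Does this mean that pods labeled "role=db" can receive connections from:
- other pods labeled “role=frontend” and in a namespace labeled “project=myproject”; or
- other pods with the label “role=frontend” or in a namespace with the label “project=myproject”.
Thanks!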
The Kubernetes network recipe "ALLOW traffic from apps using multiple selectors" makes it clear:
- Rules specified in spec.ingress.from are OR'ed.
- This means the pods selected by the selectors are combined are whitelisted altogether.
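The two readings from the question, written out as an added example (not part of the original post or the Kubernetes documentation). The policy names db-allow-or and db-allow-and are hypothetical; the labels, namespace and port are the ones quoted in the question.

```yaml
# OR reading: two separate entries under `from`; a peer matching either one is allowed.
# Policy names in this file are hypothetical; labels and port come from the question.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-allow-or
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:      # entry 1: any pod in a namespace labelled project=myproject
            matchLabels:
              project: myproject
        - podSelector:            # entry 2: role=frontend pods in the policy's own namespace
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 6379
---
# AND reading: one entry carrying both selectors; a peer must satisfy both.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-allow-and
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:      # single entry: only role=frontend pods
            matchLabels:          # that run in a project=myproject namespace
              project: myproject
          podSelector:            # no leading dash, so this belongs to the same entry
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 6379
```

The only textual difference is the dash in front of podSelector. When the intent is least privilege, check for that dash in review, because the OR form admits every pod in any namespace labelled project=myproject.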