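Are multiple network policy rules processed logically as "AND" rules or "OR" rules?

Time: 2018-03-06 04:05:46

Tags: kubernetes kubernetes-networkpolicy

In the basic example in the documentation on declaring a network policy: https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource

So, according to the documentation, this sets up several rules: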

So, the example NetworkPolicy:

- isolates “role=db” pods in the “default” namespace for both ingress
and egress traffic (if they weren’t already isolated)
- allows connections to TCP port 6379 of “role=db” pods in the “default”
namespace from any pod in the “default” namespace with the
label “role=frontend”
- allows connections to TCP port 6379 of “role=db” pods
in the “default” namespace from any pod in a namespace with
the label “project=myproject”
...

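Does this mean that pods with the label "role=db" can receive connections from:

  • Other pods with the label "role=frontend" AND namespaces with the label "project=myproject"; or
  • Other pods with the label "role=frontend" OR namespaces with the label "project=myproject".

Thanks!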

1 answer:

Answer 0: (score: 0)

The Kubernetes network recipe "ALLOW traffic from apps using multiple selectors" is clear:

  • Rules specified in spec.ingress.from are OR'ed.
  • This means the pods selected by the selectors are combined into a whitelist.
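
A small Python model of how the peers in `spec.ingress[].from` combine, added here as an illustration; it is not part of the original answer and is not Kubernetes code. It also goes one step beyond the answer by covering a single `from` element that carries both `namespaceSelector` and `podSelector`, which the Kubernetes NetworkPolicy documentation describes as an AND within that element. All function names, namespaces and pods are constructed for the example.

```python
# Simplified model of NetworkPolicy ingress peers (matchLabels only; ipBlock,
# matchExpressions and ports are left out). Names and data are constructed.

def labels_match(selector, labels):
    # An empty selector ({}) matches every object, as in Kubernetes.
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, source):
    # One element of spec.ingress[].from: selectors inside it are ANDed.
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # e.g. an ipBlock peer, not modelled here
    if ns_sel is None:
        # podSelector on its own only selects pods in the policy's namespace
        ns_ok = source["namespace"] == policy_ns
    else:
        ns_ok = labels_match(ns_sel, source["namespace_labels"])
    pod_ok = pod_sel is None or labels_match(pod_sel, source["pod_labels"])
    return ns_ok and pod_ok

def ingress_allowed(from_peers, policy_ns, source):
    # Separate elements of the from list are ORed: any match allows the source.
    return any(peer_matches(p, policy_ns, source) for p in from_peers)

NS_SEL = {"matchLabels": {"project": "myproject"}}
POD_SEL = {"matchLabels": {"role": "frontend"}}
DOCS_FROM = [{"namespaceSelector": NS_SEL}, {"podSelector": POD_SEL}]    # two peers
COMBINED_FROM = [{"namespaceSelector": NS_SEL, "podSelector": POD_SEL}]  # one peer

def make_src(ns, ns_labels, pod_labels):
    return {"namespace": ns, "namespace_labels": ns_labels, "pod_labels": pod_labels}

PROJECT = {"project": "myproject"}
SOURCES = {
    "frontend in default": make_src("default", {}, {"role": "frontend"}),
    "batch in myproject ns": make_src("team-a", PROJECT, {"role": "batch"}),
    "frontend in myproject ns": make_src("team-a", PROJECT, {"role": "frontend"}),
    "batch in default": make_src("default", {}, {"role": "batch"}),
}

def verdicts(from_peers):
    return {name: ingress_allowed(from_peers, "default", s)
            for name, s in SOURCES.items()}

if __name__ == "__main__":
    for label, peers in (("docs example", DOCS_FROM), ("combined", COMBINED_FROM)):
        print(label, verdicts(peers))
```

With the two-peer list from the documentation example, every pod in a `project=myproject` namespace is allowed regardless of its own labels, which is the over-broad case to check for when reviewing a policy that was meant to require both conditions.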