Update the Network Policies Page #49390
cc @natalisucks and @4rivappa |
The reporter of #45615 talks about "making simpler for developers and students to quickly pick up an example and use it". I think that while they specifically reference this example, that's just because this is one of the only examples in the document. But adding another clause to this example obscures the point that the example is currently trying to make ("be careful of hyphens when using combined namespace-and-pod-selector rules"). I think what #45615 really wants is just more examples in this file in general. |
Thanks for the feedback, @danwinship. #45615 specifically said we should add the below.
This PR adds the behavior of the "to" behavior. Line 53 says there is a If you can take a second look again, I'll appreciate it. However, if you insist that this is still the wrong PR for this issue, I can close it. |
I am worried about people making assumptions, such as that both ingress and egress are required, or that ingress rules always use `from` and egress rules always use `to`.
What can we change to make the concept easier to learn? (We could add a tutorial, but that is a lot of work).
I know that https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-egress-traffic makes it clear why `to` is optional, but: we don't want people to have to read the page several times to understand it.
About the tutorial @sftim, if you or @danwinship can specify exactly what we should include in it, it’ll be easier to work on. What I have noticed in this network policy page is that it doesn’t explicitly state that “{}” acts as a wildcard to indicate no restrictions. |
That's true though. (If we had implemented ingress and egress at the same time we probably would have used something generic like |
About assumptions; here's a NetworkPolicy that uses neither

```yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress
```
I think I explained it badly before! |
A nice first policy to show might be one that allows all egress but restricts ingress; that's a very common story to tell. |
That's a nice suggestion, @sftim. I believe you mean this.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-restrict-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
  egress:
  - {}
  ingress: [] # Removing this line also works
```

I can include it at Line 267. |
even better, IMO, is that you either:
|
I think I will drop the namespace entirely. The other examples don't have them. |
[APPROVALNOTIFIER] This PR is NOT APPROVED
Let me also know what you think about Lines 213 - 225 on the network policies docs page. |
Description
This PR improves the understanding of the `to` and `from` selectors in a network policy. It adds an egress example when describing a namespaceSelector and podSelector. The previous explanation only included an ingress example.
Issue
Closes: #45615
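
To make the cases discussed in this conversation concrete (a rule of `{}`, an empty rule list `[]`, and an omitted `ingress` key), here is a simplified model of how a pod's allowed traffic follows from the policies that select it. It is an added example, not code from this PR or from Kubernetes; the function names and the `FRONTEND_ONLY` policy are constructed, and only same-namespace `podSelector` peers are modelled (no ports, `namespaceSelector` or `ipBlock`).

```python
# Added illustration: simplified NetworkPolicy evaluation, not Kubernetes code.
# Assumptions: only podSelector peers with matchLabels are modelled; ports,
# namespaceSelector and ipBlock are ignored; all pods share one namespace.

def selector_matches(selector, labels):
    # An empty selector ({}) has no requirements, so it matches every pod.
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())

def policy_types(spec):
    # API defaulting: Ingress always; Egress only if egress rules are present.
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress"] + (["Egress"] if spec.get("egress") else [])

def rule_allows(rule, peer_key, peer_labels):
    peers = rule.get(peer_key)
    if not peers:
        return True  # no from/to in the rule (e.g. `- {}`): any peer matches
    return any("podSelector" in p
               and selector_matches(p["podSelector"], peer_labels)
               for p in peers)

def traffic_allowed(policies, pod_labels, direction, peer_labels):
    key, peer_key = (("ingress", "from") if direction == "Ingress"
                     else ("egress", "to"))
    specs = [p["spec"] for p in policies
             if direction in policy_types(p["spec"])
             and selector_matches(p["spec"].get("podSelector", {}), pod_labels)]
    if not specs:
        return True  # no policy isolates the pod in this direction
    # Isolated: allowed only if some rule of some applicable policy matches.
    return any(rule_allows(rule, peer_key, peer_labels)
               for spec in specs for rule in (spec.get(key) or []))

# The two policies from the conversation, as dicts (metadata omitted).
ALLOW_ALL_INGRESS = {"spec": {
    "podSelector": {}, "ingress": [{}], "policyTypes": ["Ingress"]}}
ALLOW_EGRESS_RESTRICT_INGRESS = {"spec": {
    "podSelector": {}, "policyTypes": ["Egress", "Ingress"],
    "egress": [{}], "ingress": []}}
# Constructed for contrast: ingress only from pods labelled role=frontend.
FRONTEND_ONLY = {"spec": {
    "podSelector": {}, "policyTypes": ["Ingress"],
    "ingress": [{"from": [
        {"podSelector": {"matchLabels": {"role": "frontend"}}}]}]}}
```

Policies are additive in this model as in the API: a pod selected by both `ALLOW_EGRESS_RESTRICT_INGRESS` and `FRONTEND_ONLY` accepts ingress from `role=frontend` peers and nothing else.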