When configuring some network resources, you should be aware of certain restrictions.

NSX-T Data Center Tagging Limits

NSX-T Data Center has the following limits on tagging an object:

  • The scope has a limit of 128 characters.
  • The tag has a limit of 256 characters.
  • Each object can have a maximum of 30 tags.

These limits might cause issues when Kubernetes or OpenShift annotations are copied to NSX-T Data Center scopes and tags and the limits are exceeded. For example, if a tag is for a switch port and the tag is used in a firewall rule, the rule might not be applied as expected because the annotation key or value was truncated when copied to a scope or tag.

Configuring Network Policies

Network policies select pods or namespaces using label selectors.

NCP's support for network policies is the same as the support provided by Kubernetes and depends on the Kubernetes version.

  • Kubernetes 1.11 - You can specify the following rule selectors:
    • podSelector: This selects all the pods that are in the namespace where the network policy is created.
    • namespaceSelector: This selects all the namespaces.
    • podSelector AND namespaceSelector: This selects all the pods that are in the namespaces selected by namespaceSelector.
    • ipBlockSelector: A network policy is invalid if ipBlockSelector is combined with either namespaceSelector or podSelector. An ipBlockSelector must be present in the policy spec by itself.
  • Kubernetes 1.10 - The rule clauses in the network policy may contain at most one selector from namespaceSelector, podSelector and ipBlock.

The Kubernetes API server does not perform validation of a network policy specification. It is possible to create a network policy that is invalid. NCP will reject such a network policy. If you update the network policy to make it valid, NCP will still not process the network policy. You must delete the network policy and recreate one with a valid specification.
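Because an invalid policy has to be deleted and recreated, it helps to check the selector combinations before the manifest is applied. The following is an added example, not code from NCP or from this documentation: it checks each `from` and `to` peer of a parsed NetworkPolicy manifest against the selector rules listed above. The function names and the sample policy are hypothetical, the manifest field for an IP block is assumed to be `ipBlock`, and any version other than 1.10 is assumed to follow the 1.11 rule.

```python
"""Pre-apply check of NetworkPolicy peers against the selector rules above."""

SELECTORS = ("podSelector", "namespaceSelector", "ipBlock")


def check_peer(peer, k8s_minor):
    """Return a reason string if the peer breaks a selector rule, else None."""
    present = [name for name in SELECTORS if name in peer]
    # Kubernetes 1.10: at most one selector per rule clause.
    if k8s_minor == 10 and len(present) > 1:
        return "1.10 allows at most one selector, found " + " + ".join(present)
    # Kubernetes 1.11 (assumed for all other versions): ipBlock must stand alone.
    if "ipBlock" in present and len(present) > 1:
        return "ipBlock must be the only selector, found " + " + ".join(present)
    return None


def validate_policy(policy, k8s_minor):
    """Return a list of (path, reason) for every invalid peer in the policy."""
    problems = []
    spec = policy.get("spec", {})
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for r, rule in enumerate(spec.get(direction) or []):
            for p, peer in enumerate(rule.get(peer_key) or []):
                reason = check_peer(peer, k8s_minor)
                if reason:
                    path = f"spec.{direction}[{r}].{peer_key}[{p}]"
                    problems.append((path, reason))
    return problems


# Constructed sample manifest (as parsed from YAML or JSON), not from the page.
SAMPLE_POLICY = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "sample-policy", "namespace": "demo"},
    "spec": {
        "podSelector": {},
        "ingress": [{"from": [
            {"podSelector": {"matchLabels": {"app": "web"}}, "namespaceSelector": {}},
            {"podSelector": {}, "ipBlock": {"cidr": "192.0.2.0/24"}},
        ]}],
        "egress": [{"to": [{"ipBlock": {"cidr": "198.51.100.0/24"}}]}],
    },
}

if __name__ == "__main__":
    for minor in (10, 11):
        for path, reason in validate_policy(SAMPLE_POLICY, minor):
            print(f"Kubernetes 1.{minor}: {path}: {reason}")
```

An empty result means none of the peers breaks the selector rules for that version; it does not check anything else about the policy.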