Learn how to define a rule in a network policy.

Some of the network policy recipes allow you to provide a rule that uses a set of criteria to identify the target locations with which to permit or restrict communication, and the port on which they can communicate. The criteria used in these rules can include the following types:
  • IP range (allow and exclude)
  • label selector (pods and namespaces)
  • port and protocol

You can define multiple criteria of a given type in a single rule, and use these criteria in combination with each other. The location criteria (IP range and label selector) that you define are specific to the template that you are using. For the custom-ingress template, you identify sources from which to allow traffic; and for the custom-egress template, you identify destinations to which to allow traffic.

If you do not specify any location criteria, the policy does not restrict traffic by location. All sources or destinations are allowed. Likewise, if you do not specify any ports, all ports are allowed.

IP Range Criteria

Within a rule, you can click IP Block to define location criteria based on IP range (expressed in CIDR notation).

When you specify a range for allowed IP addresses, traffic is permitted on all IP addresses in that range. You can also optionally exclude a range of IP addresses within the allowed range.

If you specify multiple IP ranges for a given location, the location must match any one of the criteria. For example, if you define three allowed IP ranges, traffic is allowed to (or from) locations within any one of the three ranges.

Label Selector Criteria

Within a rule, you can click Selector to define location criteria based on label selectors for pods and namespaces.

If you specify multiple label selectors for a given type, the location must match any one of the criteria to allow traffic. For example, if you define three pod selectors, traffic is allowed to (or from) pods that have a label matching any one of the three selectors.
Note: The label selector for network policies in Tanzu Mission Control matches only the labels that you have applied to resources through Tanzu Mission Control. Labels that are created outside of Tanzu Mission Control are not evaluated.

If you specify a location using both the pod selector and the namespace selector in a single location definition, then both must be satisfied.

Port Criteria

The port and protocol fields allow you to specify a port on which to allow traffic, and the protocol that the traffic must use. You can specify multiple ports, and each one must have a corresponding protocol. The port can be either a port number or a named port.

If you specify multiple ports, the channel must match any one of the criteria to allow traffic. For example, if you define three ports, traffic is allowed through any one of the three ports.

Rule Enforcement

When you define a rule with multiple criteria, network traffic is not permitted unless it satisfies at least one location criterion and at least one port criterion.

For example, say you create a custom-ingress policy with a rule that contains the following criteria:
  • Pod Selector = this:that and Namespace Selector = release:production
  • Allow IP Range = 192.168.1.1/16
  • Port = 1232 and Protocol = TCP
When you apply this policy, ingress traffic is not allowed unless it comes in on port 1232 using the TCP protocol AND it comes from either one of the following locations:
  • an IP address in the 192.168.1.1/16 range
  • a pod with a this:that label in a namespace with a release:production label
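As an added example (not code from this page or from Tanzu Mission Control), the following Python evaluator implements the matching semantics described above and encodes the page's custom-ingress rule. The class names, the sample endpoints and the named-port table are constructed for illustration; the ingress fragment it renders is the standard Kubernetes NetworkPolicy form these criteria map onto, where entries of `from` are OR-ed and keys inside one entry are AND-ed.

```python
"""Evaluate a network-policy rule as the page describes: locations are OR-ed,
a pod selector and namespace selector inside one location are AND-ed, ports
are OR-ed, and traffic must satisfy a location AND a port.
Added example; the class names are my own, not a Tanzu Mission Control API."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Union


@dataclass(frozen=True)
class Location:
    """One location criterion: an IP block (with optional exclusions) or a
    label selector (pod and/or namespace labels, matchLabels style)."""
    cidr: Optional[str] = None
    exclude: tuple = ()                       # CIDRs carved out of `cidr`
    pod_labels: Optional[dict] = None
    namespace_labels: Optional[dict] = None


@dataclass(frozen=True)
class Port:
    port: Union[int, str]                     # port number or container port name
    protocol: str = "TCP"


@dataclass
class Rule:
    locations: list = field(default_factory=list)   # empty -> any location
    ports: list = field(default_factory=list)       # empty -> any port


@dataclass
class Endpoint:
    """The remote side of a connection as seen by the policy (constructed)."""
    ip: str
    pod_labels: Optional[dict] = None         # None for a non-pod address
    namespace_labels: Optional[dict] = None


def labels_match(selector: dict, labels: Optional[dict]) -> bool:
    # matchLabels semantics: every selector key must be present with that value
    return labels is not None and all(labels.get(k) == v for k, v in selector.items())


def location_matches(loc: Location, remote: Endpoint) -> bool:
    if loc.cidr is not None:
        # strict=False: a CIDR written with host bits set, such as the page's
        # 192.168.1.1/16, is read as its network (192.168.0.0/16)
        addr = ipaddress.ip_address(remote.ip)
        if addr not in ipaddress.ip_network(loc.cidr, strict=False):
            return False
        return not any(addr in ipaddress.ip_network(x, strict=False) for x in loc.exclude)
    if loc.pod_labels is None and loc.namespace_labels is None:
        raise ValueError("a location needs an IP block or at least one selector")
    # Both selectors given in one location must be satisfied (AND)
    pod_ok = loc.pod_labels is None or labels_match(loc.pod_labels, remote.pod_labels)
    ns_ok = loc.namespace_labels is None or labels_match(loc.namespace_labels, remote.namespace_labels)
    return pod_ok and ns_ok


def port_matches(p: Port, number: int, protocol: str, named_ports: dict) -> bool:
    # named_ports maps a container port name to its number on the pod the
    # policy protects (constructed by the caller); unknown names never match
    target = named_ports.get(p.port) if isinstance(p.port, str) else p.port
    return target == number and p.protocol == protocol


def allowed(rule: Rule, remote: Endpoint, number: int, protocol: str, named_ports=None) -> bool:
    """Location criteria are OR-ed, port criteria are OR-ed, and the two groups are AND-ed."""
    named_ports = named_ports or {}
    location_ok = not rule.locations or any(location_matches(l, remote) for l in rule.locations)
    port_ok = not rule.ports or any(port_matches(p, number, protocol, named_ports) for p in rule.ports)
    return location_ok and port_ok


def to_ingress_spec(rule: Rule) -> dict:
    """Render the rule as one entry of a Kubernetes NetworkPolicy `ingress` list."""
    peers = []
    for loc in rule.locations:
        if loc.cidr is not None:
            block = {"cidr": loc.cidr}
            if loc.exclude:
                block["except"] = list(loc.exclude)
            peers.append({"ipBlock": block})
        else:
            peer = {}
            if loc.pod_labels is not None:
                peer["podSelector"] = {"matchLabels": loc.pod_labels}
            if loc.namespace_labels is not None:
                peer["namespaceSelector"] = {"matchLabels": loc.namespace_labels}
            peers.append(peer)
    entry = {}
    if peers:
        entry["from"] = peers
    if rule.ports:
        entry["ports"] = [{"port": p.port, "protocol": p.protocol} for p in rule.ports]
    return entry


# The rule from the page's custom-ingress example
PAGE_RULE = Rule(
    locations=[
        Location(pod_labels={"this": "that"}, namespace_labels={"release": "production"}),
        Location(cidr="192.168.1.1/16"),
    ],
    ports=[Port(1232, "TCP")],
)

if __name__ == "__main__":
    external = Endpoint(ip="192.168.200.7")                                 # constructed
    prod_pod = Endpoint(ip="10.0.0.5", pod_labels={"this": "that"},
                        namespace_labels={"release": "production"})         # constructed
    print(allowed(PAGE_RULE, external, 1232, "TCP"))   # True  (IP range, right port)
    print(allowed(PAGE_RULE, prod_pod, 1232, "TCP"))   # True  (both selectors satisfied)
    print(allowed(PAGE_RULE, external, 1232, "UDP"))   # False (wrong protocol)
    print(to_ingress_spec(PAGE_RULE))
```

Running the block prints the three verdicts for the page's rule and the ingress entry it corresponds to. The evaluator also covers the cases the text states in passing: an empty `Rule()` allows any source on any port, an exclusion inside an allowed IP range blocks addresses in the excluded block, and a named port only matches after it resolves through the protected pod's container ports.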