Learn how to define a rule in a network policy. A rule can include criteria of the following types:
- IP range (allow and exclude)
- label selector (pods and namespaces)
- port and protocol
You can define multiple criteria of a given type in a single rule, and use these criteria in combination with each other. The location criteria (IP range and label selector) that you define are specific to the template that you are using. For the custom-ingress template, you identify sources from which to allow traffic; and for the custom-egress template, you identify destinations to which to allow traffic.
If you do not specify any location criteria, the policy does not restrict traffic by location. All sources or destinations are allowed. Likewise, if you do not specify any ports, all ports are allowed.
IP Range Criteria
Within a rule, you can click IP Block to define location criteria based on IP range (expressed in CIDR notation).
When you specify a range for allowed IP addresses, traffic is permitted on all IP addresses in that range. You can also optionally exclude a range of IP addresses within the allowed range.
If you specify multiple IP ranges for a given location, the location must match any one of the criteria. For example, if you define three allowed IP ranges, traffic is allowed to (or from) locations within any one of the three ranges.
Label Selector Criteria
Within a rule, you can click Selector to define location criteria based on label selectors for pods and namespaces.
If you specify multiple label selectors for a given type, the location must match any one of the criteria to allow traffic. For example, if you define three pod selectors, traffic is allowed to (or from) pods that have a label matching any one of the three selectors.
If you specify a location using both the pod selector and the namespace selector in a single location definition, then both must be satisfied.
Port and Protocol Criteria
The port and protocol fields allow you to specify a port on which to allow traffic, and the protocol that the traffic must use. You can specify multiple ports, and each one must have a corresponding protocol. The port can be either a numerical or a named port.
If you specify multiple ports, the traffic must match any one of the criteria to be allowed. For example, if you define three ports, traffic is allowed through any one of the three ports.
When you define a rule with multiple criteria, network traffic is not permitted unless it satisfies at least one location criterion and at least one port criterion.
For example, consider a rule that defines the following criteria:
- Pod Selector = this:that and Namespace Selector =
- Allow IP Range =
- Port = 1232 and Protocol = TCP
Traffic is allowed only if it uses port 1232 with the TCP protocol AND it comes from either one of the following locations:
- an IP address in the allowed IP range
- a pod with a this:that label in a namespace with a label matching the namespace selector
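The following is an added example, not code from the original page or from the product it documents. It models the rule semantics described above as a small evaluator: a connection is allowed when it matches at least one location criterion (an IP range with optional excluded sub-ranges, or a pod/namespace label selector where both selectors in one definition must match) AND at least one port criterion, and an empty criteria list on either axis means no restriction. The CIDR values, the team:payments namespace label and the Peer, Connection and Rule classes are all constructed for this example; the port 1232/TCP and this:that label are taken from the page. Label matching assumes Kubernetes-style matchLabels semantics (every required key=value must be present).

```python
"""Evaluator for network-policy rule semantics (constructed example).

A connection is allowed by a rule when it matches at least one location
criterion AND at least one port criterion. An empty criteria list means
"no restriction" on that axis.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union


@dataclass
class Peer:
    """Remote end of a connection: source for ingress, destination for egress."""
    ip: str
    pod_labels: Optional[Dict[str, str]] = None        # None: the peer is not a pod
    namespace_labels: Optional[Dict[str, str]] = None  # labels of the pod's namespace


@dataclass
class Connection:
    port: int
    protocol: str                                             # "TCP", "UDP" or "SCTP"
    port_names: Dict[str, int] = field(default_factory=dict)  # named port -> number


@dataclass
class IPBlock:
    cidr: str
    except_cidrs: List[str] = field(default_factory=list)

    def matches(self, peer: Peer) -> bool:
        addr = ipaddress.ip_address(peer.ip)
        if addr not in ipaddress.ip_network(self.cidr, strict=False):
            return False
        # An excluded range carves a hole out of the allowed range.
        return not any(addr in ipaddress.ip_network(ex, strict=False)
                       for ex in self.except_cidrs)


def _labels_match(required: Dict[str, str], actual: Dict[str, str]) -> bool:
    """matchLabels semantics: every required key=value must be present."""
    return all(actual.get(k) == v for k, v in required.items())


@dataclass
class Selector:
    pod_labels: Optional[Dict[str, str]] = None
    namespace_labels: Optional[Dict[str, str]] = None

    def matches(self, peer: Peer) -> bool:
        if peer.pod_labels is None:
            return False  # selectors only ever match pods
        # Both selectors in one location definition must be satisfied.
        if self.pod_labels is not None and not _labels_match(self.pod_labels, peer.pod_labels):
            return False
        if self.namespace_labels is not None and not _labels_match(
                self.namespace_labels, peer.namespace_labels or {}):
            return False
        return True


@dataclass
class Port:
    port: Union[int, str]  # numeric port or named port
    protocol: str

    def matches(self, conn: Connection) -> bool:
        if conn.protocol.upper() != self.protocol.upper():
            return False
        if isinstance(self.port, int):
            return conn.port == self.port
        # Named port: resolve against the target pod's port names.
        return conn.port_names.get(self.port) == conn.port


@dataclass
class Rule:
    locations: List[Union[IPBlock, Selector]] = field(default_factory=list)
    ports: List[Port] = field(default_factory=list)

    def allows(self, peer: Peer, conn: Connection) -> bool:
        location_ok = not self.locations or any(loc.matches(peer) for loc in self.locations)
        port_ok = not self.ports or any(p.matches(conn) for p in self.ports)
        return location_ok and port_ok


# Constructed rule mirroring the page's example: 1232/TCP from either an IP
# range (with one excluded subnet) or a this=that pod in a team=payments namespace.
EXAMPLE_RULE = Rule(
    locations=[
        IPBlock("10.1.0.0/16", except_cidrs=["10.1.5.0/24"]),
        Selector(pod_labels={"this": "that"}, namespace_labels={"team": "payments"}),
    ],
    ports=[Port(1232, "TCP")],
)


def evaluate_examples() -> Dict[str, bool]:
    """Run constructed peers/connections through EXAMPLE_RULE."""
    tcp1232 = Connection(1232, "TCP")
    return {
        "in_range_tcp1232": EXAMPLE_RULE.allows(Peer("10.1.2.3"), tcp1232),
        "excluded_subnet": EXAMPLE_RULE.allows(Peer("10.1.5.7"), tcp1232),
        "labelled_pod_outside_range": EXAMPLE_RULE.allows(
            Peer("10.9.0.1", {"this": "that"}, {"team": "payments"}), tcp1232),
        "labelled_pod_wrong_namespace": EXAMPLE_RULE.allows(
            Peer("10.9.0.1", {"this": "that"}, {"team": "other"}), tcp1232),
        "in_range_udp": EXAMPLE_RULE.allows(Peer("10.1.2.3"), Connection(1232, "UDP")),
        "in_range_other_port": EXAMPLE_RULE.allows(Peer("10.1.2.3"), Connection(80, "TCP")),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_examples().items():
        print(f"{name:32} {'ALLOW' if allowed else 'DENY'}")
```

Running the script prints one ALLOW/DENY line per case. The excluded-subnet and wrong-namespace cases show why the "either location" OR is evaluated per criterion while the pod and namespace selectors inside one definition are ANDed; the UDP and port-80 cases show that a matching location is never enough on its own.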