Check the following two NetworkPolicy YAML files, np1.yaml and np2.yaml:
```yaml
# np1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np
  namespace: space1
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: space2
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
```

```yaml
# np2.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np
  namespace: space1
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: space2
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
```
They look similar, but a tiny typo here causes quite different results.
If we check carefully we will find that np2.yaml gives two separate restrictions on egress:
- allows traffic to all pods in the namespace space2, without specifying any ports (so on any port);
- allows traffic to any destination on port 53 (TCP and UDP), i.e. DNS traffic.
The leading "-" starts a new list item, i.e. a separate rule, in YAML. In np2.yaml the two rules are logically OR-ed: traffic is allowed if it satisfies either the first rule (namespace match) or the second rule (port match).
In np1.yaml, to and ports are part of a single rule, which requires traffic to satisfy both constraints (namespace match and port match); it is literally an AND relationship.
In summary, np2.yaml has two rules, one containing only egress.to and one containing only egress.ports; np1.yaml has only one rule, in which to and ports are sibling fields of the same egress entry, so both conditions apply together.
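As an added example (not part of the original post), the following Python models the evaluation order the text describes: the entries of an egress list are OR-ed, and the fields inside one entry are AND-ed. The two policies are embedded as the dict form yaml.safe_load would produce for np1.yaml and np2.yaml; the helper names and the sample destinations (space2, kube-system) are my own assumptions.

```python
# Evaluate a Kubernetes NetworkPolicy egress decision for one connection.
# NP1/NP2 are the parsed form of np1.yaml / np2.yaml from this page (what
# yaml.safe_load would return), embedded inline so the script runs offline.
NP1 = {"spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [
    # one rule: `to` AND `ports` must both match
    {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "space2"}}}],
     "ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]},
]}}
NP2 = {"spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [
    # two rules: matching either one is enough (OR)
    {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "space2"}}}]},
    {"ports": [{"port": 53, "protocol": "TCP"}, {"port": 53, "protocol": "UDP"}]},
]}}

def labels_match(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present on the object."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def peer_matches(peer, dst_ns_labels):
    # Only namespaceSelector peers are modelled (the only peer kind used on this page).
    if "namespaceSelector" in peer:
        return labels_match(peer["namespaceSelector"], dst_ns_labels)
    raise NotImplementedError(f"peer type not modelled: {list(peer)}")

def port_matches(rule_port, port, proto):
    # NetworkPolicyPort defaults protocol to TCP; named ports and endPort are not modelled.
    return rule_port.get("port") == port and rule_port.get("protocol", "TCP") == proto

def rule_allows(rule, dst_ns_labels, port, proto):
    """Inside one rule: an absent or empty `to` means any destination, an absent or
    empty `ports` means any port, and the fields that are present are AND-ed together."""
    to_ok = not rule.get("to") or any(peer_matches(p, dst_ns_labels) for p in rule["to"])
    ports_ok = not rule.get("ports") or any(port_matches(p, port, proto) for p in rule["ports"])
    return to_ok and ports_ok

def egress_allowed(policy, dst_ns_labels, port, proto):
    """Entries of the `egress` list are OR-ed: one matching rule allows the connection.
    Assumes the source pod is selected by the policy and no other policy also allows it."""
    spec = policy["spec"]
    if "Egress" not in spec.get("policyTypes", []):
        return True  # the policy does not restrict egress at all
    return any(rule_allows(r, dst_ns_labels, port, proto) for r in spec.get("egress", []))

SPACE2 = {"kubernetes.io/metadata.name": "space2"}
KUBE_SYSTEM = {"kubernetes.io/metadata.name": "kube-system"}
if __name__ == "__main__":
    for name, pol in (("np1", NP1), ("np2", NP2)):
        print(name, "DNS->space2:", egress_allowed(pol, SPACE2, 53, "UDP"),
              "HTTPS->space2:", egress_allowed(pol, SPACE2, 443, "TCP"),
              "DNS->kube-system:", egress_allowed(pol, KUBE_SYSTEM, 53, "UDP"))
```

Running it shows that np1 lets pods in space1 reach only port 53 in space2 (so DNS served from kube-system would be blocked), while np2 allows any port into space2 and port 53 to any destination, including outside the cluster, unless another policy restricts it.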