Network policy question

Hi

Since I am almost at the end of the k8s network policy course, I want to know whether putting {} in a variable always means all pods, and whether putting [] means nothing.

Long story short:

podSelector:
  matchLabels:
    name: {} # Does this mean all pods?

podSelector:
  matchLabels:
    name: [] # Does this mean nobody?

But does this also apply to ingress and egress, like this?

policyTypes:
  - Ingress
  - Egress
ingress: {} # All pods could send traffic successfully?
egress: [] # The selected pod for the netpol can't send traffic to anyone?

Could the brackets also mean the same thing in other contexts of the network policy, or in other YAML files in k8s?

No. The matchLabels examples are simply syntax errors – those fields are strings, and {} and [] are the empty object and empty list respectively; they are not legal in a string field.

The ingress and egress fields are both lists of objects, so ingress: {} is a syntax error, and egress: [] is an empty list of objects.

Hi @rob_kodekloud thanks for the reply.

But if I'm not wrong, in this case:

podSelector: {} # means all pods?

and

podSelector: [] # means nothing, or an empty list?

So in network policies, to deny incoming and outgoing traffic for all pods I just need to do:

policyTypes:
  - Ingress
  - Egress
ingress:
egress:

Slots in YAML are marshalled into Golang data structures, which are very strictly typed. So only the first is correct – podSelector is an object, and the empty object is {}. [] is an empty array, and will cause a syntax error.

But for podSelector as used in a network policy, the empty object does indeed indicate “any pod”.

1 Like

Thank you very much @rob_kodekloud for your answer. So for the Ingress and Egress if I make this:

policyTypes:
  - Ingress
  - Egress

Is this the only way to deny any incoming and outgoing traffic? I guess k8s by default allows every communication possible, but is there a way to put that in the YAML file?

Also, I understand Go very well because I have a background in C programming, but I haven't used the particular Go libraries yet. If you have some resources to understand well what you are saying about it, I'd appreciate that very much. I want to understand the parsing process behind the YAML well.

Once again, many thanks.

That would indeed prevent traffic for any pod covered by podSelector for the netpol resource.

As for Go – the piece to understand is how structs are typed and marshalled/unmarshalled in code. Just about anything that K8s handles can be described as a Go struct, and if you read the source, you'll see the K8s resources described as structs. So when you use the wrong type in YAML, the error you'll see will describe a mismatch with some field in some struct. Also, there will be annotations on the structs that will match the names of the YAML fields. This is also why Go-style templates appear in all kinds of places in the API – they're native to the backend.

1 Like
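The strict struct typing described above, as an added example that is not part of this thread: a standard-library Go program with minimal stand-in structs (shapes assumed from the NetworkPolicy API reference, not the real k8s.io/api types) that decodes the JSON kubectl produces from the YAML, so podSelector: [], ingress: {} and a non-string matchLabels value are rejected while {} and [] decode, and DeniesAll applies the documented policyTypes defaulting to decide whether the selected pods are isolated.

```go
package main

import "encoding/json"

// Minimal stand-ins for NetworkPolicySpec (assumed shapes, not the real
// k8s.io/api structs); rule entries are left as untyped objects for brevity.
type LabelSelector struct {
	MatchLabels map[string]string `json:"matchLabels,omitempty"`
}
type NetworkPolicySpec struct {
	PodSelector LabelSelector            `json:"podSelector"`
	Ingress     []map[string]interface{} `json:"ingress,omitempty"`
	Egress      []map[string]interface{} `json:"egress,omitempty"`
	PolicyTypes []string                 `json:"policyTypes,omitempty"`
}

// Decode unmarshals a spec the way the API server does once kubectl has
// turned the YAML into JSON: a JSON kind that mismatches the field's Go type
// is reported as an error naming that struct field.
func Decode(doc string) (*NetworkPolicySpec, error) {
	var spec NetworkPolicySpec
	if err := json.Unmarshal([]byte(doc), &spec); err != nil {
		return nil, err
	}
	return &spec, nil
}

// EffectivePolicyTypes applies the documented defaulting: with policyTypes
// omitted, the policy affects Ingress, and Egress only if egress rules exist.
func EffectivePolicyTypes(s *NetworkPolicySpec) []string {
	if len(s.PolicyTypes) > 0 {
		return s.PolicyTypes
	}
	types := []string{"Ingress"}
	if len(s.Egress) > 0 {
		types = append(types, "Egress")
	}
	return types
}

// DeniesAll reports whether selected pods are isolated in the given direction:
// the type is in effect and its rule list is empty (absent/null or []).
func DeniesAll(s *NetworkPolicySpec, dir string) bool {
	for _, t := range EffectivePolicyTypes(s) {
		if t != dir {
			continue
		}
		if dir == "Ingress" {
			return len(s.Ingress) == 0
		}
		return len(s.Egress) == 0
	}
	return false
}
```

Note that egress: [] on its own, without policyTypes, does not isolate egress, because the defaulting only adds Egress when an egress rule is present.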

Thank you very much @rob_kodekloud for your reply. Now I get it well :slight_smile:

Have a nice day!