Network policy with negation rules (NOT)

Hello team,

I am looking for a solution to a problem where I need to create and apply a network policy to a pod which allows traffic from everywhere (all other namespaces, IPs and pod labels) except a specific (nonfriendly) pod.

I do see there is `except` attribute support in ipBlock under spec.ingress, but not in podSelector or namespaceSelector, and an IP-based rule will not be a generic solution if the pod IP changes.

I tried with something like below but it was not working:

    ingress:
    - from:
      - podSelector:
          matchExpressions:
          - key: "run"
            operator: NotIn
            values: ["nonfriendly"]

Can someone suggest if you have come across a similar issue and how it was resolved?

Regards,
Neearj

Has anyone faced a similar problem?

I believe the best approach for this is to build a default deny rule and create whitelist rules for every pod except for the "non-friendly" pod.

Thanks Vijin. Technically it is possible (in fact the only solution one can think of), but it does not lead to effective operational management. There should be an elegant and better way. I always thought matchExpressions should work but couldn't test it successfully.
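As an added example (not posted by anyone in this thread), here is a complete NetworkPolicy that applies the NotIn approach from the original question; the namespace `target-ns`, the label `app: protected` on the protected pod and the label `run: nonfriendly` on the excluded pod are assumed names. The point the snippet in the question misses is that a bare `podSelector` in `from` only matches pods in the policy's own namespace, so selecting "every pod in every namespace except the nonfriendly one" needs an empty `namespaceSelector` combined with the `podSelector` in the same `from` element (Kubernetes 1.11+ treats the pair as a logical AND).

```yaml
# Added example: allow ingress to the protected pod from every pod in every
# namespace, except pods carrying the label run=nonfriendly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-except-nonfriendly
  namespace: target-ns            # assumed namespace of the protected pod
spec:
  # Pods this policy applies to (assumed label on the protected pod).
  podSelector:
    matchLabels:
      app: protected
  policyTypes:
  - Ingress                       # selecting the pod makes all other ingress denied
  ingress:
  - from:
    # One "from" element with BOTH selectors = pods matching the podSelector
    # in namespaces matching the namespaceSelector. An empty namespaceSelector
    # ({}) matches every namespace, including target-ns itself.
    - namespaceSelector: {}
      podSelector:
        matchExpressions:
        # NotIn matches pods whose "run" label has any other value AND pods
        # that do not carry a "run" label at all, so only run=nonfriendly is
        # left out of the allow list.
        - key: run
          operator: NotIn
          values: ["nonfriendly"]
    # Cluster-external clients are not covered by pod/namespace selectors; add an
    # ipBlock entry here if traffic from outside the cluster must stay allowed.
    # - ipBlock:
    #     cidr: 203.0.113.0/24    # constructed example range
```

Two checks before relying on this: confirm the installed CNI enforces NetworkPolicy at all (a cluster without an enforcing plugin accepts the object and ignores it), and remember that the exclusion is only as strong as control over pod labels, since a workload allowed to change or drop its own `run` label would fall back into the NotIn allow set, so restrict `patch` on pods via RBAC accordingly.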