I have a pod which emits metrics and it has multiple egresses associated like -
- authentication endpoint (tcp/443)
- dns (udp/53)
- instance metadata (tcp/80)
- other pods (all)
What would be a good practice to define the policies for all of the above -
1 - all egresses in a single NetworkPolicy
Example (Same policy with all egress)

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-multiple-points
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
    - to:
      ports:
        - protocol: UDP
          port: 53
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 9443
```
OR
2 - different NetworkPolicy for each of the egress
Example (Different NetPol for each) -

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-auth-endpoint
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-dns
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
    - Egress
  egress:
    - to:
      ports:
        - protocol: UDP
          port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-api-server
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 9443
```
CodePudding user response:
It would be better to manage all policies in a single one; otherwise you will have to go through tons of similar lines.
Also, it would easily be helpful to mitigate any issue if a similar policy is being added or overwriting happens.
CodePudding user response:
Network policies can be used to specify both allowed ingress to pods and allowed egress from pods. These specifications work as one would expect: traffic to a pod from an external network endpoint outside the cluster is allowed if ingress from that endpoint is allowed to the pod.
It's better to define all the policies in a single network policy.
In the event of an overwriting or the addition of a comparable policy, it reduces the risk of loss from the occurrence of any undesirable events.
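As an added illustration (not code from the question or either answer), here is a small Python model of how the cluster evaluates these manifests: NetworkPolicies that select the same pod are additive, so the single combined policy and the three split policies yield the same effective egress set. The script also flags rules that allow any destination, which both layouts on this page do for TCP/443 and TCP/9443. The dict shapes, policy names and the `metrics-emitter` label mirror the question's manifests and are constructed for this example; only `ipBlock` peers are modelled.

```python
from ipaddress import ip_network

def pod_selector_matches(policy, pod_labels):
    """True when every spec.podSelector.matchLabels entry matches the pod."""
    want = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in want.items())

def effective_egress(policies, pod_labels):
    """Union of (destination, protocol, port) over every policy selecting the pod.
    NetworkPolicies are additive, so one combined policy and several split ones
    give the same set. destination is the ipBlock CIDR, or "*" when a rule omits
    'to' (any destination); podSelector/namespaceSelector peers are not modelled.
    """
    allowed = set()
    for pol in policies:
        spec = pol["spec"]
        if not pod_selector_matches(pol, pod_labels) or "Egress" not in spec.get("policyTypes", []):
            continue
        for rule in spec.get("egress", []):
            peers = rule.get("to") or [{"ipBlock": {"cidr": "*"}}]
            ports = rule.get("ports") or [{"protocol": "*", "port": "*"}]
            for peer in peers:
                dest = peer.get("ipBlock", {}).get("cidr")
                if dest is None:          # podSelector / namespaceSelector peer, skipped
                    continue
                for p in ports:
                    allowed.add((dest, p.get("protocol", "TCP"), p["port"]))
    return allowed

def broad_destinations(allowed):
    """Entries that reach any address: no 'to' peers, or a /0 ipBlock."""
    return {a for a in allowed if a[0] == "*" or ip_network(a[0]).prefixlen == 0}

def policy(name, egress):
    """Constructed NetworkPolicy dict in the shape of the question's manifests."""
    return {"metadata": {"name": name},
            "spec": {"podSelector": {"matchLabels": {"name": "metrics-emitter"}},
                     "policyTypes": ["Egress"], "egress": egress}}

ANY = [{"ipBlock": {"cidr": "0.0.0.0/0"}}]
AUTH = {"to": ANY, "ports": [{"protocol": "TCP", "port": 443}]}
DNS = {"to": None, "ports": [{"protocol": "UDP", "port": 53}]}
META = {"to": ANY, "ports": [{"protocol": "TCP", "port": 9443}]}
POD = {"name": "metrics-emitter"}
# Option 1 (all rules in one policy) and option 2 (one policy per egress) from the question.
SINGLE = [policy("metrics-emitter-egress-to-multiple-points", [AUTH, DNS, META])]
SPLIT = [policy("metrics-emitter-egress-to-auth-endpoint", [AUTH]),
         policy("metrics-emitter-egress-to-dns", [DNS]),
         policy("metrics-emitter-egress-to-api-server", [META])]
```

`effective_egress(SINGLE, POD) == effective_egress(SPLIT, POD)` holds, which is why the choice between the two layouts is about maintainability rather than what traffic is allowed.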