Incorrect type for 'ports' field in "Network Policies" page examples #44825

Closed
WisePorterCloud opened this issue Jan 20, 2024 · 9 comments
Labels
language/en Issues or PRs related to English language needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/network Categorizes an issue or PR as relevant to SIG Network.


@WisePorterCloud

I'm checking some samples of the NetworkPolicy object and there seems to be a bug in ports. According to the Kubernetes API reference it is an array, but in all samples published at https://kubernetes.io/docs/concepts/services-networking/network-policies/ ports is given as a NetworkPolicyPort.

Example that does not work properly (but without error during creation):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np
  namespace: space1
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: space2
      ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53

Example that works as expected:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np
  namespace: space1
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: space2
    - ports:
      - protocol: TCP
        port: 53
      - protocol: UDP
        port: 53
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 20, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dipesh-rawat
Member

Page reported in issue: https://kubernetes.io/docs/concepts/services-networking/network-policies
/language en

@k8s-ci-robot k8s-ci-robot added the language/en Issues or PRs related to English language label Jan 20, 2024
@dipesh-rawat
Member

/sig network

@k8s-ci-robot k8s-ci-robot added the sig/network Categorizes an issue or PR as relevant to SIG Network. label Jan 20, 2024
@dipesh-rawat
Member

/retitle Incorrect type for 'ports' field in "Network Policies" page examples

@k8s-ci-robot k8s-ci-robot changed the title Network Policies Incorrect type for 'ports' field in "Network Policies" page examples Jan 20, 2024
@adityasamant25
Contributor

Hi,
This is not a bug. It is as designed.
The hyphen has a significance.
Absence of the hyphen before ports signifies an AND condition between the to and ports rules.
Presence of the hyphen before ports signifies an OR condition between the to and ports rules.

Your first example translates to:
Allows all pods in namespace space1 to connect to all pods in namespaces with labels kubernetes.io/metadata.name: space2 on ports TCP 53 and UDP 53

Whereas the second example translates to:

Allows all pods in namespace space1 to connect to all pods in namespaces with labels kubernetes.io/metadata.name: space2 on all ports
** OR **
Allows all pods in namespace space1 to connect to all namespaces, pods and IP addresses on ports TCP 53 and UDP 53

Both are valid network policy definitions.
You need to configure the network policy based on the behaviour you need.

The below tool is handy if you want to translate the meaning of a network policy in a readable form.
https://orca.tufin.io/netpol/

@aakashdeshamne aakashdeshamne removed their assignment Jan 21, 2024
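
The AND/OR reading explained in the comment above, as an added example that is not part of the original thread: a small Python evaluator applied to the `spec.egress` lists of the two manifests from this issue, written as the dicts a YAML parser would produce. It models only `namespaceSelector` peers with `matchLabels` and numeric ports; the function names and the sample flows are constructed for illustration.

```python
# Added example: evaluates NetworkPolicy egress rules for a source pod the policy selects.
# Within one rule, "to" and "ports" are ANDed; separate rules in the list are ORed.

def selector_matches(selector, labels):
    """matchLabels-only label selector; an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, dest_ns_labels):
    # Only namespaceSelector peers are modelled (the only kind used in this issue).
    return "namespaceSelector" in peer and selector_matches(peer["namespaceSelector"], dest_ns_labels)

def rule_allows(rule, dest_ns_labels, protocol, port):
    # Missing/empty "to" matches every destination; missing/empty "ports" matches every port.
    to_ok = not rule.get("to") or any(peer_matches(p, dest_ns_labels) for p in rule["to"])
    ports_ok = not rule.get("ports") or any(
        p.get("protocol", "TCP") == protocol and p.get("port") in (None, port)
        for p in rule["ports"])
    return to_ok and ports_ok

def egress_allowed(egress_rules, dest_ns_labels, protocol, port):
    # The rule list is a whitelist: traffic is allowed if any single rule allows it.
    return any(rule_allows(r, dest_ns_labels, protocol, port) for r in egress_rules)

SPACE2 = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "space2"}}}
DNS_PORTS = [{"protocol": "TCP", "port": 53}, {"protocol": "UDP", "port": 53}]

# spec.egress of the first manifest: one rule, "to" AND "ports".
EGRESS_ONE_RULE = [{"to": [SPACE2], "ports": DNS_PORTS}]
# spec.egress of the second manifest: two rules, "to" OR "ports".
EGRESS_TWO_RULES = [{"to": [SPACE2]}, {"ports": DNS_PORTS}]

# Constructed sample flows: (destination namespace labels, protocol, port).
FLOWS = [
    ({"kubernetes.io/metadata.name": "space2"}, "UDP", 53),
    ({"kubernetes.io/metadata.name": "space2"}, "TCP", 8080),
    ({"kubernetes.io/metadata.name": "space3"}, "TCP", 53),
    ({"kubernetes.io/metadata.name": "space3"}, "TCP", 8080),
]

def verdicts(egress_rules):
    return [egress_allowed(egress_rules, *flow) for flow in FLOWS]

if __name__ == "__main__":
    for name, rules in (("one rule", EGRESS_ONE_RULE), ("two rules", EGRESS_TWO_RULES)):
        print(name, verdicts(rules))
```

The second manifest additionally admits the second and third flows (any port into space2, and port 53 to any destination), which is the broader egress surface to look for when reviewing a policy whose `ports` carries its own hyphen.
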
@WisePorterCloud
Author

Hi, thank you so much for your explanation. It makes sense. Could you please point me to the section in the documentation where this is explained? I tried to find it but without success.

Anyway we can close this ticket.

@adityasamant25
Contributor

I'm not aware if the exact example you mentioned in this issue is documented.

There is a similar (not identical) scenario documented here:
https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors

@dipesh-rawat
Member

Looks like the issue doesn't require any changes; the current documentation stands correct.

Anyway we can close this ticket.

Closing this issue in recognition of the issue reporter's indication to close it.

/close

@k8s-ci-robot
Contributor

@dipesh-rawat: Closing this issue.

