Kubernetes networkpolicy multiple match labels
We have a default deny-all-egress policy for all pods and we have an egress-internet policy like below:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-egress-internet
spec:
  podSelector:
    matchLabels:
      egress: internet
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
```
Now, if I try to add multiple labels under spec/podSelector/matchLabels everything breaks. Is there a way for this network policy to get implemented on pods with label egress: internet OR foo: bar?
A pod with just foo:bar as label should be allowed but it's not working that way.
Solution 1:[1]
That's tricky because matchLabels does not take multiple key & value pairs and matchExpressions will be ANDed.
There are two possible ways (workarounds):

- Create another networkpolicy (along with the existing one) where matchLabels contains foo:bar.

[or]

- Add a new label (common) to both the workloads and use that in podSelector.
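
Why two labels in one matchLabels select only pods carrying both, while two separate policies give the OR the question asks for, shown with a small offline model of selector evaluation (an added example, not part of the original answer and not Kubernetes code). The pod names, the default-deny policy name and the second policy's name are constructed, and the model ignores namespaces, ports and destinations.

```python
# Added example: minimal offline model of NetworkPolicy podSelector evaluation.
# Pod names and the names of the deny and foo policies are constructed.

def selector_matches(selector, labels):
    """Label-selector semantics: every listed requirement must hold (AND)."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        value, allowed = labels.get(expr["key"]), expr.get("values", [])
        ok = {"In": value in allowed,
              "NotIn": value not in allowed,
              "Exists": expr["key"] in labels,
              "DoesNotExist": expr["key"] not in labels}[expr["operator"]]
        if not ok:
            return False
    return True  # an empty selector ({}) matches every pod

def internet_egress_allowed(policies, labels):
    """Policies are additive: a pod gets the union of the egress rules of
    every policy that selects it, so one matching allow rule is enough."""
    return any(selector_matches(p["podSelector"], labels) and bool(p["egress"])
               for p in policies)

ALLOW_ANY = [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]
DENY_ALL = {"name": "default-deny-all-egress", "podSelector": {}, "egress": []}

def allow(name, match_labels):
    return {"name": name, "podSelector": {"matchLabels": match_labels},
            "egress": ALLOW_ANY}

# Attempt from the question: both labels in one matchLabels (pod needs BOTH).
one_policy = [DENY_ALL, allow("allow-external-egress-internet",
                              {"egress": "internet", "foo": "bar"})]
# Workaround 1 from the answer: a second policy, one label per policy.
two_policies = [DENY_ALL,
                allow("allow-external-egress-internet", {"egress": "internet"}),
                allow("allow-external-egress-foo", {"foo": "bar"})]

PODS = {"only-egress": {"egress": "internet"}, "only-foo": {"foo": "bar"},
        "both": {"egress": "internet", "foo": "bar"}, "neither": {"app": "web"}}

def evaluate(policies):
    return {pod: internet_egress_allowed(policies, labels)
            for pod, labels in PODS.items()}

if __name__ == "__main__":
    print("one policy, two labels:", evaluate(one_policy))
    print("two policies          :", evaluate(two_policies))
```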
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | confused genius |
