4 changes: 2 additions & 2 deletions content/en/examples/service/networking/networkpolicy.yaml
Expand Up @@ -22,14 +22,14 @@ spec:
- podSelector:
matchLabels:
role: frontend
ports:
- ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- ports:
I don't think this is the case.

Taking a look into the Go structure of a network policy: https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/networking/types.go#L118

What it means basically is that you can have multiple egress rules: https://github.com/kubernetes/kubernetes/blob/4e8b192b66cc2a6952b8f1a5067e563c4019c276/pkg/apis/networking/types.go#L79

And each egress rule is composed of two fields that are arrays: to and ports.

What you are doing here is actually saying: "I have 2 egress rules, one that allows going to 10.0.0.0/24 and another going to port 5978", and this seems wrong with respect to the desire of the network policy.

Instead, the NetworkPolicy of this example says "allow egress to the CIDR 10.0.0.0/24 on port 5978", that looks like the following egress rule:

to:
  - ipBlock:
      cidr: 10.0.0.0/24
ports:
  - protocol: TCP
    port: 5978

that is different from what you are doing:

# This is one Egress rule
- to:
  - ipBlock:
      cidr: 10.0.0.0/24
# This is another egress rule
- ports:
  - protocol: TCP
    port: 5978

Hope this clarifies, IMO we should not move with this PR :) but thanks for the due diligence on the docs, and keep bringing possible mistakes!
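The composition rule described in the comment above (rules are ORed together; within one rule, `to` and `ports` are ANDed, and an absent list restricts nothing) as an added example that is not part of this PR or of the kubernetes/website repository: a small Python evaluator that runs both YAML shapes, written here as Python dicts, against a few constructed connections. It models only `ipBlock` peers (with the API's optional `except` list); `podSelector` and `namespaceSelector` are deliberately not handled.

```python
"""Toy evaluator for the egress half of a Kubernetes NetworkPolicy.

Added example, not code from the kubernetes/website repository. It models
only the rule-composition semantics discussed in the review comment: a policy
allows a connection if ANY egress rule allows it, and a single rule allows it
only if BOTH its `to` and `ports` lists match (a missing or empty list places
no restriction on that dimension). Peers are limited to `ipBlock`.
"""
import ipaddress


def peer_matches(peer, dst_ip):
    """Does one entry of a rule's `to` list match the destination IP?
    Only ipBlock (cidr plus optional `except` list) is modelled here."""
    block = peer.get("ipBlock")
    if block is None:
        raise NotImplementedError("only ipBlock peers are modelled in this example")
    ip = ipaddress.ip_address(dst_ip)
    if ip not in ipaddress.ip_network(block["cidr"]):
        return False
    # An address inside any `except` range is carved out of the cidr.
    return not any(ip in ipaddress.ip_network(ex) for ex in block.get("except", []))


def port_matches(spec, protocol, port):
    """Does one entry of a rule's `ports` list match?  A missing protocol
    defaults to TCP and a missing port means any port on that protocol."""
    if spec.get("protocol", "TCP") != protocol:
        return False
    return "port" not in spec or spec["port"] == port


def rule_allows(rule, dst_ip, protocol, port):
    """One NetworkPolicyEgressRule: `to` AND `ports` must both match.
    An absent or empty list matches everything on that dimension."""
    to_ok = not rule.get("to") or any(peer_matches(p, dst_ip) for p in rule["to"])
    ports_ok = not rule.get("ports") or any(
        port_matches(s, protocol, port) for s in rule["ports"]
    )
    return to_ok and ports_ok


def egress_allowed(egress_rules, dst_ip, protocol="TCP", port=None):
    """The policy allows the connection if ANY of its egress rules allows it."""
    return any(rule_allows(r, dst_ip, protocol, port) for r in egress_rules)


# Dict mirrors of the two YAML shapes from the review comment (constructed here).
INTENDED = [  # one rule: to 10.0.0.0/24 AND TCP/5978
    {"to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}],
     "ports": [{"protocol": "TCP", "port": 5978}]},
]
SPLIT = [  # the PR's shape: two rules, each restricting only one dimension
    {"to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}]},
    {"ports": [{"protocol": "TCP", "port": 5978}]},
]


def compare(dst_ip, protocol, port):
    """Return (intended_verdict, split_verdict) for one outbound connection."""
    return (egress_allowed(INTENDED, dst_ip, protocol, port),
            egress_allowed(SPLIT, dst_ip, protocol, port))


if __name__ == "__main__":
    # Constructed sample connections: only the first should be allowed by the
    # intended policy; the split policy also admits the other two.
    for conn in [("10.0.0.7", "TCP", 5978), ("10.0.0.7", "TCP", 80),
                 ("203.0.113.9", "TCP", 5978)]:
        print(conn, "intended=%s split=%s" % compare(*conn))
```

The second and third sample connections are the ones that matter for review: port 80 to the CIDR passes the split policy through its `to`-only rule, and port 5978 to an unrelated address passes through its `ports`-only rule, so the split version is strictly more permissive than the single rule the example intends.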

btw, I highly recommend using https://editor.networkpolicy.io/ when in doubt about how a Network Policy should look based on your expectations; it is helpful to assemble some scenarios and understand the differences.

- protocol: TCP
port: 5978
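Review bot: Changing `ports:` to `- ports:` on both the ingress side (below the `role: frontend` podSelector) and the egress side (below the `10.0.0.0/24` ipBlock) is a semantic change, not a formatting one, and it loosens the policy. Each `-` entry under `ingress`/`egress` is a separate rule; a rule that has only a peer selector matches any port, and a rule that has only `ports` matches any peer. With this hunk applied the policy therefore admits TCP/6379 ingress from any source and TCP/5978 egress to any destination, and additionally any port to or from the selected peers, instead of the intended "frontend pods on 6379" and "10.0.0.0/24 on 5978". Suggest dropping both changed lines and keeping `ports:` at the same indentation as the peer list within the single rule, as in the original file.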