ahmetb / kubernetes-network-policy-recipes

Example recipes for Kubernetes Network Policies that you can just copy paste


Clarify the meaning of the empty NetworkPolicyIngressRule?

joebowbeer opened this issue · comments

Clarification is needed as to what the empty NetworkPolicyIngressRule means.

I'm referring to the statement in ALLOW all traffic to an application that the empty ingress rule ({}) corresponds to:

- from:
  - podSelector: {}
    namespaceSelector: {}

My interpretation of the spec is that the empty ingress rule allows traffic from all sources, including all ips.

The rule has two fields, from and ports, but the documentation for both of those fields says:

If this field is empty or missing, this rule matches all [sources or ports]

If it matches all sources, then my interpretation is that it matches all ipBlocks as well as all pods in all namespaces.

Furthermore, because the sources are OR'd, only including one source in the corresponding form above is different from an empty rule, which includes all sources, right?

Can you explain how the corresponding form (above) is equivalent to an empty ingress rule?

Documentation:

List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.

Originally posted by @boredabdel in #62 (comment)

I hope my explanation in this PR clarifies things out #83

I will close this one. Please open a new PR or Issue so we can keep the discussion consistent in one place :)

@joebowbeer Did you ever find the answer to this?

@SHxKM Not a definitive answer.

@boredabdel By my reading of the documentation, the empty ingress rule is actually equivalent to the form:

- from:
  - ipBlock:
      cidr: 0.0.0.0/0
  - podSelector: {}
    namespaceSelector: {}

Sources in the context of Network Policies means IPs, Labels and Ports.

When we say all sources we mean all IPs and Labels and all Ports.

The policy you highlighted above will evaluate based on IP blocks and ignore Labels.

I'm not sure what is still not clear?

I'm referring to the statement in ALLOW all traffic to an application that the empty ingress rule ({}) corresponds to:

- from:
  - podSelector: {}
    namespaceSelector: {}

I don't think these are equivalent.

A from field supports 3 subfields:

  • ipBlock
  • namespaceSelector
  • podSelector

And a ports section

When ipBlock, namespaceSelector and podSelector are listed with a dash (-) they are interpreted as AND. When they are listed under the same dash they are interpreted as OR.

Technically the statement should be an empty Ingress {} corresponds to:

- from:
  - podSelector: {}
    ipBlock: {}
    namespaceSelector: {}

But since you would never use ipBlock and podSelector in the same policy (you either select source pods by label or you select your source by IP), omitting ipBlock is fine.

I hope this makes sense now?

The text is still not fixed. @joebowbeer is absolutely right.

  ingress:
  - {}

... does not correspond to

  ingress:
  - from:
    - podSelector: {}
      namespaceSelector: {}

But the text literally says:

Empty ingress rule ({}) allows traffic from all pods in the current namespace, as well as other namespaces. It corresponds to:

This is wrong.

It actually "corresponds" to:

  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0

@boredabdel You are probably assuming that traffic always originates from inside this cluster. In this case, both rules would be effectively equivalent. But actually traffic can originate from outside the cluster as well. In this case, there is a big difference between the two rules.