Address some comments
Signed-off-by: Wenqi Qiu <[email protected]>
wenqiq committed Feb 14, 2022
1 parent 722c951 commit 8911964
Showing 2 changed files with 15 additions and 15 deletions.
25 changes: 13 additions & 12 deletions docs/antrea-network-policy.md
Expand Up @@ -35,6 +35,7 @@
- [K8s clusters with version 1.21 and above](#k8s-clusters-with-version-121-and-above)
- [K8s clusters with version 1.20 and below](#k8s-clusters-with-version-120-and-below)
- [FQDN based filtering](#fqdn-based-filtering)
- [Node Selector](#node-selector)
- [toServices instruction](#toservices-instruction)
- [RBAC](#rbac)
- [Notes](#notes)
Expand Down Expand Up @@ -524,7 +525,7 @@ Usage of ClusterGroups along with stand-alone selectors is not allowed.

### Behavior of *to* and *from* selectors

There are six kinds of selectors that can be specified in an ingress `from`
There are seven kinds of selectors that can be specified in an ingress `from`
section or egress `to` section:

**podSelector**: This selects particular Pods from all Namespaces as "sources",
Expand All @@ -538,6 +539,10 @@ with `namespaces` field.
specifies both namespaceSelector and podSelector selects particular Pods within
particular Namespaces.

**nodeSelector**: This selects particular Nodes in cluster.
The selected Node's IPs will set as "sources" if `nodeSelector` set in `ingress` section, or as "destinations" if set in
`egress` section.

**namespaces**: A `namespaces` field allows users to perform advanced matching on
Namespace objects which cannot be done via label selectors. Currently, the
`namespaces` field has only one matching strategy, `Self`. If set to `Self`, it indicates
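Review bot: grammar in the new `**nodeSelector**` paragraph: "particular Nodes in cluster" should be "particular Nodes in the cluster", and "The selected Node's IPs will set as" should be "The selected Nodes' IPs will be set as" (plural Nodes, and "set" needs "be"). Suggested wording: `**nodeSelector**: This selects particular Nodes in the cluster. The selected Nodes' IPs are set as "sources" if `nodeSelector` is used in an `ingress` section, or as "destinations" if used in an `egress` section.` Please also wrap the paragraph near 80 columns like the surrounding entries, since the second line is noticeably longer than the rest of the file.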
Expand All @@ -559,9 +564,6 @@ since Pod IPs are ephemeral and unpredictable.
select Fully Qualified Domain Names (FQDNs), specified either by exact name or wildcard
expressions, when defining `egress` rules.

**nodeSelector**: This selects certain Node IPs as ingress from address or egress to address.
It is applicable only to the `from` section in an `ingress` block or the `to` section in an `egress` block.

### Key differences from K8s NetworkPolicy

- ClusterNetworkPolicy is at the cluster scope, hence a `podSelector` without
Expand Down Expand Up @@ -1100,9 +1102,11 @@ spec:

## Node Selector

NodeSelector selects certain Nodes which match the label selector. Add Node IPs to address group memberSet.
The following rule applied to Pods with label `app=antrea-test-app` and will `Drop` egress traffic to
Nodes which has labels `kubernetes.io/hostname=kind-control-plane`.
NodeSelector selects certain Nodes which match the label selector. It adds Node IPs to egress rules in `to` field
or ingress rules in `from` filed.
The following rule applies to Pods with label `app=antrea-test-app` and will `Drop` egress traffic to
Nodes which have the labels `node-role.kubernetes.io/control-plane`.

```yaml
apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
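Review bot: typo in the new paragraph: "ingress rules in `from` filed" should read "`from` field". Two smaller points: "Nodes which have the labels `node-role.kubernetes.io/control-plane`" should be singular ("the label"), since the example matches one label key, and the prose says the rule drops egress traffic to those Nodes without mentioning that the YAML below is scoped to TCP port 6443 by its `ports` stanza; "will `Drop` egress traffic to TCP port 6443 on Nodes which have the label ..." would make the description match the policy.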
Expand All @@ -1118,11 +1122,8 @@ spec:
- action: Drop
to:
- nodeSelector:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- kind-control-plane
matchLabels:
node-role.kubernetes.io/control-plane: ""
ports:
- protocol: TCP
port: 6443
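Review bot: `matchLabels` is an equality match, so `node-role.kubernetes.io/control-plane: ""` selects only Nodes whose label value is exactly the empty string; a Node carrying that key with a non-empty value is not matched. If the intent is "any Node with this role label", a `matchExpressions` entry with `key: node-role.kubernetes.io/control-plane` and `operator: Exists` is the more robust form. If equality is intended, the YAML is correct as written, and the quoted `""` is required so the value is an empty string rather than null.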
5 changes: 2 additions & 3 deletions pkg/apis/crd/v1alpha1/types.go
Expand Up @@ -15,7 +15,6 @@
package v1alpha1

import (
_ "github.com/golang/mock/mockgen/model"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
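Review bot: removing the blank import `_ "github.com/golang/mock/mockgen/model"` is the right call for an API types package, since it pulled a test-tooling dependency into every consumer of `v1alpha1`. Please confirm that `go mod tidy` and the mock generation step still succeed, because a blank import like this is sometimes the only thing keeping that module in `go.mod`.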
Expand Down Expand Up @@ -436,8 +435,8 @@ type NetworkPolicyPeer struct {
// Wildcard expressions, i.e. "*wayfair.com".
FQDN string `json:"fqdn,omitempty"`
// Select certain Nodes which match the label selector,
// if no nodeSelector is specified, then all Nodes will be selected
// in the cluster.
// if no nodeSelector is specified, then no additional Nodes IPs will be added
// in egress/ingress rules.
// +optional
NodeSelector *metav1.LabelSelector `json:"nodeSelector,omitempty"`
}
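Review bot: grammar in the updated doc comment: "no additional Nodes IPs will be added" should read "no additional Node IPs will be added", and "in egress/ingress rules" should be "to egress/ingress rules". Consider also stating that the selected Nodes' IPs become the peer addresses of the rule, matching the wording in `docs/antrea-network-policy.md`, and that the field is only meaningful in an ingress `from` or egress `to` peer, which the doc paragraph removed in this commit stated explicitly and the new one no longer does.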
