From 7277714c8f5059e8331ce73b8a056a371091547e Mon Sep 17 00:00:00 2001 From: Nills Franssens Date: Tue, 5 Jan 2021 09:14:10 -0800 Subject: [PATCH] Add clarity about egress/ingress combination In reference to https://github.com/kubernetes/kubernetes/issues/97489 Add clarity in the documentation about the case of having an egress and ingress policy where one is blocking and the other is allowing. --- .../en/docs/concepts/services-networking/network-policies.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/en/docs/concepts/services-networking/network-policies.md b/content/en/docs/concepts/services-networking/network-policies.md index 7d417e4df1..2000d838b4 100644 --- a/content/en/docs/concepts/services-networking/network-policies.md +++ b/content/en/docs/concepts/services-networking/network-policies.md @@ -35,6 +35,8 @@ Pods become isolated by having a NetworkPolicy that selects them. Once there is Network policies do not conflict; they are additive. If any policy or policies select a pod, the pod is restricted to what is allowed by the union of those policies' ingress/egress rules. Thus, order of evaluation does not affect the policy result. +For a network flow between two pods to be allowed, both the egress policy on the source pod and the ingress policy on the destination pod need to allow the traffic. If either the egress policy on the source, or the ingress policy on the destination denies the traffic, the traffic will be denied. + ## The NetworkPolicy resource {#networkpolicy-resource} See the [NetworkPolicy](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#networkpolicy-v1-networking-k8s-io) reference for a full definition of the resource.
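Review bot: In the added paragraph, the second sentence says a policy "denies the traffic", which conflicts with the context line directly above it: policies are additive and a pod is "restricted to what is allowed by the union" of their rules, so the rules only allow and nothing in a policy denies. Suggest rewording to something like "If either side does not allow the connection, it will not happen." The paragraph also speaks of "the egress policy on the source pod" and "the ingress policy on the destination pod" in the singular and assumes both exist. The hunk header context says pods only become isolated once a NetworkPolicy selects them, so it would help to state what applies when one end is not selected by any policy for that direction, and to use "policy or policies" as the preceding paragraph does.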