invalid ipBlock section in example network policy

[imschuler]

This is a Bug Report

Problem:
In the example network policy :

service/networking/networkpolicy.yaml

on

https://kubernetes.io/docs/concepts/services-networking/network-policies/

there is an invalid ipBlock

ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend

If you run the command

kubectl explain netpol.spec.ingress.from

you can read

ipBlock
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.

Proposed Solution:

remove the ipBlock from the exampple

Page to Update:
https://kubernetes.io/docs/concepts/services-networking/network-policies/

Strange enough no error message is generated when applying the network policy using kubectl .

ipBlock is simply ignored .

[k8s-ci-robot]

This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[lmktfy]

Strange enough no error message is generated when applying the network policy using kubectl .

I think that's because the policy excerpt is actually valid. Can you outline why you think it isn't?

/priority awaiting-more-evidence

[imschuler]

Because 'kubectl explain' tells us that it is invalid to use podSelector or nameSpaceSelector together with ipBlock.

In fact, ipBlock is simply ignored when podSelector and namespaceSelector are specified.

Here is an example ( except is ignored ):

k get netpol test-network-policy -o yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
annotations:
..
name: test-network-policy
namespace: default
..
spec:
ingress:

• from:
  • ipBlock:
    cidr: 10.0.0.0/8
    except:
    • 10.42.0.0/16
  • namespaceSelector:
    matchLabels:
    kubernetes.io/metadata.name: default
  • podSelector: {}
    podSelector: {}
    policyTypes:
• Ingress

k get po -o wide

NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx 1/1 Running 0 4m44s 10.42.1.2 node2
nginx2 1/1 Running 0 99s 10.42.3.2 node4

k exec nginx2 -- curl 10.42.1.2

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 615 100 615 0 0 104k 0 --:--:-- --:--:-- --:--:-- 120k

<title>Welcome to nginx!</title> <style> ...