Ingress and Egress table in Calico Network policy

Hi all,

I have gone through the official documentation of Calico policy and I came across the table below. When both the Ingress and Egress rules are set to “No”, why is the value taken as “Ingress”?

Can anyone please explain the logic behind this?

| Ingress rule present? | Egress rule present? | Value |
|---|---|---|
| No | No | Ingress |
| Yes | No | Ingress |
| No | Yes | Egress |
| Yes | Yes | Ingress, Egress |

The intent here is to match Kubernetes network policy behaviour.

For example, the “enable isolation” policy in the Kubernetes basic policy demo (Kubernetes policy, basic tutorial) is:

```yaml
# Selects every pod in policy-demo and defines no rules
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny
  namespace: policy-demo
spec:
  podSelector:
    matchLabels: {}
```

And the effect of that is to block all ingress traffic to all pods in the policy-demo namespace.

It would be confusing if a similar Calico network policy didn’t result in the same behaviour.
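
The first row of the table in practice, as an added example that is not part of the original posts: two Calico policies for the policy-demo namespace, one that leaves `types` unset and one that sets it explicitly. The policy names are constructed for illustration.

```yaml
# Policy 1: no ingress rules, no egress rules, no explicit types.
# Per the table, types defaults to [Ingress], so this policy
# isolates the selected pods for ingress only. Egress from these
# pods is not restricted by this policy.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny-ingress-implicit   # constructed name
  namespace: policy-demo
spec:
  selector: all()
---
# Policy 2: still no rules, but types is set explicitly.
# The policy now applies in both directions, so the selected pods
# are isolated for ingress and egress until other policies allow
# specific traffic.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny-both               # constructed name
  namespace: policy-demo
spec:
  selector: all()
  types:
  - Ingress
  - Egress
```

When reviewing a cluster for default-deny coverage, a rule-less policy without an explicit `types` field should be read as ingress-only isolation.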