I have a pod which emits metrics and it has multiple egresses associated like -
- authentication endpoint (tcp/443)
- dns (udp/53)
- instance metadata (tcp/80)
- other pods (all)
What would be a good practice to define the policies for all of the above -
1 - all egresses in a single NetworkPolicy
Example (Same policy with all egress)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-multiple-points
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
    - Egress
  egress:
    # authentication endpoint: any IPv4 destination on tcp/443
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
    # dns: no `to` entry, so any destination on udp/53
    - ports:
        - protocol: UDP
          port: 53
    # any IPv4 destination on tcp/9443
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 9443
OR
2 - different NetworkPolicy for each of the egress
Example (Different NetPol for each) -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-auth-endpoint
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
    - Egress
  egress:
    # authentication endpoint: any IPv4 destination on tcp/443
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-dns
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
    - Egress
  egress:
    # dns: no `to` entry, so any destination on udp/53
    - ports:
        - protocol: UDP
          port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-api-server
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
    - Egress
  egress:
    # any IPv4 destination on tcp/9443
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 9443
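The two layouts in the question can be compared mechanically, because NetworkPolicies that select the same pod are additive: a flow is allowed if any rule in any selecting policy allows it. The following added example (not part of the question, and not a Kubernetes library) is a small evaluator of that egress semantics, modelling only the fields used above (podSelector.matchLabels, policyTypes, egress[].to[].ipBlock with cidr/except, egress[].to[].podSelector, egress[].ports). The policies are rebuilt inline as Python dicts, the sample flows and their addresses are constructed, and it runs offline without a cluster. It shows that the single-policy and split-policy layouts allow exactly the same flows, and that flows not written down in either (the metadata endpoint on tcp/80 and pod-to-pod traffic from the bullet list) are denied by both, since a pod selected by an Egress policy only gets what the rules grant.

```python
"""Toy evaluator for Kubernetes NetworkPolicy egress semantics (added example).

Models only: podSelector.matchLabels, policyTypes, egress[].to[].ipBlock
(cidr/except), egress[].to[].podSelector and egress[].ports. All policy and
flow data below is constructed inline; nothing contacts a cluster.
"""
import ipaddress


def selects(selector, labels):
    """matchLabels semantics: every key/value must be present on the pod.
    An empty selector ({}) selects every pod."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, dst):
    """One entry of a rule's `to` list. dst = {"ip": str, "labels": dict}."""
    if "ipBlock" in peer:
        blk = peer["ipBlock"]
        ip = ipaddress.ip_address(dst["ip"])
        if ip not in ipaddress.ip_network(blk["cidr"]):
            return False
        # `except` carves ranges back out of the cidr
        return not any(ip in ipaddress.ip_network(e) for e in blk.get("except", []))
    if "podSelector" in peer:
        return selects(peer["podSelector"], dst.get("labels", {}))
    return False


def port_matches(ports, proto, port):
    """Empty/missing `ports` means any protocol and port."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == proto and (p.get("port") is None or p["port"] == port)
               for p in ports)


def rule_allows(rule, dst, proto, port):
    """Empty/missing `to` (including YAML `to:` with no value) means any destination."""
    to = rule.get("to") or []
    return (not to or any(peer_matches(p, dst) for p in to)) and port_matches(rule.get("ports"), proto, port)


def egress_allowed(policies, src_labels, dst, proto, port):
    """Pods selected by no Egress policy may send anywhere; otherwise the
    allowed set is the union of all rules of all selecting policies."""
    selecting = [p for p in policies
                 if "Egress" in p["spec"].get("policyTypes", [])
                 and selects(p["spec"]["podSelector"], src_labels)]
    if not selecting:
        return True
    return any(rule_allows(r, dst, proto, port) for p in selecting for r in p["spec"].get("egress", []))


def policy(name, rules):
    return {"metadata": {"name": name},
            "spec": {"podSelector": {"matchLabels": {"name": "metrics-emitter"}},
                     "policyTypes": ["Egress"], "egress": rules}}


# The rules from the question, as dicts (constructed from the posted YAML).
ANY_V4 = {"ipBlock": {"cidr": "0.0.0.0/0"}}
RULE_AUTH = {"to": [ANY_V4], "ports": [{"protocol": "TCP", "port": 443}]}
RULE_DNS = {"ports": [{"protocol": "UDP", "port": 53}]}   # no `to`: any destination
RULE_9443 = {"to": [ANY_V4], "ports": [{"protocol": "TCP", "port": 9443}]}

LAYOUT_SINGLE = [policy("metrics-emitter-egress-to-multiple-points", [RULE_AUTH, RULE_DNS, RULE_9443])]
LAYOUT_SPLIT = [policy("metrics-emitter-egress-to-auth-endpoint", [RULE_AUTH]),
                policy("metrics-emitter-egress-to-dns", [RULE_DNS]),
                policy("metrics-emitter-egress-to-api-server", [RULE_9443])]

SRC = {"name": "metrics-emitter"}
FLOWS = {  # constructed sample flows; addresses are illustrative only
    "auth-443": ({"ip": "203.0.113.10"}, "TCP", 443),
    "dns-53": ({"ip": "10.96.0.10"}, "UDP", 53),
    "tls-9443": ({"ip": "203.0.113.20"}, "TCP", 9443),
    "metadata-80": ({"ip": "169.254.169.254"}, "TCP", 80),
    "peer-pod-8080": ({"ip": "10.244.1.7", "labels": {"app": "collector"}}, "TCP", 8080),
}


def evaluate(layout):
    """Map each sample flow name to True (allowed) or False (denied) under a layout."""
    return {name: egress_allowed(layout, SRC, dst, proto, port)
            for name, (dst, proto, port) in FLOWS.items()}


def layouts_equivalent():
    """Both layouts allow exactly the same flows because selecting policies are unioned."""
    return evaluate(LAYOUT_SINGLE) == evaluate(LAYOUT_SPLIT)


if __name__ == "__main__":
    for name, allowed in evaluate(LAYOUT_SINGLE).items():
        print(f"{name:14s} {'ALLOW' if allowed else 'DENY'}")
    print("layouts equivalent:", layouts_equivalent())
```

Because the effective allow-set is identical, the choice between one policy and several is about management rather than enforcement: one policy per destination lets each egress be added, removed or reviewed independently (and shows up by name in audit output), while a single policy keeps the pod's whole egress surface in one file. Whichever layout is used, the evaluator makes the gap visible: neither posted layout grants the metadata endpoint or pod-to-pod traffic listed in the question, so those would need their own rule, and an `ipBlock.except` entry is the usual way to keep a broad cidr from covering an address such as 169.254.169.254.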