I have a pod which emits metrics, and it has multiple egresses associated with it, like:
- authentication endpoint (tcp/443)
- dns (udp/53)
- instance metadata (tcp/80)
- other pods (all)
What would be a good practice for defining the policies for all of the above?
1 - all egresses in a single NetworkPolicy
Example (same policy with all egresses):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-multiple-points
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 443
  - to:            # no peer listed: any destination on UDP/53
    ports:
    - protocol: UDP
      port: 53
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 9443
OR
2 - a different NetworkPolicy for each egress
Example (different NetworkPolicy for each):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-auth-endpoint
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 443
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-dns
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
  - Egress
  egress:
  - to:            # no peer listed: any destination on UDP/53
    ports:
    - protocol: UDP
      port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-api-server
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 9443
It would be better to manage all policies in a single one; otherwise you will have to go through tons of similar lines.
It would also help to mitigate any issue if a similar policy is being added or overwriting happens.
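The four egresses from the question combined into one policy, as an added example and not the asker's or answerer's own manifests; it narrows each rule to the peer actually needed instead of `cidr: 0.0.0.0/0`, which would allow that port to any address on the internet. The `monitoring` namespace, the 203.0.113.0/24 range for the authentication endpoint, and the `k8s-app: kube-dns` label on the cluster DNS pods are assumptions to adjust for your cluster.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress
  namespace: monitoring            # assumed namespace of the metrics-emitter pod
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
  - Egress
  egress:
  # 1. authentication endpoint (tcp/443): only the auth service's address range
  - to:
    - ipBlock:
        cidr: 203.0.113.0/24       # placeholder: replace with the real auth endpoint range
    ports:
    - protocol: TCP
      port: 443
  # 2. dns (udp/53): only the cluster DNS pods in kube-system, not any host on port 53
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns        # assumed label on the CoreDNS/kube-dns pods
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53                     # large responses fall back to TCP
  # 3. instance metadata (tcp/80): the link-local metadata address only
  - to:
    - ipBlock:
        cidr: 169.254.169.254/32
    ports:
    - protocol: TCP
      port: 80
  # 4. other pods (all ports): every pod in this policy's namespace
  - to:
    - podSelector: {}
```

NetworkPolicies are additive, so a second policy that selects the same pods can only widen the allowed egress, never narrow it; keeping all rules in one manifest makes the pod's effective allow set reviewable in one place.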