From 9a2b37a01d0264a4cb1d43ffa0a1f18a2ac71c3a Mon Sep 17 00:00:00 2001 From: JoeAldinger Date: Wed, 30 Apr 2025 11:52:44 -0400 Subject: [PATCH] OSDOCS-14395:adds note about legacy behavior for nil selector in netpol --- modules/nw-networkpolicy-about.adoc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/modules/nw-networkpolicy-about.adoc b/modules/nw-networkpolicy-about.adoc index b6d5bd2fc0..3c0324959b 100644 --- a/modules/nw-networkpolicy-about.adoc +++ b/modules/nw-networkpolicy-about.adoc 
@@ -10,13 +10,16 @@ By default, all pods in a project are accessible from other pods and network end If a pod is matched by selectors in one or more `NetworkPolicy` objects, then the pod will accept only connections that are allowed by at least one of those `NetworkPolicy` objects. A pod that is not selected by any `NetworkPolicy` objects is fully accessible. -A network policy applies to only the TCP, UDP, ICMP, and SCTP protocols. Other protocols are not affected. + +A network policy applies to only the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and Stream Control Transmission Protocol (SCTP) protocols. Other protocols are not affected. [WARNING] ==== -Network policy does not apply to the host network namespace. Pods with host networking enabled are unaffected by network policy rules. However, pods connecting to the host-networked pods might be affected by the network policy rules. +* A network policy does not apply to the host network namespace. Pods with host networking enabled are unaffected by network policy rules. However, pods connecting to the host-networked pods might be affected by the network policy rules. -Network policies cannot block traffic from localhost or from their resident nodes. +* Using the `namespaceSelector` field without the `podSelector` field set to `{}` will not include `hostNetwork` pods. You must use the `podSelector` set to `{}` with the `namespaceSelector` field in order to target `hostNetwork` pods when creating network policies. + +* Network policies cannot block traffic from localhost or from their resident nodes. ==== The following example `NetworkPolicy` objects demonstrate supporting different scenarios:
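Review bot: The new second bullet in the WARNING block is ambiguous and does not say what the commit subject promises. "Using the `namespaceSelector` field without the `podSelector` field set to `{}`" can be read as `podSelector` omitted or as `podSelector` set to a non-empty selector, and the subject line describes this as legacy behavior for a nil selector, yet the text mentions neither "nil"/omitted nor "legacy". Suggest naming the case directly, for example "If you specify `namespaceSelector` and omit `podSelector`, `hostNetwork` pods are not matched", and saying which part of the policy these selectors belong to. The bullet also sits right after "Pods with host networking enabled are unaffected by network policy rules", so a reader who is then told how to "target `hostNetwork` pods" needs one sentence reconciling the two; if the intent is that such pods can be matched as the other end of a connection but are never themselves restricted, say so explicitly, since a wrong reading here leaves someone believing traffic is allowed or isolated when it is not. Minor, in the protocol sentence: "Stream Control Transmission Protocol (SCTP) protocols" repeats the word; drop the trailing "protocols" or reword to "applies only to the following protocols: ...".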