Update NetworkPolicy concept guide with egress and CIDR changes

caseydavenport · caseydavenport · commit 09362728dfd3 · 2017-09-18T18:05:30.000-07:00
diff --git a/docs/concepts/services-networking/network-policies.md b/docs/concepts/services-networking/network-policies.md
@@ -39,6 +39,9 @@ spec:
   podSelector:
     matchLabels:
       role: db
+  policyTypes:
+  - Ingress
+  - Egress
   ingress:
   - from:
     - namespaceSelector:
@@ -50,6 +53,13 @@ spec:
     ports:
     - protocol: TCP
       port: 6379
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 10.0.0.0/24
+    ports:
+    - protocol: TCP
+      port: 5978
 ```
 
 *POSTing this to the API server will have no effect unless your chosen networking solution supports network policy.*
@@ -60,7 +70,11 @@ __spec__: `NetworkPolicy` [spec](https://git.k8s.io/community/contributors/devel
 
 __podSelector__: Each `NetworkPolicy` includes a `podSelector` which selects the grouping of pods to which the policy applies. Since `NetworkPolicy` currently only supports defining `ingress` rules, this `podSelector` essentially defines the "destination pods" for the policy. The example policy selects pods with the label "role=db". An empty `podSelector` selects all pods in the namespace.
 
-__ingress__: Each `NetworkPolicy` includes a list of whitelist `ingress` rules.  Each rule allows traffic which matches both the `from` and `ports` sections. The example policy contains a single rule, which matches traffic on a single port, from either of two sources, the first specified via a `namespaceSelector` and the second specified via a `podSelector`.
+__policyTypes__: Each `NetworkPolicy` includes a `policyTypes` list which may include either `Ingress`, `Egress`, or both. The `policyTypes` field indicates whether or not the given policy applies to ingress traffic to selected pod, egress traffic from selected pods, or both.
+
+__ingress__: Each `NetworkPolicy` may include a list of whitelist `ingress` rules.  Each rule allows traffic which matches both the `from` and `ports` sections. The example policy contains a single rule, which matches traffic on a single port, from either of two sources, the first specified via a `namespaceSelector` and the second specified via a `podSelector`.
+
+__egress__: Each `NetworkPolicy` may include a list of whitelist `egress` rules.  Each rule allows traffic which matches both the `to` and `ports` sections. The example policy contains a single rule, which matches traffic on a single port to any destination in `10.0.0.0/24`.
 
 So, the example NetworkPolicy:
 
@@ -72,7 +86,12 @@ See the [NetworkPolicy getting started guide](/docs/getting-started-guides/netwo
 
 ## Default policies
 
-You can create a "default" isolation policy for a Namespace by creating a NetworkPolicy that selects all pods but does not allow any traffic:
+By default, if no policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that Namespace. The following examples let you change the default behavior
+for a given namespace.
+
+### Default deny all ingress traffic
+
+You can create a "default" isolation policy for a Namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic:
 
 ```yaml
 apiVersion: networking.k8s.io/v1
@@ -81,11 +100,16 @@ metadata:
   name: default-deny
 spec:
   podSelector:
+  policyTypes:
+  - Ingress
 ```
 
-This ensures that even pods that aren't selected by any other NetworkPolicy will still be isolated.
+This ensures that even pods that aren't selected by any other NetworkPolicy will still be isolated. This policy does not change
+the default egress isolation behavior.
 
-Alternatively, if you want to allow all traffic for all pods in a Namespace (even if policies are added that cause some pods to be treated as "isolated"), you can create a policy that explicitly allows all traffic:
+### Default allow all ingress traffic
+
+If you want to allow all traffic for all pods in a Namespace (even if policies are added that cause some pods to be treated as "isolated"), you can create a policy that explicitly allows all traffic:
 
 ```yaml
 apiVersion: networking.k8s.io/v1
@@ -98,6 +122,42 @@ spec:
   - {}
 ```
 
+### Default deny all egress traffic.
+
+You can create a "default" egress isolation policy for a Namespace by creating a NetworkPolicy that selects all pods but does not allow any egress traffic:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+spec:
+  podSelector:
+  policyTypes:
+  - Egress
+```
+
+This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed egress traffic. This policy does not
+change the default ingress isolation behavior.
+
+### Default deny all ingress and all egress traffic
+
+You can create a "default" policy for a Namespace which prevents all ingress AND egress traffic by creating the following NetworkPolicy:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+spec:
+  podSelector:
+  policyTypes:
+  - Ingress
+  - Egress
+```
+
+This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed ingress or egress traffic.
+
 ## What's next?
 
 - See the [Declare Network Policy](/docs/tasks/administer-cluster/declare-network-policy/)
