|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * networking/network_policy/about-network-policy.adoc |
| 4 | + |
| 5 | +[id="nw-networkpolicy-optimize-ovn_{context}"] |
| 6 | += Optimizations for network policy with OpenShift OVN |
| 7 | + |
| 8 | +When designing your network policy, refer to the following guidelines: |
| 9 | + |
| 10 | +* For network policies with the same `spec.podSelector` spec, it is more efficient to use one network policy with multiple `ingress` or `egress` rules, than multiple network policies with subsets of `ingress` or `egress` rules. |
| 11 | + |
| 12 | +* Every `ingress` or `egress` rule based on the `podSelector` or `namespaceSelector` spec generates the number of OVS flows proportional to `number of pods selected by network policy + number of pods selected by ingress or egress rule`. Therefore, it is preferable to use the `podSelector` or `namespaceSelector` spec that can select as many pods as you need in one rule, instead of creating individual rules for every pod. |
| 13 | ++ |
| 14 | +For example, the following policy contains two rules: |
| 15 | ++ |
| 16 | +[source,yaml] |
| 17 | +---- |
| 18 | +apiVersion: networking.k8s.io/v1 |
| 19 | +kind: NetworkPolicy |
| 20 | +metadata: |
| 21 | + name: test-network-policy |
| 22 | +spec: |
| 23 | + podSelector: {} |
| 24 | + ingress: |
| 25 | + - from: |
| 26 | + - podSelector: |
| 27 | + matchLabels: |
| 28 | + role: frontend |
| 29 | + - from: |
| 30 | + - podSelector: |
| 31 | + matchLabels: |
| 32 | + role: backend |
| 33 | +---- |
| 34 | ++ |
| 35 | +The following policy expresses those same two rules as one: |
| 36 | ++ |
| 37 | +[source,yaml] |
| 38 | +---- |
| 39 | +apiVersion: networking.k8s.io/v1 |
| 40 | +kind: NetworkPolicy |
| 41 | +metadata: |
| 42 | + name: test-network-policy |
| 43 | +spec: |
| 44 | + podSelector: {} |
| 45 | + ingress: |
| 46 | + - from: |
| 47 | + - podSelector: |
| 48 | + matchExpressions: |
| 49 | + - {key: role, operator: In, values: [frontend, backend]} |
| 50 | +---- |
| 51 | ++ |
| 52 | +The same guideline applies to the `spec.podSelector` spec. If you have the same `ingress` or `egress` rules for different network policies, it might be more efficient to create one network policy with a common `spec.podSelector` spec. For example, the following two policies have different rules: |
| 53 | ++ |
| 54 | +[source,yaml] |
| 55 | +---- |
| 56 | +metadata: |
| 57 | + name: policy1 |
| 58 | +spec: |
| 59 | + podSelector: |
| 60 | + matchLabels: |
| 61 | + role: db |
| 62 | + ingress: |
| 63 | + - from: |
| 64 | + - podSelector: |
| 65 | + matchLabels: |
| 66 | + role: frontend |
| 67 | +
|
| 68 | +metadata: |
| 69 | + name: policy2 |
| 70 | +spec: |
| 71 | + podSelector: |
| 72 | + matchLabels: |
| 73 | + role: client |
| 74 | + ingress: |
| 75 | + - from: |
| 76 | + - podSelector: |
| 77 | + matchLabels: |
| 78 | + role: frontend |
| 79 | +---- |
| 80 | ++ |
| 81 | +The following network policy expresses those same two rules as one: |
| 82 | ++ |
| 83 | +[source,yaml] |
| 84 | +---- |
| 85 | +metadata: |
| 86 | + name: policy3 |
| 87 | +spec: |
| 88 | + podSelector: |
| 89 | + matchExpressions: |
| 90 | + - {key: role, operator: In, values: [db, client]} |
| 91 | + ingress: |
| 92 | + - from: |
| 93 | + - podSelector: |
| 94 | + matchLabels: |
| 95 | + role: frontend |
| 96 | +---- |
| 97 | ++ |
| 98 | +You can apply this optimization when only multiple selectors are expressed as one. In cases where selectors are based on different labels, it may not be possible to apply this optimization. In those cases, consider applying some new labels for network policy optimization specifically. |
0 commit comments