= Optimizations for network policy with OpenShift OVN
6
+
= Optimizations for network policy with OVN-Kubernetes network plugin
7
7
8
8
When designing your network policy, refer to the following guidelines:
9
9
10
-
* For network policies with the same `spec.podSelector` spec, it is more efficient to use one network policy with multiple `ingress` or `egress` rules, than multiple network policies with subsets of `ingress` or `egress` rules.
10
+
* For network policies with the same `spec.podSelector` spec, it is more efficient to use one network policy with multiple `ingress` or `egress` rules, than multiple network policies with subsets of `ingress` or `egress` rules.
11
11
12
12
* Every `ingress` or `egress` rule based on the `podSelector` or `namespaceSelector` spec generates the number of OVS flows proportional to `number of pods selected by network policy + number of pods selected by ingress or egress rule`. Therefore, it is preferable to use the `podSelector` or `namespaceSelector` spec that can select as many pods as you need in one rule, instead of creating individual rules for every pod.
13
13
+
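Review bot: the bullet at old line 12 / new line 12, which this hunk leaves as context, still reads "generates the number of OVS flows proportional to ..."; since the neighbouring bullet is already being re-indented here, take the chance to make it "generates a number of OVS flows proportional to `number of pods selected by network policy + number of pods selected by ingress or egress rule`". The heading rename from "OpenShift OVN" to "OVN-Kubernetes network plugin" is fine, but check that any cross-references or anchor IDs that point at the old title are updated in the same change, otherwise they break when this renders.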
@@ -18,18 +18,18 @@ For example, the following policy contains two rules:
18
18
apiVersion: networking.k8s.io/v1
19
19
kind: NetworkPolicy
20
20
metadata:
21
-
name: test-network-policy
21
+
name: test-network-policy
22
22
spec:
23
23
podSelector: {}
24
24
ingress:
25
-
- from:
26
-
- podSelector:
27
-
matchLabels:
28
-
role: frontend
29
-
- from:
30
-
- podSelector:
31
-
matchLabels:
32
-
role: backend
25
+
- from:
26
+
- podSelector:
27
+
matchLabels:
28
+
role: frontend
29
+
- from:
30
+
- podSelector:
31
+
matchLabels:
32
+
role: backend
33
33
----
34
34
+
35
35
The following policy expresses those same two rules as one:
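Review bot: the `-` and `+` lines in this hunk carry identical content, so this is an indentation-only change to the YAML; confirm the re-indented block still parses as intended, in particular that the two `- from:` items remain sibling entries under `ingress:` and are not accidentally nested under the first `podSelector:`. It would also help readers to say in the surrounding text that `podSelector: {}` selects every pod in the policy's namespace, since that is what makes the flow-count reasoning in the bullet above (pods selected by the policy plus pods selected by each rule) matter for this example.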
@@ -39,60 +39,66 @@ The following policy expresses those same two rules as one:
39
39
apiVersion: networking.k8s.io/v1
40
40
kind: NetworkPolicy
41
41
metadata:
42
-
name: test-network-policy
42
+
name: test-network-policy
43
43
spec:
44
44
podSelector: {}
45
45
ingress:
46
-
- from:
47
-
- podSelector:
48
-
matchExpressions:
49
-
- {key: role, operator: In, values: [frontend, backend]}
46
+
- from:
47
+
- podSelector:
48
+
matchExpressions:
49
+
- {key: role, operator: In, values: [frontend, backend]}
50
50
----
51
51
+
52
52
The same guideline applies to the `spec.podSelector` spec. If you have the same `ingress` or `egress` rules for different network policies, it might be more efficient to create one network policy with a common `spec.podSelector` spec. For example, the following two policies have different rules:
53
53
+
54
54
[source,yaml]
55
55
----
56
+
apiVersion: networking.k8s.io/v1
57
+
kind: NetworkPolicy
56
58
metadata:
57
-
name: policy1
59
+
name: policy1
58
60
spec:
59
-
podSelector:
60
-
matchLabels:
61
-
role: db
61
+
podSelector:
62
+
matchLabels:
63
+
role: db
62
64
ingress:
63
-
- from:
64
-
- podSelector:
65
-
matchLabels:
66
-
role: frontend
67
-
65
+
- from:
66
+
- podSelector:
67
+
matchLabels:
68
+
role: frontend
69
+
---
70
+
apiVersion: networking.k8s.io/v1
71
+
kind: NetworkPolicy
68
72
metadata:
69
-
name: policy2
73
+
name: policy2
70
74
spec:
71
-
podSelector:
72
-
matchLabels:
73
-
role: client
75
+
podSelector:
76
+
matchLabels:
77
+
role: client
74
78
ingress:
75
-
- from:
76
-
- podSelector:
77
-
matchLabels:
78
-
role: frontend
79
+
- from:
80
+
- podSelector:
81
+
matchLabels:
82
+
role: frontend
79
83
----
80
84
+
81
85
The following network policy expresses those same two rules as one:
82
86
+
83
87
[source,yaml]
84
88
----
89
+
apiVersion: networking.k8s.io/v1
90
+
kind: NetworkPolicy
85
91
metadata:
86
-
name: policy3
92
+
name: policy3
87
93
spec:
88
-
podSelector:
89
-
matchExpressions:
90
-
- {key: role, operator: In, values: [db, client]}
94
+
podSelector:
95
+
matchExpressions:
96
+
- {key: role, operator: In, values: [db, client]}
91
97
ingress:
92
-
- from:
93
-
- podSelector:
94
-
matchLabels:
95
-
role: frontend
98
+
- from:
99
+
- podSelector:
100
+
matchLabels:
101
+
role: frontend
96
102
----
97
103
+
98
104
You can apply this optimization when only multiple selectors are expressed as one. In cases where selectors are based on different labels, it may not be possible to apply this optimization. In those cases, consider applying some new labels for network policy optimization specifically.
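Review bot: the context sentence at new line 52, "the following two policies have different rules", contradicts the examples beneath it: policy1 and policy2 share the same `ingress` rule (`role: frontend`) and differ only in `spec.podSelector` (`role: db` versus `role: client`), which is exactly the case the paragraph is describing. Suggest "the following two policies have the same ingress rule but different pod selectors". The added `apiVersion`/`kind` headers for each policy and the `---` separator between policy1 and policy2 are correct and turn the block into a valid multi-document YAML file that can be applied as-is. The closing sentence at new line 104, "when only multiple selectors are expressed as one", is hard to parse; "only when multiple selectors can be expressed as one" says what the following sentences mean.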