update network-policy by adding egress and ipBlock usage

kubernetes · Sep 23, 2017 · 503f9ef · 503f9ef
1 parent ed5d92d
commit 503f9ef
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/docs/concepts/services-networking/network-policies.md b/docs/concepts/services-networking/network-policies.md
@@ -41,6 +41,10 @@ spec:
       role: db
   ingress:
   - from:
+    - ipBlock:
+        cidr: 172.17.0.0/16
+        except:
+        - 172.17.1.0/24
     - namespaceSelector:
         matchLabels:
           project: myproject
@@ -62,6 +66,11 @@ __podSelector__: Each `NetworkPolicy` includes a `podSelector` which selects the
 
 __ingress__: Each `NetworkPolicy` includes a list of whitelist `ingress` rules.  Each rule allows traffic which matches both the `from` and `ports` sections. The example policy contains a single rule, which matches traffic on a single port, from either of two sources, the first specified via a `namespaceSelector` and the second specified via a `podSelector`.
 
+__ipBlock__: `ipBlock` describes a particular CIDR that is allowed to
+the pods matched by a NetworkPolicySpec's podSelector. The `except` entry
+is a slice of CIDRs that should not be included within an IP Block. Except
+values will be rejected if they are outside the CIDR range.
+
 So, the example NetworkPolicy:
 
 1. isolates "role=db" pods in the "default" namespace (if they weren't already isolated)