How Do Ingress and Egress Network Policy Rules Work?
Ingress rules control incoming traffic to selected Pods — which sources and ports are allowed. Egress rules control outgoing traffic — which destinations and ports are allowed. Rules use podSelector, namespaceSelector, and ipBlock to define allowed endpoints, combined with port specifications.
Detailed Answer
Understanding the difference between ingress and egress rules — and how selectors combine — is essential for writing correct Network Policies.
Ingress Rules
Ingress rules define which sources can send traffic to the selected Pods:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-ingress
namespace: production
spec:
podSelector:
matchLabels:
app: api
policyTypes:
- Ingress
ingress:
# Rule 1: Allow from frontend Pods on port 8080
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080
# Rule 2: Allow from monitoring namespace on port 9090
- from:
- namespaceSelector:
matchLabels:
name: monitoring
ports:
- protocol: TCP
port: 9090
Traffic is allowed if it matches any of the ingress rules (OR logic between rules).
Egress Rules
Egress rules define which destinations the selected Pods can send traffic to:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-egress
namespace: production
spec:
podSelector:
matchLabels:
app: api
policyTypes:
- Egress
egress:
# Allow to database
- to:
- podSelector:
matchLabels:
app: database
ports:
- protocol: TCP
port: 5432
# Allow to external API
- to:
- ipBlock:
cidr: 203.0.113.0/24
ports:
- protocol: TCP
port: 443
# Allow DNS
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: UDP
port: 53
Critical: AND vs OR Logic
This is the most common source of Network Policy bugs.
OR Logic: Multiple items in from/to array
ingress:
- from:
- podSelector: # Source A
matchLabels:
app: frontend
- namespaceSelector: # OR Source B
matchLabels:
name: monitoring
This allows traffic from frontend Pods OR from the monitoring namespace. Each - item in the from array is ORed.
AND Logic: Multiple selectors in the same item
ingress:
- from:
- podSelector: # AND
matchLabels:
app: frontend
namespaceSelector: # (same item — no leading dash)
matchLabels:
name: production
This allows traffic from Pods labeled app: frontend AND in the production namespace. Both conditions must be true.
The Difference Visualized
OR (two separate items):
from:
- podSelector: {matchLabels: {app: A}} # From app A in ANY namespace
- namespaceSelector: {matchLabels: {n: B}} # From ANY Pod in namespace B
AND (one combined item):
from:
- podSelector: {matchLabels: {app: A}} # From app A
namespaceSelector: {matchLabels: {n: B}} # IN namespace B
Selector Types
podSelector
Select Pods by label in the same namespace:
- podSelector:
matchLabels:
app: frontend
tier: web
namespaceSelector
Select all Pods in namespaces matching labels:
- namespaceSelector:
matchLabels:
environment: production
ipBlock
Select external IP ranges:
- ipBlock:
cidr: 10.0.0.0/8
except:
- 10.0.1.0/24 # Exclude this subnet
Port Ranges
Since Kubernetes 1.25, you can specify port ranges:
ports:
- protocol: TCP
port: 8000
endPort: 8999 # Allow ports 8000-8999
Combined Ingress and Egress Policy
A complete policy for an API service:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-full-policy
namespace: production
spec:
podSelector:
matchLabels:
app: api
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
- podSelector:
matchLabels:
app: mobile-bff
ports:
- protocol: TCP
port: 8080
egress:
- to:
- podSelector:
matchLabels:
app: database
ports:
- protocol: TCP
port: 5432
- to:
- podSelector:
matchLabels:
app: cache
ports:
- protocol: TCP
port: 6379
- ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
Empty Selectors
An empty selector has special meaning:
# podSelector: {} means ALL Pods in the namespace
# namespaceSelector: {} means ALL namespaces
ingress:
- from:
- namespaceSelector: {} # Allow from ALL namespaces
This is equivalent to "allow from anywhere in the cluster."
Why Interviewers Ask This
Interviewers ask this to assess whether you can write precise Network Policies that implement least-privilege networking for production workloads.
Common Follow-Up Questions
Key Takeaways
- Ingress rules define allowed incoming traffic; egress rules define allowed outgoing traffic.
- Selectors within the same from/to item use AND logic; multiple from/to items use OR logic.
- Always specify both source/destination and port for precise rules.