kubernetes-network-policy-recipes
Document CIDR blocks
The Network Policy below allows access to all, except internal networks (192.168.0.0/16 and 172.23.40.0/24)
```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-external
  namespace: dmz
spec:
  podSelector: {}        # empty selector: the policy applies to every pod in the dmz namespace
  policyTypes:
  - Egress
  - Ingress              # Ingress is listed but no ingress rules are given, so all ingress is denied
  egress:
  - to:
    # Each entry below is a separate NetworkPolicyPeer; a destination is allowed if any one matches.
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.0.0/16
        - 172.23.42.0/24
    - namespaceSelector:   # requires the namespace to carry the label name=dmz
        matchLabels:
          name: dmz
```
Can namespaceSelector and ipBlock really be combined? According to https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#networkpolicypeer-v1-networking-k8s-io:
ipBlock -- IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
I don't think anyone claimed they can be combined.
@rhuss that documentation refers to NetworkPolicyPeer. The example above is NetworkPolicy
@boredabdel NetworkPolicyPeer is a subtype that is used for the `to:` and `from:` field for egress and ingress rules, respectively (so it's the type of the `to:` field in this example). The documentation refers precisely to this example.
@ahmetb aren't both used at the same time in the example in https://github.com/ahmetb/kubernetes-network-policy-recipes/issues/6#issuecomment-404137084 ? 🤔 (my comment above was actually referring to this example here)
No, they're separate independent "to" targets in an array that's additive?
gotcha. sorry for the noise.
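The point settled in the thread, as an added example that is not part of the issue or the recipes repo: entries in an egress `to:` list are independent NetworkPolicyPeers that are ORed, while inside a single peer `ipBlock` may not be combined with `podSelector`/`namespaceSelector`. The evaluator below encodes both rules and runs the policy's own `to:` list (it follows the YAML, which lists 172.23.42.0/24) against a few constructed destinations. It is a model of the semantics, not the kube-controller or CNI code; the destination dict shape, the `external`/`pod` helpers and the `peer_is_valid` wrapper are assumptions made for the example.

```python
"""Model of how a NetworkPolicy egress `to` list selects destinations:
each entry is an independent NetworkPolicyPeer (ORed), and within one peer
ipBlock may not be combined with podSelector/namespaceSelector."""
import ipaddress
from typing import Any, Dict, List

# Constructed input: the `to:` list from the policy in this issue, as a dict
# with the same shape as the YAML.
DMZ_EGRESS_TO: List[Dict[str, Any]] = [
    {"ipBlock": {"cidr": "0.0.0.0/0",
                 "except": ["192.168.0.0/16", "172.23.42.0/24"]}},
    {"namespaceSelector": {"matchLabels": {"name": "dmz"}}},
]

PEER_FIELDS = {"ipBlock", "podSelector", "namespaceSelector"}


def validate_peer(peer: Dict[str, Any]) -> None:
    """Apply the NetworkPolicyPeer constraint quoted from the API reference:
    if ipBlock is set, neither selector may be set in the same peer.
    Also checks that every `except` range lies inside `cidr`."""
    keys = set(peer)
    if not keys:
        raise ValueError("empty NetworkPolicyPeer")
    if keys - PEER_FIELDS:
        raise ValueError(f"unknown NetworkPolicyPeer fields: {sorted(keys - PEER_FIELDS)}")
    if "ipBlock" in keys and len(keys) > 1:
        raise ValueError("ipBlock cannot be combined with a selector in one peer")
    if "ipBlock" in keys:
        cidr = ipaddress.ip_network(peer["ipBlock"]["cidr"], strict=False)
        for exc in peer["ipBlock"].get("except", []):
            if not ipaddress.ip_network(exc, strict=False).subnet_of(cidr):
                raise ValueError(f"except {exc} is not inside cidr {cidr}")


def peer_is_valid(peer: Dict[str, Any]) -> bool:
    """Boolean wrapper around validate_peer (assumed helper for the example)."""
    try:
        validate_peer(peer)
        return True
    except ValueError:
        return False


def _labels_match(selector: Dict[str, Any], labels: Dict[str, str]) -> bool:
    """matchLabels: every selector key must be present with the same value.
    An empty selector ({}) matches everything."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer: Dict[str, Any], dst: Dict[str, Any], policy_namespace: str) -> bool:
    """Does one peer select the destination `dst`?

    dst (assumed shape): {"ip": str, "namespace": str or None,
                          "namespace_labels": dict, "pod_labels": dict}.
    namespace=None models a destination that is not a cluster pod."""
    validate_peer(peer)
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(dst["ip"])
        blk = peer["ipBlock"]
        if ip not in ipaddress.ip_network(blk["cidr"], strict=False):
            return False
        return not any(ip in ipaddress.ip_network(e, strict=False)
                       for e in blk.get("except", []))
    # Selector peers only ever match pods.
    if dst["namespace"] is None:
        return False
    if "namespaceSelector" in peer:
        if not _labels_match(peer["namespaceSelector"], dst["namespace_labels"]):
            return False
    elif dst["namespace"] != policy_namespace:
        # podSelector on its own is scoped to the policy's own namespace.
        return False
    if "podSelector" in peer and not _labels_match(peer["podSelector"], dst["pod_labels"]):
        return False
    return True


def egress_allows(to_peers: List[Dict[str, Any]], dst: Dict[str, Any],
                  policy_namespace: str = "dmz") -> bool:
    """Peers in `to` are ORed: the destination is allowed if any one matches."""
    return any(peer_matches(p, dst, policy_namespace) for p in to_peers)


def external(ip: str) -> Dict[str, Any]:
    """Constructed destination outside the cluster."""
    return {"ip": ip, "namespace": None, "namespace_labels": {}, "pod_labels": {}}


def pod(ip: str, namespace: str, ns_labels: Dict[str, str]) -> Dict[str, Any]:
    """Constructed destination that is a pod in the given namespace."""
    return {"ip": ip, "namespace": namespace, "namespace_labels": ns_labels, "pod_labels": {}}


if __name__ == "__main__":
    print(egress_allows(DMZ_EGRESS_TO, external("8.8.8.8")))
    print(egress_allows(DMZ_EGRESS_TO, external("192.168.1.6")))
    print(egress_allows(DMZ_EGRESS_TO, pod("192.168.1.5", "dmz", {"name": "dmz"})))
```

The third case is the one worth noticing: a dmz pod whose address falls inside the excluded 192.168.0.0/16 is still reachable, because the ipBlock peer's `except` only narrows that one peer, and the namespaceSelector peer independently allows it. Putting the selector inside the same peer as the ipBlock is rejected by `validate_peer`, which is the API-level rule rhuss quoted.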