Update network-policies.md

[sdarwin]

Add explanation of policy evaluation order from kubernetes/kubernetes#75435

[k8s-ci-robot]

Welcome @sdarwin!

It looks like this is your first PR to kubernetes/website 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/website has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[netlify]

Deploy preview for kubernetes-io-master-staging ready!

Built with commit a02f9b9

https://deploy-preview-17335--kubernetes-io-master-staging.netlify.com

[bradtopol]

/cc @cmluciano

[bradtopol]

/assign

[bradtopol]

Hi @cmluciano can you serve as a technical reviewer for this? Just add a /lgtm when you feel it is technically correct and I'll take care of the rest. Thanks!

[thockin]

really nit: "If any policy selects a pod"

[sdarwin]

just in this context, "If policies select a pod" could be worded "If multiple policies select a pod" , since it's about explaining that situation, of multiple policies/rules, rather than the case of a single policy.

[thockin]

The point is that AS SOON as *one* policy selects a pod, rules apply. Whether that is one, two, or 10 additive policies.

…

On Fri, Nov 1, 2019 at 8:39 AM Sam Darwin ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In content/en/docs/concepts/services-networking/network-policies.md <#17335 (comment)>: > @@ -28,6 +28,8 @@ By default, pods are non-isolated; they accept traffic from any source. Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy. (Other pods in the namespace that are not selected by any NetworkPolicy will continue to accept all traffic.) +Network policies do not conflict, they are additive. If policies select a pod, the pod is restricted to what is allowed by the union of those policies' ingress/egress rules. Thus, order of evaluation does not affect the policy result. just in this context, "If policies select a pod" could almost be worded "If multiple policies select a pod" , since it's about explaining that situation, of multiple rules, rather than the case of a single policy. — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub <#17335?email_source=notifications&email_token=ABKWAVCH5XIDTX3AVNA6TDLQRRESPA5CNFSM4JHM3SKKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCKBE6RQ#discussion_r341628666>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKWAVC4FZIMQHPE62DPV5TQRRESPANCNFSM4JHM3SKA> .

[sdarwin]

The point is that AS SOON as one policy selects a pod, rules apply. Whether that is one, two, or 10 additive policies.

That is certainly true.

The original sentence was copied verbatim from kubernetes/kubernetes#75435

An issue is that later in the sentences it refers back to "those policies'" which is plural. If the first part of the sentence switches to singular such as "if any (one) policy", then the later part should switch too.

Example updates:

choice 1: "If any policy selects a pod, the pod is restricted to what is allowed by the union of all applicable policies' ingress/egress rules."

choice 2: "If any policy or policies select a pod, the pod is restricted to what is allowed by the union of all those policies' ingress/egress rules."

perhaps choice 2?

[thockin]

#2 SGTM

…

On Fri, Nov 1, 2019 at 11:42 AM Sam Darwin ***@***.***> wrote: The point is that AS SOON as *one* policy selects a pod, rules apply. Whether that is one, two, or 10 additive policies. That is certainly true. The original sentence was copied verbatim from kubernetes/kubernetes#75435 <kubernetes/kubernetes#75435> An issue is that later in the sentences it refers back to "those policies'" which is plural. If the first part of the sentence switches to singular such as "if any (one) policy", then the later part should switch too. Example updates: choice 1: "If any policy selects a pod, the pod is restricted to what is allowed by the *union* of all applicable policies' ingress/egress rules." choice 2: "If any policy or policies select a pod, the pod is restricted to what is allowed by the *union* of all those policies' ingress/egress rules." perhaps choice 2? — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub <#17335?email_source=notifications&email_token=ABKWAVHN3F6IXI6OTOJU6DTQRR2BXA5CNFSM4JHM3SKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEC32B3I#issuecomment-548905197>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKWAVADC4LBHIEYD74CG7DQRR2BXANCNFSM4JHM3SKA> .

[cmluciano]

These changes look good per Tim’s comments

/lgtm

[makoscafee]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: makoscafee

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/OWNERS [makoscafee]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment