Tags: kubernetes, kubernetes-networkpolicy

Conflicting NetworkPolicies in kubernetes


Suppose I have 2 network policies, for nodes matching labels "app=database". Suppose:

  • First policy has rules that block all ingress traffic.
  • Second policy has a rule that allows ingress traffic on port 5660.

Even though this is a simple example, how does Kubernetes decide which rule wins? In more complex scenarios with several overlapping rules maybe covering similar pods, how would this be managed? E.g.: can we define priorities in Network policies?

Thanks.


Solution

  • Kubernetes network policies right now do not allow deny policies. There are only allow policies. You basically put together all the allowed policies for the pod to get the allowed connections.

    When there are one or more network policies on a pod, then all the connections allowed by at least one of the network policies, will be allowed.

    So how does the default deny work? It just tells that the allowed connections are none.

    A more detailed explanation is available here.
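The two policies from the question written out as manifests, as an added example that is not part of the original post or answer; the namespace name and policy names are assumptions. Applied together, the union of what they allow is exactly "TCP port 5660 from any source", because the first contributes an empty set and the second contributes one rule.

```yaml
# Added example, not from the original post. Namespace "prod" and the
# policy names are assumptions; the pod label app=database is from the question.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-default-deny-ingress
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  # No "ingress" list at all: this policy selects the pods but allows
  # nothing, so on its own it isolates them for ingress ("default deny").
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-allow-5660
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  ingress:
  # A rule with "ports" but no "from" matches any source on that port.
  # Because policies are additive, this rule is added to the empty set
  # above; there is nothing to "override" and no ordering between the two.
  - ports:
    - protocol: TCP
      port: 5660
```

After applying both, `kubectl describe networkpolicy -n prod` lists each policy separately; the effective rule set for the pods is the union of their `ingress` entries, so tightening the second policy's `from` is how you narrow the allowed sources.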