Say, I have something like this:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress-to-festiv-app
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: festiv
  policyTypes:
  - Ingress
Will the k8s api-server still be able to reach my `app: festiv` labeled pod, if its use case is to extend the k8s api-server by leveraging its aggregation layer and it is registered as an APIService?
What will the "decision" depend on? Is it how one sets up the api-server itself? Is it based on the CNI plugin used? etc.
You will need to add the IP address of the API server, taken from this answer.
Use this tool to create and check network policies, and this tool to calculate CIDR blocks.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress-to-festiv-app
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 34.76.197.27/32
  egress: []
See here
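To see why the second manifest is needed, here is an added example (not code from the question or the answer) that models the ingress decision a CNI plugin makes from a set of NetworkPolicy objects: it handles only `ipBlock` (with `except`) and same-namespace `podSelector` peers, ignores ports and `namespaceSelector`, and uses the API server address from the answer above as a constructed sample. With only the question's deny-all policy, the API server is dropped; adding the allow policy lets it through while everything else stays blocked.

```python
import ipaddress

# Constructed sample policies that mirror the two manifests on this page.
DENY_INGRESS_TO_FESTIV = {
    "metadata": {"namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "festiv"}},
             "policyTypes": ["Ingress"]},
}
ALLOW_APISERVER_INGRESS = {
    "metadata": {"namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
             "ingress": [{"from": [{"ipBlock": {"cidr": "34.76.197.27/32"}}]}],
             "egress": []},
}

def selects(selector, labels):
    """matchLabels-only selector; an empty selector ({}) selects every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src_ip, src_labels):
    """One entry of a rule's 'from' list. Only ipBlock and a same-namespace
    podSelector are modelled; namespaceSelector and ports are out of scope."""
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(src_ip), peer["ipBlock"]
        if ip not in ipaddress.ip_network(blk["cidr"], strict=False):
            return False
        return not any(ip in ipaddress.ip_network(x, strict=False)
                       for x in blk.get("except", []))
    # podSelector peers only ever match traffic coming from pods in the cluster
    return src_labels is not None and selects(peer.get("podSelector", {}), src_labels)

def ingress_allowed(policies, pod_labels, pod_ns, src_ip, src_labels=None):
    """Decide whether a connection from src_ip (optionally a pod carrying
    src_labels in the same namespace) may reach a pod with pod_labels."""
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == pod_ns
                  and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                  and selects(p["spec"].get("podSelector", {}), pod_labels)]
    if not applicable:
        return True          # no policy selects this pod: everything is allowed
    for pol in applicable:   # policies are additive: any matching rule allows
        for rule in pol["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:    # a rule with no 'from' admits every source
                return True
            if any(peer_matches(peer, src_ip, src_labels) for peer in peers):
                return True
    return False             # selected by a policy, matched by no rule: dropped
```

Whether the real cluster behaves this way still depends on the CNI plugin actually enforcing NetworkPolicy, which is the point the question raises.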