Configuring Network Resources
When configuring some network
resources, you must be aware of certain restrictions.
Limits on Tags and Labels
Tags have the following limits:
- The tag scope has a limit of 128 characters.
- The tag value has a limit of 256 characters.
- Each object can have a maximum of 30 tags.
These limits might cause
issues when Kubernetes or OpenShift annotations are copied to
NSX
scopes
and tags and the limits are exceeded. For example, if a tag is for a switch
port and the tag is used in a firewall rule, the rule might not be applied as
expected because the annotation key or value was truncated when copied to a
scope or tag.
Labels have the following limits:
- A pod can have no more than 25 labels.
- A namespace can have no more than 27 labels.
- An Ingress controller pod can have no more than 24 labels.
Network Policies
A
NetworkPolicy
resource has
the following limitations:- ApodSelectorornamespaceSelectorcannot have more than 4matchLabels.
- In aningress fromsection oregress tosection, if you have a single element that specifies bothnamespaceSelectorandpodSelector, thenamespaceSelectormust not select more than 5 namespaces. Otherwise, you will get an error. An example of such a specification (notice that there is no hyphen beforepodSelector):- namespaceSelector: matchLabels: project: myproject podSelector: matchLabels: role: db
- For any ingress or egress rule, the total number ofnamespaceSelectors pluspodSelectors cannot be more than 5. For example, the following is not allowed because the rule has a total of 6 selectors:ingress: - namespaceSelector: matchLabels: project: myproject1 - namespaceSelector: matchLabels: project: myproject2 - namespaceSelector: matchLabels: project: myproject3 - podSelector: matchLabels: role: db - podSelector: matchLabels: role: app - podSelector: matchLabels: role: infra
- Allow-all-egress network policy withnamedPortsin theto.portssection is not supported.
- In Policy mode, when specifyingmatchExpressionsinpodSelectorornamespaceSelector, at most oneInoperator is allowed. If you specify bothnamespaceSelectorandpodSelector, you can have at most oneInoperator for one of them. You cannot have anInoperator for both of them. For example, the following specification is not allowed:- namespaceSelector: matchExpressions: - {key: key1, operator: In, values: [value1]} podSelector: matchExpressions: - {key: key1, operator: In, values: [value1]}
- In Manager mode, when specifyingmatchExpressionsinpodSelector,namespaceSelector, or bothnamespaceSelectorandpodSelector, there is no restriction on the number ofInoperators.
- Network policy with SCTP in theprotocolfield is not supported.
To work around the limitations, you can
create a network policy with
matchLabels
that are more
specific, or replace one network policy with several network policies that do not
require more than 5 selectors.If a network policy is not supported by NCP, NCP will
annotate it with an error. You can update the network policy to fix the error and
NCP will process it again.
If a network policy has only egress specified but
not ingress, no firewall rule is created for ingress traffic. Similarly, if a
network policy has only ingress specified but not egress, no firewall rule is
created for egress traffic.
When NSX App ID firewall rules are
applied to resources created by NCP, only the "Segment" and "Segment Port" group
membership criteria are supported. Note that the App ID firewall rule feature is
supported only if NCP is configured to use NSX policy API.