When integrating Kubernetes via the Antrea CNI, vDefend allows administrators to dynamically group container workloads to apply broad security policies. You can group these workloads by native Kubernetes metadata attributes, specifically their K8s Namespace, the K8s Service they belong to, or their Antrea Egress IP bindings.
However, you cannot use a K8s NetworkPolicy as a grouping criterion. A NetworkPolicy is the actual security rule/enforcement intent applied to the pods, not an identity attribute or label of the pod itself. Grouping by a rule to apply another rule creates a logical conflict, so it is not an available option in the vDefend UI.