matchExpressions or matchLabels structures.
A Kubernetes Service spec.selector strictly uses a flat map of
equality-based labels. It does not support nested selectors or set-based expressions.
However, Workloads (such as Deployments, ReplicaSets, and DaemonSets) and NetworkPolicies fully support all three selector variations.
The examples below demonstrate how these fields are used across different Kubernetes objects to target Pods.
1. Service Selector (Strictly Equality-Based Map)
matchLabels map, but you do not write
the word matchLabels in a Service manifest.
Example
apiVersion: v1
kind: Service
metadata:
name: payment-service
spec:
ports:
- port: 80
targetPort: 8080
# Services ONLY support this flat key-value syntax
selector:
app: payment-processor
environment: production
app=payment-processor AND
environment=production.
2. Workload Example: Using matchLabels
In a Deployment or ReplicaSet,
matchLabels is a nested map under
spec.selector.
Every key-value pair must match exactly for a Pod to be selected.
Example
apiVersion: apps/v1
kind: Deployment
metadata:
name: payment-deployment
spec:
replicas: 3
selector:
matchLabels:
app: payment-processor
tier: backend
template:
metadata:
labels:
app: payment-processor
tier: backend
spec:
containers:
- name: app
image: nginx:latest
app=payment-processor and
tier=backend.
3. Workload Example: Using matchExpressions
Set-based selectors provide more advanced filtering capabilities than simple equality matching.
Supported operators include:
InNotInExistsDoesNotExist
Example
apiVersion: apps/v1
kind: Deployment
metadata:
name: processing-deployment
spec:
replicas: 2
selector:
matchExpressions:
- key: environment
operator: In
values: [production, staging]
- key: LegacyApp
operator: DoesNotExist
template:
metadata:
labels:
environment: production
spec:
containers:
- name: worker
image: redis:alpine
environment=productionexists in the allowed values list.- The label
LegacyAppdoes not exist.
4. Workload Example: Combining matchLabels and matchExpressions
A Pod must satisfy every condition in both blocks to be selected.
Example
apiVersion: apps/v1
kind: Deployment
metadata:
name: complex-selector-deployment
spec:
replicas: 2
selector:
matchLabels:
tier: frontend
matchExpressions:
- key: release
operator: NotIn
values: [canary, beta]
template:
metadata:
labels:
tier: frontend
release: stable
spec:
containers:
- name: web
image: nginx:alpine
tier=frontendmust exist.releasemust NOT becanaryorbeta.
5. NetworkPolicy Example: Service Alternative
If you need complex selection logic for traffic control, use a Kubernetes NetworkPolicy instead of a Service selector.
NetworkPolicies support both
matchLabels and
matchExpressions.
Example
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: restrict-payment-access
spec:
podSelector:
matchLabels:
tier: backend
ingress:
- from:
- podSelector:
matchExpressions:
- key: app
operator: In
values: [frontend, API-gateway]
app label is either
frontend or
API-gateway,
and only toward Pods labeled
tier=backend.
Quick Comparison
| Kubernetes Object | matchLabels | matchExpressions | Flat Selector Map |
|---|---|---|---|
| Service | ❌ No | ❌ No | ✅ Yes |
| Deployment | ✅ Yes | ✅ Yes | ❌ No |
| ReplicaSet | ✅ Yes | ✅ Yes | ❌ No |
| DaemonSet | ✅ Yes | ✅ Yes | ❌ No |
| NetworkPolicy | ✅ Yes | ✅ Yes | ❌ No |
No comments:
Post a Comment