Exam CKA topic 1 question 5 discussion

I think this asnwer is wrong the solution should be apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: internal ports: - protocol: TCP port: 9000

For this question, we should create a label for "internal" namespace in further YAML. # k label ns internal tier=internal apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: tier: internal ports: - protocol: TCP port: 9000

killer_sh_lab: part1 # Changing to port 80 for test purposes # From internal to fubar # netpol is in fubar # ingress is from internal k create ns fubar --labels=’name=fubar’ k run nginx -n=fubar --image nginx --port 80 k create ns internal --labels=’name=internal’ k run nginx2 -n=internal --image nginx --port 80 --labels=’name=internal’

Due to this part: "- does not allow access from Pods, which are not in namespace internal" -means that even pods in namespace fubar should not be able to reach other pods in same namespace. I would suggest to do following : ---- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: {} # Selects all Pods in the `fubar` namespace policyTypes: - Ingress - Egress ingress: - from: - namespaceSelector: matchLabels: name: internal ports: - protocol: TCP port: 9000 this way Egress is specified but due to fact nothing is defined pod in same NSs are not able to communicate.

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: # Selects Pods in the namespace where the NetworkPolicy is applied matchLabels: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: # Allow traffic only from Pods in the 'internal' namespace matchLabels: name: internal ports: - protocol: TCP port: 9000 # Allow connections to port 9000 egress: - to: - namespaceSelector: # Allow traffic only to Pods in the 'fubar' namespace matchLabels: name: fubar ports: - protocol: TCP port: 9000 # Allow connections to port 9000

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: name: internal ports: - protocol: TCP port: 9000

I think we need to check my-app labels first to match it,

Tested locally and this worked for me Used Nginx Pod with port set to 9000 in the fubar namespace Used Alpine Pod image alpine/curl in the internal namespace for testing exec into the Alpine Pod and run the command: curl (your nginx pod IP seperated by dashes).fubar.pod.cluster.local:9000 Policy: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: "internal" ports: - protocol: TCP port: 9000

I still fail to understand this question. Do they want me to create a policy that allows only traffic on port 9000 from namespace internal (x2 ingress) or do they want to create a network policy to restrict incoming traffic, so that only pods FROM (ingress) internal namespace are allowed and pods TO (egress) port 9000 ?

To one who wonder where this from: kubernetes.io/metadata.name: internal, run: k get ns internal --show-labels

Should we also add deny any any and add NP to access port 9000 in ns foobar, from internal?

Maybe this? apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: matchLabels: - namespaceSelector: matchExpressions: - key: namespace operator: In Values: ["fubar"] policyTypes: - Ingress - Egress ingress: - from: - namespaceSelector: matchExpressions: - key: namespace operator: In Values: ["internal"] ports: - protocol: TCP port: 9000

using this I get an error so I had to use label, at least practicing not in exam yet kubernetes.io/metadata.name: internal

Is there a template during the exam or do we have to write it all from scratch?

Sorry, I disagree with : matchLabels: kubernetes.io/metadata.name: internal I suggest : ingress: - from: - namespaceSelector: matchLabels: items[0].metadata.namespace: internal # from query kubectl get po with jsonpath What do you think ?

They have asked us for namespace internal, hence following is the correct under matchlabels kubernetes.io/metadata.name: internal

no magic: (this policy is ns scoped so no need any labelling on ns) tested, works apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: {} policyTypes: - Ingress ingress: - from: ports: - protocol: TCP port: 9000