Hello guys, I am not sure why my answer to question#5 in mock exam 3 was marked . . .

SaidBen:
Hello guys, I am not sure why my answer to question #5 in mock exam 3 was marked wrong. This is about creating a NetworkPolicy that allows incoming traffic to port 80. This is what I had as an answer; can you shed some light on what I am missing? Thanks in advance.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-to-nptest
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
    ports:
    - protocol: TCP
      port: 80

Vasu P:
Please remove namespace and try again. If I remember correctly we need to allow traffic from all pods.

SaidBen:
Netpols are namespaced objects. After applying this policy, I was able to curl the np-test po from another pod that lives in the same namespace using its IP address, but couldn't hit the np-test pod when I tried to curl it through its service.
$ k api-resources --namespaced | grep -i netpol
networkpolicies   netpol   networking.k8s.io   true   NetworkPolicy

Vasu P:
I got confused, thanks

SaidBen:
A namespaced object simply means that it operates within a namespace, not at the cluster level.

Vasu P:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-to-nptest
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  ingress:
  - from:
    ports:
    - protocol: TCP
      port: 80
  policyTypes:
  - Ingress

Vasu P:
this one works for me

Vasu P:
I believe podSelector inside from only allows requests from pods.

    - podSelector: {}

Mayur Sharma:
@SaidBen
ingress:
- from:
  - podSelector: {}

The above expression means it will select all the pods, and as the namespace selector is not given, it will apply to the namespace of the policy (i.e. default in this case). Hence traffic from other namespaces is not allowed.

Hope this helps

SaidBen:
Good point guys! I am wondering if adding namespaceSelector: {} would do it as well; I will try it and let you guys know.
ingress:
- from:
  - podSelector: {}
  - namespaceSelector: {}
  ports:
  - protocol: TCP
    port: 80

SaidBen:
Hey guys, I've just watched the video about netpol again; according to Mumshad, this should accept the traffic from all pods of ALL namespaces:
ingress:
- from:
  - podSelector: {}
  ports:
  - protocol: TCP
    port: 80

SaidBen:
I believe this is correct as well because I was able to reach the pod; the exam answer is probably looking for a specific YAML structure.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-to-nptest
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
    ports:
    - protocol: TCP
      port: 80

Mayur Sharma:
@SaidBen Have you tried the one you mentioned?
ingress:
- from:
  - podSelector: {}

I believe it will block traffic from pods of other namespaces and allow traffic from all the pods from the namespace in which the network policy is applied.

And yes, adding a namespace selector will give you what you are looking for (allow all traffic from all pods of all namespaces):
namespaceSelector: {}

SaidBen:
I've only tested from within the default namespace and it worked. In the lecture, it says that this should also work from outside the default ns, but I haven't tried it to confirm.

Mayur Sharma:
It seems the question expects to allow the traffic from the same namespace (though it is not clear).