Hi I am having a problem with the mock exam on network policy ? Code snippet no . . .

Edmund Kueh:
Hi I am having a problem with the mock exam on network policy? Code snippet no 1 is not working, as it is blocking connection from port 80 while code snippet no 2 is the correct…. The only difference is the podSelector which I have set to {} which means selecting all pods….

# No 1

  spec:
    podSelector:
      matchLabels:
        run: np-test-1
    policyTypes:
    - Ingress
    ingress:
    - from:
      - podSelector: {}
      ports:
      - protocol: TCP
        port: 80

# No 2

  spec:
    podSelector:
      matchLabels:
        run: np-test-1
    policyTypes:
    - Ingress
    ingress:
    - from:
      ports:
      - protocol: TCP
        port: 80

Lakshminarayanan Krishnan:
Need to test this one out…however…

Lakshminarayanan Krishnan:
Watch this video by Ahmet Balkan on NetPol: https://www.youtube.com/watch?v=3gGpMmYeEO8

Lakshminarayanan Krishnan:
He explains it clearly

Kicky:
@Edmund Kueh Can u do a describe of the network policy no 1 and see what it says

Lakshminarayanan Krishnan:
@Edmund Kueh / @Kicky okay I figured it out just now

Edmund Kueh:
@Lakshminarayanan Krishnan Thx for sharing the video. After watching the video, I don’t think it has anything to do with logical OR …

Lakshminarayanan Krishnan:
so, the first netpol:

  ingress:
  - from:
    - podSelector: {}
    ports:
    - protocol: TCP
      port: 80

ensures that ingress is allowed only from “all pods” on “port 80”

Lakshminarayanan Krishnan:
the question asks to “Create NetworkPolicy, by the name ingress-to-nptest that allows incoming connections to the service over port 80”

Lakshminarayanan Krishnan:
when you leave out the podSelector entry from the ingress rule, it enables ingress from all objects (removing the specific selection to pods only) … hopefully that makes sense

Edmund Kueh:
@Lakshminarayanan Krishnan wow, thanks for the experimentation…Got your explanation…

Lakshminarayanan Krishnan:
you can test this … apply the first netpol, and you’ll notice that you are not able to curl the service… however, if you deploy a pod and from within it, you execute a curl to the pod, that works

Lakshminarayanan Krishnan:
within the pod, the service still can’t be curl’d… but the pod can

Lakshminarayanan Krishnan:
enjoi :slightly_smiling_face:

Deekshith Hadil:
@Lakshminarayanan Krishnan What is Edmund doing wrong here?

I tested np-test-1 which works fine for me.

  1. Created a pod with nginx running
  2. Created a svc to expose the port.
  3. Created the np-test-1 networkpolicy
  4. Created another testpod from where I did curl, which works fine.

Lakshminarayanan Krishnan:
Edmund’s first policy restricts access to such: pod:80 -> pod:80

We want to be able to curl this way: anywhere:80 to service

Lakshminarayanan Krishnan:
with Edmund’s first netpol, you won’t be able to curl to the service from outside / anywhere

Lakshminarayanan Krishnan:
that is because the netpol restricts ingress to the selected pods to be only from pods (because it specifies podSelector: {} under ingress:)

Deekshith Hadil:
So problem is Edmund was using curl from outside of the pod?
From worker/master node to the pod:80 ?

Lakshminarayanan Krishnan:
that is the question … to be able to curl from anywhere (including internet) to be able to access the service