Edmund Kueh:
Hi, I am having a problem with the mock exam on network policy. Code snippet no. 1 is not working, as it is blocking connections on port 80, while code snippet no. 2 is the correct one. The only difference is the podSelector, which I have set to {}, which means selecting all pods.
# No 1
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
    ports:
    - protocol: TCP
      port: 80
# No 2
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  policyTypes:
  - Ingress
  ingress:
  - from:
    ports:
Lakshminarayanan Krishnan:
Need to test this one out…however…
Lakshminarayanan Krishnan:
Watch this video by Ahmet Balkan on NetPol: https://www.youtube.com/watch?v=3gGpMmYeEO8
Lakshminarayanan Krishnan:
He explains it clearly
Kicky:
@Edmund Kueh Can you do a describe of network policy no. 1 and see what it says?
Lakshminarayanan Krishnan:
@Edmund Kueh / @Kicky okay I figured it out just now
Edmund Kueh:
@Lakshminarayanan Krishnan Thx for sharing the video. After watching the video, I don’t think it has anything to do with logical OR …
Lakshminarayanan Krishnan:
so, the first netpol:
ingress:
- from:
  - podSelector: {}
  ports:
  - protocol: TCP
    port: 80
ensures that ingress is allowed only from "all pods" on "port 80"
Lakshminarayanan Krishnan:
the question asks to "Create NetworkPolicy, by the name ingress-to-nptest that allows incoming connections to the service over port 80"
Lakshminarayanan Krishnan:
when you leave out the podSelector entry from the ingress rule, it allows ingress from all sources (removing the restriction to pods only) … hopefully that makes sense
Edmund Kueh:
@Lakshminarayanan Krishnan wow, thanks for the experimentation…Got your explanation…
Lakshminarayanan Krishnan:
you can test this … apply the first netpol, and you'll notice that you are not able to curl the service… however, if you deploy a pod and, from within it, curl the pod directly, that works
Lakshminarayanan Krishnan:
within the pod, the service still can’t be curl’d… but the pod can
Lakshminarayanan Krishnan:
enjoi
Deekshith Hadil:
@Lakshminarayanan Krishnan What is Edmund doing wrong here?
I tested np-test-1 and it works fine for me.
- Created a pod with nginx running
- Created a svc to expose the port
- Created the np-test-1 networkpolicy
- Created another test pod from which I did a curl, which works fine
Lakshminarayanan Krishnan:
Edmund's first policy restricts access like this: pod:80 -> pod:80
We want to be able to curl this way: anywhere:80 -> service
Lakshminarayanan Krishnan:
with Edmund's first netpol, you won't be able to curl the service from outside / anywhere
Lakshminarayanan Krishnan:
that is because the netpol restricts ingress to the selected pods to be only from pods (because it specifies podSelector: {} under ingress:)
Deekshith Hadil:
So the problem is that Edmund was using curl from outside of the pod?
From a worker/master node to the pod:80?
Lakshminarayanan Krishnan:
that is the question … to be able to curl from anywhere (including the internet) and access the service