Mock test 3, question 5, For me it is unclear of which traffic the question is a . . .

Mayur Sharma:
Mock test 3, question 5. For me it is unclear which traffic the question is asking about; there is no clarity on which traffic is allowed to the pod np-test-1. Is it
• all pods from all namespaces, OR,

ingress:
  - from:
    - namespaceSelector: {}

• pods within the namespace (default)

ingress:
  - from:
    - podSelector: {}

@Mumshad Mannambeth @Tej_Singh_Rana @Vijin Palazhi Can you please clarify, or help me understand where it is stated that only default-namespace pods are allowed to connect to the np-test-1 pod?
Kindly advise.

Vijin Palazhi:
Hi Mayur, if a specific namespace or “all namespace” is not specified, stick to the default namespace or the namespace the target pod is created in.

Mayur Sharma:
@Vijin Palazhi Yes, but in the solution video the following YAML is used, which allows all the traffic from all namespaces:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: default
  name: ingress-to-nptest
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  ingress:
  - ports:
    - port: 80
      protocol: TCP

This creates confusion about whether the question asked for the default namespace or for all namespaces.

Vijin Palazhi:
I see - I will update the question then. Thanks for pointing that out. I should have looked at your question better - “since no specific namespace is mentioned, the expectation is that traffic from any pod in any namespace should work”.

Mayur Sharma:
Thanks @Vijin Palazhi for the clarification! :pray:

Mayur Sharma:
@Vijin Palazhi, just want to confirm one more thing: the following ingress would accept traffic from all pods of all namespaces, right?

ingress:
  - from:
    - namespaceSelector: {}

Vijin Palazhi:
Correct. namespaceSelector: {} should target all pods in all namespaces.

Mayur Sharma:
@Vijin Palazhi Thanks !!

Vijin Palazhi:
No problem.
The solution you pasted above: just by looking at this config, since a namespace selector is not specified, does it actually allow traffic from all namespaces? Did you test that in your attempt?

Vijin Palazhi:
Ah yes. That is a good resource for network policy practice.

Mayur Sharma:
Which solution are you referring to? Please paste it again.

Vijin Palazhi:
The one you pasted here:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: default
  name: ingress-to-nptest
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  ingress:
  - ports:
    - port: 80
      protocol: TCP

Vijin Palazhi:
This should only allow the default namespace, shouldn't it?

Mayur Sharma:
It allows all traffic from all namespaces. I tested it in the lab:
• created the namespace other
• created a temp pod and ran nc -z -v -w <service name> 80
It returned open.

Vijin Palazhi:
I see. I would also recommend you test the same after removing the netpol you created…
The weave plugin in the labs sometimes does act up and does not enforce the policy.

Something we are aiming to fix as part of the upgrade to the new labs soon.

Mayur Sharma:
Yeah, I also noticed that the weave plugin was in an error state in that lab.

Mayur Sharma:
Sure, will test it again.

Vijin Palazhi:
That means the netpol was not enforced (even if your configuration is correct).
I think the solution (under normal working conditions) will only restrict the connectivity to the default namespace (and not open to all).

Mayur Sharma:
I am basically confused and want to know what to remember going forward :slightly_smiling_face:

So, back to stage 1, you are saying:

“if a specific namespace or “all namespace” is not specified, stick to the default namespace or the namespace the target pod is created in.”

Vijin Palazhi:
This question, looking at the solution, does expect incoming connections from the same namespace. But I can see that it's not clearly explained in the question, so I will update it now so that it is not ambiguous.