Quick question on question Mock Exam 5. We have deployed a new pod called np- . . .

Yanhua Li:
quick question on question Mock Exam 5.

We have deployed a new pod called np-test-1 and a service called np-test-service. Incoming connections to this service are not working. Troubleshoot and fix it.
Create NetworkPolicy, by the name ingress-to-nptest that allows incoming connections to the service over port 80
Important: Don’t delete any current objects deployed.

controlplane $ kubectl describe networkpolicy ingress-to-nptest
Name: ingress-to-nptest
Namespace: default
Created on: 2021-03-14 18:23:46 +0000 UTC
Labels: <none>
Annotations:
Spec:
PodSelector: run=np-test-1
Allowing ingress traffic:
To Port: 80/TCP
From: <any> (traffic not restricted by source)
Not affecting egress traffic
Policy Types: Ingress
controlplane $

But when I tried to test the policy, I don’t see the service available on port 80 from test pod.

controlplane $ kubectl run test --image busybox -it --rm --restart=Never -- nslookup np-test-service
If you don’t see a command prompt, try pressing enter.
*** Can’t find np-test-service.svc.cluster.local: No answer
*** Can’t find np-test-service.cluster.local: No answer
*** Can’t find np-test-service.default.svc.cluster.local: No answer
*** Can’t find np-test-service.svc.cluster.local: No answer
*** Can’t find np-test-service.cluster.local: No answer

pod “test” deleted
pod default/test terminated (Error)
controlplane $ ^C
controlplane $ kubectl run test --image busybox -it --rm --restart=Never -- telnet 10.40.0.2 80
If you don’t see a command prompt, try pressing enter.
Connection closed by foreign host
pod “test” deleted
pod default/test terminated (Error)

Please let me know if I am wrong in the policy definition or the test of the service.

Mohamed Ayman:
Port 53 is used to be able to reach the service using a service name instead of IP. Try to use FQDN for the POD.

Mohamed Ayman:
Check the following:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-to-nptest
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
    ports:
    - protocol: TCP
      port: 80
  - ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

Yanhua Li:
Hi MAyman, with an empty podSelector for the first ingress rule, it will deny any pod from accessing this np-test-1 pod.

Yanhua Li:
controlplane $ kubectl describe networkpolicy ingress-to-nptest
Name: ingress-to-nptest
Namespace: default
Created on: 2021-03-14 20:17:04 +0000 UTC
Labels: <none>
Annotations:
Spec:
PodSelector: run=np-test-1
Allowing ingress traffic:
To Port: 80/TCP
From:
PodSelector: <none>
----------
To Port: 53/TCP
To Port: 53/UDP
From: <any> (traffic not restricted by source)
Not affecting egress traffic
Policy Types: Ingress

Yanhua Li:
Now I am on the tsadminserver

What I did is below to allow all pods to access port 80 on the pod matching label "run=np-test-1":

ingress:
- ports:
  - protocol: TCP
    port: 80

Yanhua Li:
Hi @Mohamed Ayman it seems I have the right policy. It is just that telnet np-test-service 80 doesn’t work on a busybox:1.28 test pod. But using “nc -z -n -w 4 np-test-service 80” and “nc -z -n -w 4 IPOFSERVICE 80” do work after sh to the test pod. The question to me is why telnet to port 80 is not working
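Added example, not part of the thread or of the course material: a small Python model of NetworkPolicy ingress evaluation, written to show exactly how the two rule shapes discussed above differ. The names `Source`, `ingress_allowed`, `evaluate` and the sample pods and IPs are constructed for the example, and the model covers `podSelector`, `namespaceSelector` and `ipBlock` peers with `matchLabels` only (no `matchExpressions`, and no combination with other policies). Two points it makes concrete: `from: [podSelector: {}]` admits every pod in the policy's own namespace but nothing outside it, whereas a rule with `ports` only and no `from` admits any source on those ports; and because the policy selects only `run=np-test-1`, the port 53 rules in the earlier manifest govern traffic into np-test-1, not the test pod's DNS lookups, which go to the cluster DNS pods (the failed nslookup is an image issue, as noted later in the thread).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Source:
    """Origin of a connection; namespace=None models a client outside the cluster (hypothetical)."""
    ip: str
    namespace: Optional[str] = None
    labels: dict = field(default_factory=dict)


# Constructed namespace labels used by namespaceSelector matching (not from the thread).
NAMESPACE_LABELS = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "other": {"kubernetes.io/metadata.name": "other"},
}


def selector_matches(selector, labels):
    """matchLabels only; an empty selector ({}) matches every object."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, src, policy_ns):
    """One entry of a rule's `from` list against a source."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(src.ip)
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
    if src.namespace is None:            # pod/namespace selectors never match external clients
        return False
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:     # no namespaceSelector: the policy's own namespace only
        return False
    return selector_matches(peer.get("podSelector"), src.labels) if "podSelector" in peer else True


def port_matches(rule, port, protocol):
    ports = rule.get("ports") or []
    if not ports:                        # no ports listed: the rule applies to every port
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def ingress_allowed(policy, dst_labels, src, port, protocol="TCP"):
    """True if traffic from src to a pod with dst_labels on port/protocol passes this policy."""
    spec = policy["spec"]
    policy_ns = policy["metadata"].get("namespace", "default")
    if not selector_matches(spec.get("podSelector", {}), dst_labels):
        return True                      # policy does not select the destination: no restriction from it
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True
    for rule in spec.get("ingress") or []:
        if not port_matches(rule, port, protocol):
            continue
        peers = rule.get("from") or []   # empty or missing `from`: any source
        if not peers or any(peer_matches(p, src, policy_ns) for p in peers):
            return True
    return False                         # selected pod, Ingress type, no matching rule: isolated


def make_policy(ingress_rules):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "ingress-to-nptest", "namespace": "default"},
            "spec": {"podSelector": {"matchLabels": {"run": "np-test-1"}},
                     "policyTypes": ["Ingress"], "ingress": ingress_rules}}


# Rule shape with `podSelector: {}` under `from`: all pods in the policy's namespace.
SAME_NAMESPACE_PODS = make_policy([{"from": [{"podSelector": {}}],
                                    "ports": [{"protocol": "TCP", "port": 80}]}])
# Rule shape with `ports` only and no `from`: any source on TCP/80.
ANY_SOURCE = make_policy([{"ports": [{"protocol": "TCP", "port": 80}]}])

NP_TEST_1 = {"run": "np-test-1"}
# Constructed sources; the addresses are made up for the example.
TEST_POD = Source("10.40.0.5", "default", {"run": "test"})
OTHER_NS_POD = Source("10.40.1.7", "other", {"app": "x"})
EXTERNAL = Source("192.168.1.10")


def evaluate(policy):
    """Map each sample source to whether it may reach np-test-1 on TCP/80 under the policy."""
    return {name: ingress_allowed(policy, NP_TEST_1, src, 80)
            for name, src in [("test-pod", TEST_POD), ("other-ns-pod", OTHER_NS_POD),
                              ("external", EXTERNAL)]}


if __name__ == "__main__":
    print("from podSelector {}:", evaluate(SAME_NAMESPACE_PODS))
    print("ports only        :", evaluate(ANY_SOURCE))
```

The test pod in `default` is admitted by both shapes, which is why the `nc` checks from the thread succeed either way; the shapes only diverge for pods in other namespaces and for clients outside the cluster, which is the difference to keep in mind when the task says "allows incoming connections to the service" without restricting the source.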

Manikanta Reddy Buchi:
The latest busybox image has issues. Here is the reference:
https://github.com/docker-library/busybox/issues/48
From the documentation: https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/

You can use the dnsutils image for DNS-related debugging.
I have faced the same issue in Mock Exam 2 and found only the busybox:1.28 version working.