Afsal M A:
Can someone create a NetworkPolicy with the below details ?
Create a NetworkPolicy named allow-port-from-namespace in the existing namespace echo. Ensure that the new NetworkPolicy allows Pods in namespace my-app to connect to port 8080 of Pods in namespace echo.
Ensure the below
* does not allow access to Pods, which don't listen on port 8080
* does not allow access from Pods, which are not in namespace my-app
J.S.:
@Afsal M A: I believe, the network policy should look like below:
apiVersion: http://networking.k8s.io/v1|networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-port-from-namespace
namespace: echo
spec:
podSelector:
matchLabels: {}
policyTypes:
Waiting for the confirmation from rest of the team members as well.
Afsal M A:
@J.S. but there are no such labels name: my-app set on the Namespace my-app , In that case what will we do ?
J.S.:
@Afsal M A
I believe, pod labels is a mandate field and we cannot skip that. The workaroud would be, pleace a label on the pods and then apply this policy.
“While NetworkPolicy cannot target a namespace by its name with some object field, you can use the standardized label to target a specific namespace.”
FYI: https://kubernetes.io/docs/concepts/services-networking/network-policies/#targeting-a-namespace-by-its-name
Afsal M A:
@J.S. I think we can use like this.
- namespaceSelector:
matchLabels:
<http://kubernetes.io/metadata.name|kubernetes.io/metadata.name>: my-app
Afsal M A:
default labels are created when a namespace is created - in Kubernetes v1.21 <https://github.com/kubernetes/kubernetes/issues/88253#issuecomment-798793953>
J.S.:
@Afsal M A This should be the correct answer
apiVersion: http://networking.k8s.io/v1|networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-port-from-namespace
namespace: echo
spec:
podSelector:
matchLabels: {}
policyTypes:
To verify it, try creating a new namespace then run “kubectl get ns (namespace name) -o yaml”, you will see the name coloumn in that. That name is what we have selected in the above solution.
Daniel Henson:
In this case, the only label assigned by default to a namespace is its name, as shown here:
Afsal M A:
yes @Daniel Henson we need to use this
- namespaceSelector:
matchLabels:
<http://kubernetes.io/metadata.name|kubernetes.io/metadata.name>: my-app
Afsal M A:
@Daniel Henson but it is only available from the version V1.21
<https://github.com/kubernetes/kubernetes/issues/88253#issuecomment-798793953>
Daniel Henson:
Ah! I see. I missed that above. In that case, why not apply a label to the namespace yourself, so that your network policy can select it?
Afsal M A:
but in CKA exam, is it allowed to set the new labels on the namespaces if it is not there?
Daniel Henson:
So the rule of thumb for the exam is that if the question is asking you to do something, it is already possible to do it. In other words, if they expect you to select a namespace for a network policy, that namespace will already be labeled appropriately.
In fact, in some instances you are told explicitly not to change existing resources. Also keep in mind that the exam is running v1.22, so namespaces will be labeled by default. 
seand:
fun thread to read 
very helpful information, thanks all
i have some queries regarding the same topic,
Here the namespaceSelector: allowing the traffic from labelled namespace right?
in this case podSelector: {} is necessary ?
Thank You…!!!
Hi diegoashraf,
I think you replied to the wrong daniel. However, we’re all here to learn, so while this is probably above my current kcad course (or I’m just not at that part yet), i’ll try to answer the question.
If I take a quick look at kubectl explain networkpolicies.networking.k8s.io.spec.ingress.from, we can see the following entries:
namespaceSelector with empty podSelector will yield the same result as providing it without podSelector.
Also, be sure to note that there’s a difference in combining a namespaceSelector together with a podSelector, and providing a namespaceSelector AND podSelector. As can be read here Network Policies | Kubernetes.