Hi KodeKloud Team:
In the CKA mock exam 3 (Ultimate Certified Kubernetes Administrator (CKA) Mock Exam Series Course | KodeKloud), question 19 uses this as a solution:
  - ports:
    - port: 80
      protocol: TCP
    to:
    - ipBlock:
        cidr: 0.0.0.0/0
Why is it not like this:
  - ports:
    - port: 80
      protocol: TCP
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
I don’t think the 2nd one is even legal. Look at the object hierarchy; an egress block is a list of “egress rules”, which are objects that can contain a “ports” and a “to” sub-block.
Your example #1 is a legal egress rule: it has “ports” and “to” at the same level. Example #2 is not: it has two port items under “ports”, one of which illegally has a “to” sub-block. This will not parse correctly.
Hi @rob_kodekloud
Thanks for the reply. Now I know that it is a sub-block. But I’m not sure why that syntax works. In the first example I’m seeing the YAML like this:
There is a field named ports, which has a list with port: 80 and protocol: TCP. Then there is the “to”, which has another list with ipBlock and its cidr content. But I’m not sure why the “to” is a sub-block, because in the second example there should be two lists with their content (two separate blocks). Why in the first example is it a sub-block and not two separate fields like the second one? I don’t get it.
Have a nice evening!
Probably the best approach here is to become pretty familiar with kubectl explain netpol.spec. You want to break down YAML syntax in something like network policy into its “constituent parts”. For an egress block, this looks like this:
$ k explain netpol.spec.egress
GROUP: networking.k8s.io
KIND: NetworkPolicy
VERSION: v1
FIELD: egress <[]NetworkPolicyEgressRule>
DESCRIPTION:
egress is a list of egress rules to be applied to the selected pods.
Outgoing traffic is allowed if there are no NetworkPolicies selecting the
pod (and cluster policy otherwise allows the traffic), OR if the traffic
matches at least one egress rule across all of the NetworkPolicy objects
whose podSelector matches the pod. If this field is empty then this
NetworkPolicy limits all outgoing traffic (and serves solely to ensure that
the pods it selects are isolated by default). This field is beta-level in
1.8
NetworkPolicyEgressRule describes a particular set of traffic that is
allowed out of pods matched by a NetworkPolicySpec's podSelector. The
traffic must match both ports and to. This type is beta-level in 1.8
FIELDS:
ports <[]NetworkPolicyPort>
ports is a list of destination ports for outgoing traffic. Each item in this
list is combined using a logical OR. If this field is empty or missing, this
rule matches all ports (traffic not restricted by port). If this field is
present and contains at least one item, then this rule allows traffic only
if the traffic matches at least one port in the list.
to <[]NetworkPolicyPeer>
to is a list of destinations for outgoing traffic of pods selected for this
rule. Items in this list are combined using a logical OR operation. If this
field is empty or missing, this rule matches all destinations (traffic not
restricted by destination). If this field is present and contains at least
one item, this rule allows traffic only if the traffic matches at least one
item in the to list.
People look at where the dashes get inserted, and sort of miss the point. The dashes just indicate an item in a list. But a list of what? It tells you: “egress rules”. And what is an “egress rule”? It’s an object that has two fields, each of which is optional: “to” and “ports”.
To get an idea of all of the fields, you drill down using k explain:
$ k explain netpol.spec.egress.ports
GROUP: networking.k8s.io
KIND: NetworkPolicy
VERSION: v1
FIELD: ports <[]NetworkPolicyPort>
which tells you what is legal in this sub-block. But that’s how to build a mental picture of how the YAML is structured: figure out what the blocks are, and what the blocks inside those blocks are. And use k explain to help understand what those are.
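As an added illustration (not part of the thread or of KodeKloud's course material), here is a small Python check that walks both snippets from the question against the field names that kubectl explain lists for the NetworkPolicy v1 egress types. The dicts are what a YAML parser produces for each snippet, and the SCHEMA table is a hand-written subset of the API, not the real apiserver validation; it shows that the extra dash turns `to` into a second, invalid item of the `ports` list.

```python
# Field names of the NetworkPolicy v1 API (a hand-written subset, assumed to
# match `kubectl explain netpol.spec.egress` and its sub-fields).
SCHEMA = {
    "NetworkPolicyEgressRule": {"ports": "[]NetworkPolicyPort",
                                "to": "[]NetworkPolicyPeer"},
    "NetworkPolicyPort": {"port": "scalar", "protocol": "scalar",
                          "endPort": "scalar"},
    "NetworkPolicyPeer": {"ipBlock": "IPBlock",
                          "namespaceSelector": "LabelSelector",
                          "podSelector": "LabelSelector"},
    "IPBlock": {"cidr": "scalar", "except": "[]scalar"},
    "LabelSelector": {"matchLabels": "map", "matchExpressions": "[]map"},
}


def check(value, kind, path="egress"):
    """Walk `value` against `kind`; return a list of 'path: problem' strings."""
    errors = []
    if kind.startswith("[]"):
        if not isinstance(value, list):
            return [f"{path}: expected a list of {kind[2:]}"]
        for i, item in enumerate(value):
            errors += check(item, kind[2:], f"{path}[{i}]")
        return errors
    if kind in ("scalar", "map"):
        return errors  # leaf values are not type-checked here
    if not isinstance(value, dict):
        return [f"{path}: expected a {kind} object"]
    fields = SCHEMA[kind]
    for name, sub in value.items():
        if name not in fields:
            errors.append(f"{path}: unknown field '{name}' for {kind}")
        else:
            errors += check(sub, fields[name], f"{path}.{name}")
    return errors


# Snippet 1 from the question: one egress rule with `ports` and `to` as siblings.
EGRESS_OK = [
    {"ports": [{"port": 80, "protocol": "TCP"}],
     "to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]},
]
# Snippet 2: the extra dash makes `to` a second item *inside* the ports list.
EGRESS_BAD = [
    {"ports": [{"port": 80, "protocol": "TCP"},
               {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]},
]

if __name__ == "__main__":
    for label, rules in (("snippet 1", EGRESS_OK), ("snippet 2", EGRESS_BAD)):
        print(label, "->", check(rules, "[]NetworkPolicyEgressRule") or "valid")
```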
Thank you so much @rob_kodekloud for this reply. I didn’t know the k explain command either. Now I get it when you say it’s an object.
Once again thanks very much!
Have a nice weekend