CKS - Mock Exam 2 - Q1 - Validation wrong?

Could you please check the validation for CKS - Mock Exam 2 - Q.1 (NetworkPolicy)? The task asks to allow traffic from:

  1. Any pod in the same namespace with the label backend=prod-x12cs.
  2. All pods in the prod-yx13cs namespace.

But the solution uses different labels?

  podSelector:
    matchLabels:
      run: redis-backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          access: redis
    - podSelector:
        matchLabels:
          backend: prod-x12cs
    ports:
    - protocol: TCP
      port: 6379

I thought it should be function: redis-backend (as that is the only label available on the namespace prod-x12cs):

  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              function: redis-backend
        - podSelector:
            matchLabels:
              backend: prod-x12cs

Also, for the 2nd namespace (prod-yx13cs) we need to add another rule in the same NetPol, right?

    - from:
        - namespaceSelector:
            matchLabels:
              access: redis
      ports:
        - protocol: TCP
          port: 6379

Hi @ginigangadharan,
Thanks for your valuable input. One of our team members will check and update you.

Regards,
KodeKloud Support


Hi @ginigangadharan,

Thanks for asking the question.
In this question we only want to allow the pods with the label backend=prod-x12cs that exist in the namespace prod-x12cs.

Let’s observe:

  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              function: redis-backend
        - podSelector:
            matchLabels:
              backend: prod-x12cs

The above code snippet can be interpreted as:

allow traffic from all pods in any namespace with the label function: redis-backend (not needed) and from pods labelled prod-x12cs in the namespace where the network policy is created (needed to complete the task).

And yes, for the 2nd namespace (prod-yx13cs) we need to add another rule in the same NetPol.

A short definition from Kubernetes docs is as follows:

podSelector: This selects particular Pods in the same namespace as the NetworkPolicy which should be allowed as ingress sources or egress destinations.

Please take a look at the below link for an in-depth explanation:

Hope this helps.
Let us know if you have any other queries.

Regards,
Team Kodekloud
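To make the selector semantics discussed in this thread concrete, here is an added example that is not part of the original posts and not KodeKloud's or Kubernetes' code: a small Python evaluator for the ingress `from:` semantics of a NetworkPolicy. Policies are plain dicts mirroring the YAML (no PyYAML or cluster needed). The policy namespace (prod-x12cs), the namespace labels and the policy name are assumptions and constructed sample data based on what the thread describes. It compares the accepted solution, the variant proposed in the question, and a third layout with both selectors in one entry, which the thread does not show but which is the usual source of confusion: separate list entries are ORed, while selectors inside a single entry are ANDed.

```python
# Added example (not from the thread or from KodeKloud): evaluator for the
# ingress "from" semantics of a Kubernetes NetworkPolicy, on dicts that
# mirror the YAML. All namespace names, labels and the policy namespace
# below are constructed sample data; the policy name is a placeholder.

POLICY_NS = "prod-x12cs"  # assumed: namespace the NetworkPolicy is created in

# Constructed namespace labels, following what the thread describes.
NS_LABELS = {
    "prod-x12cs": {"function": "redis-backend"},
    "prod-yx13cs": {"access": "redis"},
    "dev": {"team": "dev"},
}


def selector_matches(selector, labels):
    """matchLabels matches when every requested key/value is present.
    An empty selector ({}) matches everything, as in Kubernetes."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_allows(peer, policy_ns, src_ns, src_pod_labels):
    """One entry of a `from:` list. Inside a single entry, namespaceSelector
    and podSelector are ANDed; a podSelector on its own only selects pods
    in the policy's own namespace."""
    has_ns, has_pod = "namespaceSelector" in peer, "podSelector" in peer
    if not (has_ns or has_pod):
        return False
    if has_ns and not selector_matches(peer["namespaceSelector"], NS_LABELS.get(src_ns, {})):
        return False
    if has_pod:
        if not has_ns and src_ns != policy_ns:
            return False
        if not selector_matches(peer["podSelector"], src_pod_labels):
            return False
    return True


def ingress_allowed(policy, src_ns, src_pod_labels, port, protocol="TCP"):
    """True if some ingress rule admits the source on the given port.
    Entries in one rule's `from:` list are ORed, and rules are ORed too."""
    policy_ns = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress", []):
        ports = rule.get("ports")
        if ports and not any(p.get("protocol", "TCP") == protocol and p.get("port") == port
                             for p in ports):
            continue
        peers = rule.get("from")
        if not peers:  # a missing or empty `from:` matches all sources
            return True
        if any(peer_allows(pe, policy_ns, src_ns, src_pod_labels) for pe in peers):
            return True
    return False


def make_policy(from_peers):
    """Build the policy from the thread with a given `from:` list."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "redis-netpol-example", "namespace": POLICY_NS},  # placeholder name
        "spec": {
            "podSelector": {"matchLabels": {"run": "redis-backend"}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": from_peers, "ports": [{"protocol": "TCP", "port": 6379}]}],
        },
    }


# The accepted solution: two separate entries, so the conditions are ORed.
SOLUTION = make_policy([
    {"namespaceSelector": {"matchLabels": {"access": "redis"}}},
    {"podSelector": {"matchLabels": {"backend": "prod-x12cs"}}},
])

# The variant proposed in the question: admits every pod in any namespace
# labelled function=redis-backend, which is broader than the task asks for.
QUESTION_VARIANT = make_policy([
    {"namespaceSelector": {"matchLabels": {"function": "redis-backend"}}},
    {"podSelector": {"matchLabels": {"backend": "prod-x12cs"}}},
])

# Both selectors inside ONE entry: ANDed, so only backend=prod-x12cs pods
# that live in access=redis namespaces are admitted.
COMBINED_VARIANT = make_policy([
    {"namespaceSelector": {"matchLabels": {"access": "redis"}},
     "podSelector": {"matchLabels": {"backend": "prod-x12cs"}}},
])

if __name__ == "__main__":
    cases = [
        ("backend pod, same ns", "prod-x12cs", {"backend": "prod-x12cs"}),
        ("web pod, same ns", "prod-x12cs", {"app": "web"}),
        ("any pod in prod-yx13cs", "prod-yx13cs", {"app": "web"}),
        ("backend-labelled pod in dev", "dev", {"backend": "prod-x12cs"}),
    ]
    for name, ns, labels in cases:
        print(f"{name:30} solution={ingress_allowed(SOLUTION, ns, labels, 6379)!s:5} "
              f"question={ingress_allowed(QUESTION_VARIANT, ns, labels, 6379)!s:5} "
              f"combined={ingress_allowed(COMBINED_VARIANT, ns, labels, 6379)}")
```

Running it shows the point made in the reply: with the question's variant, a plain `app=web` pod in prod-x12cs is admitted because the whole namespace matches `function: redis-backend`, whereas the accepted solution admits only the `backend=prod-x12cs` pods there. It also shows why a `podSelector` alone never reaches into another namespace (the dev case), and why neither layout admits prod-yx13cs unless a namespaceSelector for it is present in the same policy.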

Great, noted. I missed those lines :slight_smile:

And yes, for the 2nd namespace (prod-yx13cs) we need to add another rule in the same NetPol.

Hope you will fix it later.
