I cannot get to grips with this. How does the solution allow a pod from the prod-yx13cs namespace to access the redis-backend pod, given the solution beneath?
A pod called redis-backend has been created in the prod-x12cs namespace. It has been exposed as a service of type ClusterIP. Using a network policy called allow-redis-access, lock down access to this pod only to the following:
- Any pod in the same namespace with the label backend=prod-x12cs.
- All pods in the prod-yx13cs namespace.
All other incoming connections should be blocked.
Use the existing labels when creating the network policy.
Solution
Create a network policy using the YAML below:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-redis-access
  namespace: prod-x12cs
spec:
  podSelector:
    matchLabels:
      run: redis-backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              access: redis
        - podSelector:
            matchLabels:
              backend: prod-x12cs
      ports:
        - protocol: TCP
          port: 6379
Note the following:
root@controlplane ~ ➜ k get ns prod-yx13cs --show-labels
NAME          STATUS   AGE   LABELS
prod-yx13cs   Active   51s   access=redis,kubernetes.io/metadata.name=prod-yx13cs
So the label access=redis will match the prod-yx13cs namespace. It’s also the only namespace that will do so:
root@controlplane ~ ➜ k get ns -l access=redis
NAME          STATUS   AGE
prod-yx13cs   Active   4m49s
Thank you for your swift answer. However, I find the solution provided to be a bit weak, as you could easily label any namespace with access=redis, thus making the network policy somewhat easy to circumvent.
I thought that by using an immutable value like the “kubernetes.io/metadata.name” you would restrict the access to a specific namespace, and not just one that has a certain label. If the question was styled like “expose the service to any pod in a namespace with the label xyz…”, it would at least to me be clear that the network policy was geared towards labels, and not namespaces, as to me that is a big difference. At work we never traverse namespaces solely based on labels, as they are by nature very easy to manipulate. I would be very happy if you could set me straight here, as this question has bugged me for weeks.
Regards
Frode
Generally speaking you would use the kubernetes.io/metadata.name value. In the case of the mock exam, the grader wants to see you know that an arbitrary label will work, and therefore does not accept that particular answer.
You’d also, however, tend to restrict your users to particular namespaces as a security measure using RBAC according to “need to access”, which would also help with the problem you refer to.
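To make the two points in this thread concrete (why the posted policy admits every pod in prod-yx13cs, and what changes when the namespaceSelector keys on kubernetes.io/metadata.name rather than on access=redis), here is a small evaluator for the `from` section of a NetworkPolicy. It is an added example, not code from the thread or from Kubernetes: it models only matchLabels, namespaceSelector and podSelector, ignores matchExpressions, ipBlock, ports, egress and the CNI that actually enforces the policy, and the helper names and sample pods (including a constructed "scratch" namespace that someone has relabelled with access=redis) are invented for the example. The kubernetes.io/metadata.name label is set on every namespace by the API server, which is why the name-based selector cannot be satisfied by relabelling.

```python
# Added example (not from the original thread): evaluates the 'from' peers of
# the allow-redis-access policy against constructed sample pods.
# Helper names and sample data are hypothetical, not a Kubernetes API.


def selector_matches(selector, labels):
    """Every key/value in matchLabels must be present; {} matches everything."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(key) == value for key, value in wanted.items())


def peer_matches(peer, policy_ns, src):
    """One 'from' entry. A namespaceSelector and a podSelector inside the
    same entry must BOTH hold; a podSelector on its own is scoped to the
    policy's own namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False
    if ns_sel is not None:
        if not selector_matches(ns_sel, src["ns_labels"]):
            return False
    elif src["ns_name"] != policy_ns:
        return False
    return pod_sel is None or selector_matches(pod_sel, src["pod_labels"])


def ingress_allowed(policy, src):
    """Separate 'from' entries (and separate ingress rules) are OR-ed."""
    policy_ns = policy["metadata"]["namespace"]
    return any(
        peer_matches(peer, policy_ns, src)
        for rule in policy["spec"].get("ingress", [])
        for peer in rule.get("from", [])
    )


def make_policy(namespace_selector_labels):
    """The posted allow-redis-access policy, parameterised on its namespaceSelector."""
    return {
        "metadata": {"name": "allow-redis-access", "namespace": "prod-x12cs"},
        "spec": {
            "podSelector": {"matchLabels": {"run": "redis-backend"}},
            "policyTypes": ["Ingress"],
            "ingress": [{
                "from": [
                    {"namespaceSelector": {"matchLabels": namespace_selector_labels}},
                    {"podSelector": {"matchLabels": {"backend": "prod-x12cs"}}},
                ],
                "ports": [{"protocol": "TCP", "port": 6379}],
            }],
        },
    }


LABEL_POLICY = make_policy({"access": "redis"})                           # as posted
NAME_POLICY = make_policy({"kubernetes.io/metadata.name": "prod-yx13cs"})  # name-based variant

# Constructed sample sources. kubernetes.io/metadata.name is set by the API
# server on every namespace; access=redis is an ordinary user-applied label.
SOURCES = {
    "client-in-prod-yx13cs": {
        "ns_name": "prod-yx13cs",
        "ns_labels": {"access": "redis", "kubernetes.io/metadata.name": "prod-yx13cs"},
        "pod_labels": {"run": "client"},
    },
    "labelled-pod-in-prod-x12cs": {
        "ns_name": "prod-x12cs",
        "ns_labels": {"kubernetes.io/metadata.name": "prod-x12cs"},
        "pod_labels": {"backend": "prod-x12cs"},
    },
    "unlabelled-pod-in-prod-x12cs": {
        "ns_name": "prod-x12cs",
        "ns_labels": {"kubernetes.io/metadata.name": "prod-x12cs"},
        "pod_labels": {"run": "debug"},
    },
    # A third (constructed) namespace that has been labelled access=redis after the fact.
    "pod-in-relabelled-scratch": {
        "ns_name": "scratch",
        "ns_labels": {"access": "redis", "kubernetes.io/metadata.name": "scratch"},
        "pod_labels": {"run": "anything"},
    },
}


def evaluate(policy):
    """Map each sample source to whether the policy admits it."""
    return {name: ingress_allowed(policy, src) for name, src in SOURCES.items()}


if __name__ == "__main__":
    for label, policy in (("access=redis", LABEL_POLICY), ("metadata.name", NAME_POLICY)):
        print(f"namespaceSelector on {label}:")
        for name, allowed in evaluate(policy).items():
            print(f"  {name:32} {'ALLOW' if allowed else 'DENY'}")
```

Running it shows the posted policy admitting the relabelled "scratch" namespace, while the name-based variant admits only prod-yx13cs; both admit the backend=prod-x12cs pod in the policy's own namespace and deny the unlabelled one. The `peer_matches` helper also shows the detail that trips people up: the two entries under `from` are separate list items and therefore OR-ed, whereas a namespaceSelector and podSelector written inside a single entry would both have to match.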
> Generally speaking you would use the kubernetes.io/metadata.name value. In the case of the mock exam, the grader wants to see you know that an arbitrary label will work, and therefore does not accept that particular answer.

And what about the real CKS exam? Can we use kubernetes.io/metadata.name?
@alex.hha Probably. Read the questions carefully; usually they will make clear what they expect.