Clarification request for lecture - _*Developing network policies*_ at *10:33 . . .

Kubernetes-Slack Discussions
#1

R:
Clarification request for lecture - Developing network policies at 10:33 -10:44 min mark
Given that the network policy is created in prod namespace:

  1. Ingress from pods in test and dev namespaces is not allowed for the below policy. The first rule only allows traffic from api-pod in the prod namespace as the network policy is created in prod namespace and policy doesn’t mention the namespaceSelector. Is it correct understanding ?
  2. If yes, then two dotted lines from pods in test and dev namespaces shouldn’t be there. “Almost traffic from anywhere is allowed to db pod” as mentioned in the lecture might not be clear given the policy below:
apiVersion: <http://networking.k8s.io/v1|networking.k8s.io/v1>
kind: NetworkPolicy
metadata:
  name: db-policy
  namespace: prod
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          name: api-pod
    - namespaceSelector
        matchLabels:
          name: prod
    - ipBlock:
        cidr: 192.168.5.10/32
    ports:
    - protocol: TCP
      port: 3306
#2

Mohamed Ayman:
The policy only allows traffic from api-pod in prod namespace and IP addresses in 192.168.5.10/32 CIDR, it doesn’t allow traffic from other pods or namespaces. If you want to allow traffic from other pods or namespaces, you need to add them to the policy.

#3

Santosh Kaluskar:
In this NetPol, the from list contains three elements. In such cases, each element is processed as OR. So here,
• pod with label role: db will receive traffic from a pod with name: api-pod label in same namespace .
• All the POds in the prod namespace.
• from IP range 92.168.5.10/32
All ingress for above will be limited to port 3306.

You can read more on this in <Network Policies | Kubernetes…-,It%20contains%20two%20elements%20in%20the%20from%20array%2C%20and%20allows%20connections%20from%20Pods%20in%20the%20local%20Namespace%20with%20the%20label%20role%3Dclient%2C%20or%20from%20any%20Pod%20in%20any%20namespace%20with%20the%20label%20user%3Dalice.,-When%20in%20doubt|the docs>