Egress in ex. 19 of "Lab: CKA Mock Exam 3"

Hello, I do not understand why we need to look at and modify the egress in the network policy in the exercise in question.

The netpol is linked to pod cyan-app-cka28-trb and we need to modify it to allow/deny incoming connections to the pod.

kind: NetworkPolicy
# ...
spec:
  podSelector:
    matchLabels:
      app: cyan-app-cka28-trb

So why does the solution want a change to the Egress part as well?

I applied the changes to the ingress and to the port, as shown below, and the curl works fine. But the exercise is marked as not passed.

k describe netpol cyan-np-cka28-trb -n cyan-ns-cka28-trb
Name:         cyan-np-cka28-trb
Namespace:    cyan-ns-cka28-trb
Created on:   2024-12-15 12:52:52 +0000 UTC
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=cyan-app-cka28-trb
  Allowing ingress traffic:
    To Port: 80/TCP
    From:
      NamespaceSelector: kubernetes.io/metadata.name=default
      PodSelector: app=cyan-white-cka28-trb
  Allowing egress traffic:
    To Port: 80/TCP
    To: <any> (traffic not restricted by destination)
  Policy Types: Ingress, Egress

Thanks

Hi Mundofik,

The application listens on port 80, so we need to update the egress rules to allow external requests on port 80.

Everything seems fine on my end. Could you please try again? Let me know if you have any questions.

If the application (the pod) listens on port 80, then "listens" means for incoming connections, i.e. ingress. Why do we need to touch the egress at all? I do not get it.
Thanks.

Yes, you’re correct—we don’t need to set egress here, and we still meet the requirements from the question, as the validation accepts it. You can see in the screenshot below that I set egress to allow all, and it still passed the question. However, please note that if the question specifies something like not removing the egress policy or allowing/restricting egress on certain ports, we should follow those requirements to pass. Hope this helps!
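As an added illustration (not part of the thread or the lab's solution), the following Python model evaluates NetworkPolicy rules for the pods, namespaces and ports shown in the describe output above: a new connection needs the source pod's egress and the destination pod's ingress to allow it, so the cyan pod's egress rules only matter for connections the cyan pod itself opens. The `other` pod, the class and function names, and matching namespaces by name are assumptions of this model.

```python
from dataclasses import dataclass, field, replace

@dataclass
class Pod:
    namespace: str
    labels: dict

@dataclass
class Rule:
    ports: set                 # allowed destination TCP ports
    peer_ns: str = None        # None = any namespace (matched by name, a simplification)
    peer_labels: dict = None   # None = any pod; ns and labels in one rule are ANDed

@dataclass
class Policy:
    namespace: str
    pod_selector: dict
    policy_types: set
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)

def matches(labels, selector):
    return all(labels.get(k) == v for k, v in selector.items())

def direction_allows(pod, peer, port, policies, direction):
    """Check one direction ("ingress" or "egress") of `pod` against `peer`."""
    selecting = [p for p in policies if direction.capitalize() in p.policy_types
                 and p.namespace == pod.namespace
                 and matches(pod.labels, p.pod_selector)]
    if not selecting:
        return True            # no policy isolates this pod in this direction
    return any(port in r.ports
               and r.peer_ns in (None, peer.namespace)
               and (r.peer_labels is None or matches(peer.labels, r.peer_labels))
               for p in selecting for r in getattr(p, direction))

def connection_allowed(src, dst, port, policies):
    # A new connection needs the source's egress AND the destination's ingress.
    # Replies on an allowed connection are permitted implicitly.
    return (direction_allows(src, dst, port, policies, "egress")
            and direction_allows(dst, src, port, policies, "ingress"))

# Pods and policy follow the describe output; `other` is a constructed pod.
cyan = Pod("cyan-ns-cka28-trb", {"app": "cyan-app-cka28-trb"})
white = Pod("default", {"app": "cyan-white-cka28-trb"})
other = Pod("default", {"app": "other"})
np = Policy(cyan.namespace, cyan.labels, {"Ingress", "Egress"},
            ingress=[Rule({80}, "default", white.labels)], egress=[Rule({80})])
np_no_egress = replace(np, egress=[])   # same ingress, all egress from cyan denied
```

With `np_no_egress` the inbound request from the white pod to cyan on port 80 is still allowed, while a connection opened by cyan to port 80 elsewhere is blocked.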