Hi team, why we are using the "pod selectors" in the solution of below network p . . .

Mohamad Alhussein:
Hi team, why are we using the “pod selectors” in the solution of the network policy question below in the course’s practice test? We were asked to allow the egress traffic to the “service” and not to the “pod”. I think we should use CIDR IP addresses in the “to” field of the netpol rather than the pod selectors of the pods themselves. What do you think, guys? Maybe the question should be reworded to say “to payroll pod” instead of “to payroll-service”, for example?

Alistair Mackay:
It is a question of semantics. In the real exam it is likely to be worded similarly if the target is a group of pods behind a service, e.g. a deployment.

The calling application (internal) in this case calls the DNS address of the service, but a Kubernetes service is a logical entity only. Network policies apply to pods or namespaces, and always to these when referring to Kubernetes objects.
Pod, and even service, IPs could change over time, making a CIDR ineffective, but pod labels do not unless you edit them yourself.

The implication in the question is “The pods represented by the given service”, so the netpol selector is the same as the service selector.

See also https://kubernetes.io/docs/concepts/services-networking/network-policies/#what-you-can-t-do-with-network-policies-at-least-not-yet

Mohamad Alhussein:
Thank you very much @Alistair Mackay, I got you, no issues. So in all cases we use pod selectors or namespace selectors even if the question is talking about a service. CIDR will be used only for entities outside the Kubernetes environment (e.g. a backup server).

Alistair Mackay:
Yes

Mohamad Alhussein:
Much appreciated, it is clear now :+1:
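The rule worked out in the exchange above, as an added example that is not from the course or from either poster: the egress rule "to payroll-service" mirrors the Service's own pod selector, while an ipBlock is reserved for the out-of-cluster backup server. The namespace `finance`, the labels, the port numbers, the `10.20.30.0/24` range and the kube-dns labels are all assumptions.

```yaml
# Added example, not from the course or the thread above. Namespace, labels,
# port numbers and the 10.20.30.0/24 backup-server range are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: payroll-service
  namespace: finance
spec:
  selector:
    app: payroll          # the Service is only a label-based lookup
  ports:
    - port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-egress
  namespace: finance
spec:
  podSelector:
    matchLabels:
      app: internal       # the calling application's pods
  policyTypes:
    - Egress
  egress:
    # "to payroll-service": reuse the Service's selector, not its ClusterIP.
    - to:
        - podSelector:
            matchLabels:
              app: payroll
      ports:
        - protocol: TCP
          port: 8080
    # Resolving payroll-service.finance.svc still needs DNS egress (assumed
    # CoreDNS labels); without it the lookup fails even though the pod rule is right.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    # CIDR only for an entity outside the cluster, e.g. the backup server.
    - to:
        - ipBlock:
            cidr: 10.20.30.0/24
```

A bare podSelector under `to` only matches pods in the policy's own namespace; if the payroll pods lived elsewhere, the rule would need a namespaceSelector alongside it.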