Hiiii, in kodekloud course (ckad), lightning lab1, second task, what was that? . . .

Romdhane:
Hiiii, in kodekloud course (ckad), lightning lab1, second task, what was that??? We were supposed to know why the connection cannot be established and not create a network policy, whyyyy??? What was blocking??

Abdelati EL ASRI:
Have you checked what netpols are in the cluster (k get netpol)? I think there is a default deny.

Romdhane:
Yess, I checked the network policies and there were none

unnivkn:
Hi @Romdhane please refer to the lightning lab solutions video

Romdhane:
@unnivkn in the lab, he didn’t troubleshoot the problem, he just created a network policy without saying why

unnivkn:
Hi @Romdhane fyi:

We have deployed a new pod called secure-pod and a service called secure-service. Incoming or Outgoing connections to
this pod are not working. Troubleshoot why this is happening.
Make sure that incoming connection from the pod webapp-color are successful.
Important: Don’t delete any current objects deployed.
Important: Don’t Alter Existing Objects!
Connectivity working?
Weight: 20

k get pods
##find svc port
k get svc

k exec -it webapp-color -- sh

nc -zvw 2 secure-service 80

operation timeout

k get netpol
default-deny

k describe netpol default-deny
Allowing Ingress none

k get netpol default-deny -o yaml > netpol.yaml

k get pods --show-labels
run=secure-pod
name=webapp-color

vim netpol.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-webapp
spec:
  podSelector:
    matchLabels:
      run: secure-pod
  policyTypes:
  - Ingress
  #- Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          name: webapp-color
    ports:
    - protocol: TCP
      port: 80

k apply -f netpol.yaml
k get netpol
k describe netpol allow-webapp

k exec -it webapp-color -- sh

nc -zvw 2 secure-service 80

secure-service (ip:80) open

Romdhane:
@unnivkn thanks for your effort, my problem is why the NC command timed out, we should know why in order to fix it , we won’t just create a network policy for that no?

unnivkn:
Hi @Romdhane timeout is due to the existing default deny network policy, which is not allowing any traffic. So we modified the default deny netpol to a new allow-webapp netpol, which allows ingress traffic.
k exec -it webapp-color -- sh

nc -zvw 2 secure-service 80

operation timeout

k get netpol
default-deny

k describe netpol default-deny
Allowing Ingress none

Romdhane:
@unnivkn That was my mistake, I misinterpreted the default network policy, thank you so much

unnivkn:
no worries… you're welcome 👍
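
Added example (not part of the thread or the KodeKloud lab): a simplified Python model of how NetworkPolicy ingress rules combine, showing why the `nc` probe timed out under `default-deny` and succeeded once `allow-webapp` was added. The `default-deny` spec is assumed to be the usual empty-selector form (its YAML is not shown in the thread), and only `podSelector` peers and ports are modelled.

```python
# Simplified model of Kubernetes NetworkPolicy ingress evaluation (added example).
# Namespaces, ipBlock peers and egress are out of scope.

def selects(selector, labels):
    """An empty selector ({}) matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def rule_allows(rule, src_labels, port):
    # A missing or empty "from"/"ports" means any source / any port.
    peers, ports = rule.get("from"), rule.get("ports")
    peer_ok = not peers or any(selects(p["podSelector"], src_labels) for p in peers)
    port_ok = not ports or any(p["port"] == port for p in ports)
    return peer_ok and port_ok

def ingress_verdict(policies, dst_labels, src_labels, port):
    """Return (allowed, names of ingress policies selecting the destination pod)."""
    isolating = [p for p in policies
                 if "Ingress" in p["policyTypes"] and selects(p["podSelector"], dst_labels)]
    if not isolating:
        return True, []  # no policy selects the pod, so it is not isolated
    # Policies are additive: one matching rule in any selecting policy is enough.
    allowed = any(rule_allows(r, src_labels, port)
                  for p in isolating for r in p.get("ingress", []))
    return allowed, [p["name"] for p in isolating]

# Constructed policies. default-deny is ASSUMED to select all pods with no
# ingress rules; allow-webapp mirrors the manifest posted in the thread.
DEFAULT_DENY = {"name": "default-deny", "podSelector": {}, "policyTypes": ["Ingress"]}
ALLOW_WEBAPP = {
    "name": "allow-webapp",
    "podSelector": {"matchLabels": {"run": "secure-pod"}},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"name": "webapp-color"}}}],
                 "ports": [{"protocol": "TCP", "port": 80}]}],
}
SECURE_POD = {"run": "secure-pod"}   # labels from `k get pods --show-labels`
WEBAPP = {"name": "webapp-color"}

if __name__ == "__main__":
    # Port 80 is assumed to be the pod's listening port as well as the service port.
    for policies in ([DEFAULT_DENY], [DEFAULT_DENY, ALLOW_WEBAPP]):
        print(ingress_verdict(policies, SECURE_POD, WEBAPP, 80))
```

Dropped packets produce a timeout rather than a refused connection, which is why the first check when a probe hangs is listing which policies select the destination pod.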