Codruta Pasla:
In lighting lab 1 we have that netpol default-deny. Why can’t we just modify the existing policy? In the solutions section, I saw that another policy was created.
Alistair Mackay:
Correct.
I believe the question states that you shouldn’t modify the default policy.
In the interest of security, you put a default deny in the namespace, then you permit certain traffic to and from selected pods by adding specific policies for them.
Basically doing it that way makes you think about security more.
Allowing everything then making specific deny polices is less secure than denying everything and allowing only specific traffic.
Codruta Pasla:
It makes more sense now, thanks