Network Policies doubts and questions

Mundofik · December 20, 2024, 4:41pm

Hello,
I am very confused with the topic in object and would like to get some clarification.
I read the k8s docs and watched some videos, but the examples shown are always too easy and quite understandable.

By default all pods can communicate between them, right? We do not need a network policy for that.
So if I create a netpol is to block or deny some connection(s) between pods.

If the exercise says:
I have a deployment my-deploy with label selector app=my-app and I have to create a network policy for its pod to:

a/ Allow incoming traffic only from pods.
b/ Allow incoming traffic from a specific pod with the label app=trusted
c/ Allow outgoing traffic to pods.
d/ Deny all other incoming and outgoing traffic.

What is it asking/saying in reality?

a/ and c/ are already true by default, so no network policy is needed.
d/ If all incoming traffic and all outgoing traffic are allowed, what has to be blocked? What is the meaning of “all other traffic”?

For b/ I can use something like

 ingress:
  - from:
    - podSelector:
        matchLabels:
          app: trusted
      namespaceSelector: {}

My questions are:
With such rule will be allowed only the incoming traffic from pods with label app=trusted in any namespace (and the rest is blocked, see points a and c)
OR will the rest (see points a and c) still be allowed by default?

Then, what will the netpol below do, will it comply with the exercise description?

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-app-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: trusted
       namespaceSelector: {}
    - podSelector: {}
       namespaceSelector: {}
  egress:
  - to:
    - podSelector: {}
       namespaceSelector: {}

Thanks in advance.

Mundofik · December 20, 2024, 4:55pm

I have read this thread and have a similar solution posted there too, but it is not working for some reason.
I have also used https://orca.tufin.io to verify my policy and it seems it is good.

The question on whether to use the 2 - from for the OR or just the 2 - is still there for me.

ingress:
    - from:
        - podSelector: {}
           namespaceSelector: {}
    - from:
        - podSelector:
            matchLabels:
              app: trusted
          namespaceSelector: {}

VS.

- from:
    - podSelector:
        matchLabels:
          app: trusted
       namespaceSelector: {}
    - podSelector: {}
       namespaceSelector: {}

rob_kodekloud · December 20, 2024, 7:05pm

I believe that both of your possibilities will work – they will end up generating the same firewall rules.

As as general strategy for learning the topic, I’d note that you have a KodeKloud subscription, since you’ve been doing Ultimate Mock Exam labs. This means that you also have access to a short course we have on network policies. You may want to try that; it will give you more background in how they’re constructed, and will help answer your doubts on the topic.

Mundofik · December 20, 2024, 7:22pm

Wow, that’s great. I was not aware of that course.
Thanks a mil @rob_kodekloud! Enrolling immediately.