Network policy CKAD Question

Hi Kodekloud team,

I need help in solving the below example question.

Question:

Task: Example
Pod ckad00018-newpod in the ckad00018 namespace to use a NetworkPolicy allowing the Pod to send and receive traffic only to and from the pods web and db

POD → web → has label → app: web

POD → db → has label → app: db

POD → ckad00018-newpod → has label → app: newpod

Note: you must not create, modify, or delete any network policy while working on this task. You may use only existing network policies.

Taking it this is not from one of our labs 🙂 Can’t really answer this for you, since I don’t know what network policies already exist in the ckad00018 namespace for whoever created this example.

Do you happen to remember the PodSelector for the Network Policy which is allowing all (for that podSelector)?

Do you mean this?

- {}

I am not sure, but the netpol which was allowing all access had a podSelector label which was not {}.

Your question’s a bit vague, so I’m not completely clear what you’re asking. But if you look in the docs, here’s an example of the “full access” netpol rule. Does this help?

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress

@sarayuusa
In this case only pod labels need to be updated.
For example:

labels:
  app: db    # on the db pod

labels:
  app: web   # on the web pod

Ok, @sarayuusa

Firstly, is it a killercoda test, if so, which (link please)?

Let’s break this down piece by piece.

POD → web → has label → app: web

It must look like this

apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: ckad00018
  labels:
    app: web

POD → db → has label → app: db

apiVersion: v1
kind: Pod
metadata:
  name: db
  namespace: ckad00018
  labels:
    app: db

POD → ckad00018-newpod → has label → app: newpod

apiVersion: v1
kind: Pod
metadata:
  name: ckad00018-newpod
  namespace: ckad00018
  labels:
    app: newpod

Now, given it says “you must not create, modify, delete any network policy while working on this task”, there must be some policies already deployed, one of which will meet the requirements, and it is very likely, as mentioned by @Nahar, that you will have to adjust pod labels to fit the correct existing network policy.

kubectl get netpol -n ckad00018

The requirements are

  1. It must apply to ckad00018-newpod, therefore you can rule out any that do not have

    spec:
      podSelector:
        matchLabels:
          app: newpod

  2. send and receive traffic only to and from. This means it requires both ingress and egress policies, so it must include

    policyTypes:
    - Ingress
    - Egress

  3. the pods web and db - It is going to need the same two podSelectors under the ingress.from and egress.to sections

    - podSelector:
        matchLabels:
          app: web
    - podSelector:
        matchLabels:
          app: db

So the complete policy you are looking for would look very much like this

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: <name-of-the-existing-policy>   # placeholder: whatever the pre-created policy is called
  namespace: ckad00018
spec:
  policyTypes:
  - Ingress
  - Egress
  podSelector:
    matchLabels:
      app: newpod
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
    - podSelector:
        matchLabels:
          app: db
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: web
    - podSelector:
        matchLabels:
          app: db
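To check every existing policy against those three requirements in one pass, here is an added example (not from this thread or from KodeKloud) that works on the JSON that `kubectl get netpol -n ckad00018 -o json` returns. The policy list and its names are constructed for illustration, and only matchLabels selectors are handled; a policy using matchExpressions is conservatively treated as not a candidate.

```python
# Constructed stand-in for `kubectl get netpol -n ckad00018 -o json` (policy names are made up)
SAMPLE_NETPOLS = {"items": [
    {"metadata": {"name": "allow-all-ingress"},
     "spec": {"podSelector": {}, "ingress": [{}], "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "newpod-web-db"},
     "spec": {"podSelector": {"matchLabels": {"app": "newpod"}},
              "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}},
                                    {"podSelector": {"matchLabels": {"app": "db"}}}]}],
              "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "web"}}},
                                 {"podSelector": {"matchLabels": {"app": "db"}}}]}]}},
    {"metadata": {"name": "newpod-ingress-only"},
     "spec": {"podSelector": {"matchLabels": {"app": "newpod"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}]}},
]}

REQUIRED_PEERS = {("app", "web"), ("app", "db")}   # requirement 3, as (key, value) pairs

def selects(selector, pod_labels):
    """matchLabels semantics: every listed label must match; {} selects every pod.
    matchExpressions are not evaluated here, so such a selector is treated as not matching."""
    return "matchExpressions" not in selector and all(
        pod_labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def pod_peers(rules, key):
    """Union of matchLabels of pod-only peers in rules[*][key]; None if anything is broader."""
    if not rules:
        return None  # no rules at all: this direction is fully denied, not "web and db"
    found = set()
    for rule in rules:
        for peer in rule.get(key) or [None]:
            # an absent/empty from-to means allow all; a namespaceSelector, ipBlock or
            # label-less podSelector reaches beyond the two named pods: all disqualify
            labels = peer and set(peer) == {"podSelector"} and peer["podSelector"].get("matchLabels")
            if not labels:
                return None
            found.update(labels.items())
    return found

def candidate_policies(netpol_list, pod_labels):
    """Names of policies meeting all three requirements for a pod carrying pod_labels."""
    names = []
    for pol in netpol_list["items"]:
        spec = pol["spec"]
        if (selects(spec.get("podSelector", {}), pod_labels)                 # requirement 1
                and set(spec.get("policyTypes", [])) == {"Ingress", "Egress"}  # requirement 2
                and pod_peers(spec.get("ingress"), "from") == REQUIRED_PEERS   # requirement 3
                and pod_peers(spec.get("egress"), "to") == REQUIRED_PEERS):
            names.append(pol["metadata"]["name"])
    return names
```

Because the matching policy's egress list contains no DNS peer, a pod selected by it also loses egress to cluster DNS; that is what the task's "only" demands, but it is the first thing to check when a pod under such a policy stops resolving names.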