Network policy question

A question on ingress: when creating a network policy, if the question only mentions creating a policy for incoming traffic to a pod (ingress), does that mean we don't mention egress at all (so it's blocked), or do we assume it's allowed and allow all egress?
The same for an egress question: if outgoing traffic from a pod has restrictions, should we assume incoming needs to be allowed?
Let me clarify my question with these 2 questions that I came across. In Solution 2, all egress is allowed even if the question only mentions ingress traffic.

I hope this makes sense. If not, I can try to ask in a different way.

Ques 1 (egress question):
Create a NetworkPolicy called np-backend in Namespace project-snake. It should allow the backend-* Pods only to:
connect to db1-* Pods on port 1111
connect to db2-* Pods on port 2222

Solution:

```yaml
spec:
  podSelector:            # pod to which policy is applied to
    matchLabels:
      app: backend
  policyTypes:
  - Egress                # policy is only about Egress
  egress:
  -                       # first rule
    to:                   # first condition "to"
    - podSelector:
        matchLabels:
          app: db1
    ports:                # second condition "port"
    - protocol: TCP
      port: 1111
  -                       # second rule
    to:                   # first condition "to"
    - podSelector:
        matchLabels:
          app: db2
    ports:                # second condition "port"
    - protocol: TCP
      port: 2222
```

Ques2:
Ingress Q
restricted pod so a network policy called cyan-np-cka28-trb has been created in the same namespace to apply some restrictions on this pod.
Expectation: This app should only be accessible from the cyan-white-cka28-trb1 pod.
Solution:
Here the solution added egress and allowed all. Shouldn't we 'only' include ingress rules in our policy? Why even include egress here when the question does not mention it?
(Please ignore mistakes in indentation, as my question is just focusing on what should be included and what not.)

```yaml
ingress:
- from:                   # source selector not included in the post
  ports:
  - port: 80
    protocol: TCP
egress:
- ports:
  - port: 80
    protocol: TCP
  to:
  - ipBlock:
      cidr: 0.0.0.0/0
```

It will make a lot more sense if you repost the policies in code blocks so the formatting and indentation is not screwed - because we do need to understand what you are trying to do.

However for the second one, the egress policy is a red herring. Since we are not concerned with egress from the nginx pod, only ingress to it from the other pods, then it does not feature in the solution to this problem so you can ignore it.

So you mean if a question does not ask to include egress traffic, we just do not include egress in the policy?

I will have to find these questions in the lab, as I am afraid I didn't save the complete YAMLs.

The question states

Expectation: This app should only be accessible from the cyan-white-cka28-trb pod.
Problem: This app is not accessible from anywhere.

It does not mention anything about egress from the nginx pod, therefore we do not have to do anything with the egress rule unless it affects what the question is asking for, which it isn’t. To remove it would be incorrect if it isn’t affecting what the question wants as (in a real life scenario), it could be there for another reason not stated, and removal would constitute a security risk.

OK got it. Thanks again!!
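
Added example (not part of the thread or the lab solutions): a Python model of the rule the thread turns on, that a NetworkPolicy isolates a pod only in the directions listed in its policyTypes (or implied when the field is omitted), so an ingress-only policy leaves egress open and an egress-only policy leaves ingress open. It assumes matchLabels selectors only; the function names and the labels of the second policy are constructed for illustration.

```python
# Added example: which traffic directions a set of NetworkPolicies isolates
# for a pod. Only matchLabels selectors are modelled (assumption).

def effective_policy_types(spec):
    """policyTypes as defaulted by the API server when the field is omitted."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    types = {"Ingress"}            # Ingress is always implied
    if spec.get("egress"):         # Egress is implied only if egress rules exist
        types.add("Egress")
    return types

def selects(spec, pod_labels):
    """True if spec.podSelector matches the pod; an empty selector matches all."""
    wanted = spec.get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())

def isolated_directions(pod_labels, policies):
    """Directions where the pod is default-deny except for the listed rules.
    Any direction not returned stays fully open for this pod."""
    directions = set()
    for spec in policies:
        if selects(spec, pod_labels):
            directions |= effective_policy_types(spec)
    return directions

# Ques 1 policy from the thread: Egress only.
NP_BACKEND = {
    "podSelector": {"matchLabels": {"app": "backend"}},
    "policyTypes": ["Egress"],
    "egress": [
        {"to": [{"podSelector": {"matchLabels": {"app": "db1"}}}],
         "ports": [{"protocol": "TCP", "port": 1111}]},
        {"to": [{"podSelector": {"matchLabels": {"app": "db2"}}}],
         "ports": [{"protocol": "TCP", "port": 2222}]},
    ],
}

# Constructed ingress-only policy in the spirit of Ques 2 (labels are made up).
INGRESS_ONLY = {
    "podSelector": {"matchLabels": {"app": "web"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "client"}}}],
                 "ports": [{"protocol": "TCP", "port": 80}]}],
}

if __name__ == "__main__":
    print(isolated_directions({"app": "backend"}, [NP_BACKEND]))
    print(isolated_directions({"app": "web"}, [INGRESS_ONLY]))
```

Adding egress rules to the second policy without setting policyTypes makes it isolate both directions, which is why an existing egress section should not be added or removed casually.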