NetworkPolicy Error?

Hello,
I have a question about this question in the network policy lab: “Learn-By-Doing Kubernetes Network Policies”.

In the section “Namespace-Based Isolation with Kubernetes Network Policies”, I have created 3 network policies that will:

  • Deploy a deny-all-ingress policy that blacklists all traffic in the cluster.
  • Allow ingress traffic from frontend pods to middleware
  • Allow ingress traffic from middleware to the mysql pod

Here are my network policies:

controlplane ~ ✖ ls
deny-all-traffic.yaml  frontend-to-middleware.yaml  middleware-to-mysql.yaml

controlplane ~ ➜  cat deny-all-traffic.yaml 
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress 
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress: []


controlplane ~ ➜  cat frontend-to-middleware.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-to-middleware 
  namespace: production
spec:
  podSelector:
    matchLabels:
     app: middleware 
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: production 
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80 



controlplane ~ ➜  cat middleware-to-mysql.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: middleware-to-mysql 
  namespace: production
spec:
  podSelector:
    matchLabels:
     app: mysql
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: production 
    - podSelector:
        matchLabels:
          app: middleware
    ports:
    - protocol: TCP
      port: 3306

When I press the check button it tells me that traffic is allowed between the frontend pods and the mysql svc, and this is marked as correct, even though I have already deployed a deny policy.

I hope that you can tell me if I am wrong about that or if I am missing something.

Thank you

Hi @houariabdelmouhssine

Your default deny policy is wrong. You might have been confused between default deny as to default allow. Take a look at the example here.

And, there’s no need to define namespaceSelector in your other policies as you are operating within the same ns and there is a ports block.

Please ignore the 2nd part of my reply. Your other two policies contain one from block with two elements. Hence, they operate like a logical OR. So, in middleware-to-mysql the MySQL pod will accept traffic from frontend pods in the production namespace as well.

So your from block should contain one block, as mentioned in the task instructions; the following will act like a logical AND.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: middleware-to-mysql 
  namespace: production
spec:
  podSelector:
    matchLabels:
     app: mysql
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: production 
      podSelector:
        matchLabels:
          app: middleware
    ports:
    - protocol: TCP
      port: 3306

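To make the OR-versus-AND point in the reply above concrete, here is an added example (not code from the original thread or from the lab) that models how Kubernetes evaluates NetworkPolicy ingress rules: a pod selected by any policy is isolated, traffic is allowed if any selecting policy has a rule that permits it, the elements of a `from` list are OR'ed together, and a `namespaceSelector` and `podSelector` inside one element are AND'ed. The policies are written as Python dicts mirroring the YAML in the thread; the pods and the namespace labels are constructed sample data, and the `Pod` class and the function names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pod:
    """Constructed stand-in for a running pod: only namespace and labels matter here."""
    namespace: str
    labels: dict


# Constructed sample data: every namespace carries the label that Kubernetes
# sets automatically, kubernetes.io/metadata.name.
NAMESPACE_LABELS = {
    "production": {"kubernetes.io/metadata.name": "production"},
    "staging": {"kubernetes.io/metadata.name": "staging"},
}

FRONTEND = Pod("production", {"app": "frontend"})
MIDDLEWARE = Pod("production", {"app": "middleware"})
MYSQL = Pod("production", {"app": "mysql"})
STAGING_FRONTEND = Pod("staging", {"app": "frontend"})

# deny-all-ingress: selects every pod in production and allows no ingress rule.
DENY_ALL = {
    "namespace": "production",
    "podSelector": {},
    "policyTypes": ["Ingress"],
    "ingress": [],
}

PRODUCTION_NS = {"matchLabels": {"kubernetes.io/metadata.name": "production"}}
MIDDLEWARE_PODS = {"matchLabels": {"app": "middleware"}}

# middleware-to-mysql as posted: two peers in one `from` list, i.e. logical OR.
# The first peer alone already matches every pod in the production namespace.
MYSQL_OR = {
    "namespace": "production",
    "podSelector": {"matchLabels": {"app": "mysql"}},
    "policyTypes": ["Ingress"],
    "ingress": [{
        "from": [
            {"namespaceSelector": PRODUCTION_NS},
            {"podSelector": MIDDLEWARE_PODS},
        ],
        "ports": [{"protocol": "TCP", "port": 3306}],
    }],
}

# middleware-to-mysql as corrected: both selectors in one peer, i.e. logical AND.
MYSQL_AND = {
    "namespace": "production",
    "podSelector": {"matchLabels": {"app": "mysql"}},
    "policyTypes": ["Ingress"],
    "ingress": [{
        "from": [
            {"namespaceSelector": PRODUCTION_NS, "podSelector": MIDDLEWARE_PODS},
        ],
        "ports": [{"protocol": "TCP", "port": 3306}],
    }],
}


def match_labels(selector, labels):
    """matchLabels semantics: every listed key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns):
    """One element of a `from` list. namespaceSelector and podSelector are AND'ed;
    a missing namespaceSelector restricts the peer to the policy's own namespace."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is not None:
        ns_ok = match_labels(ns_sel, NAMESPACE_LABELS.get(src.namespace, {}))
    else:
        ns_ok = src.namespace == policy_ns
    pod_ok = True if pod_sel is None else match_labels(pod_sel, src.labels)
    return ns_ok and pod_ok


def rule_allows(rule, src, port, protocol, policy_ns):
    """One ingress rule: peers are OR'ed, ports are OR'ed, and an empty or missing
    list means 'any'."""
    peers = rule.get("from") or []
    ports = rule.get("ports") or []
    src_ok = not peers or any(peer_matches(p, src, policy_ns) for p in peers)
    port_ok = not ports or any(
        p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports
    )
    return src_ok and port_ok


def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    """True if src may reach dst:port. A pod selected by no Ingress policy is not
    isolated; otherwise any matching rule in any selecting policy allows it."""
    selecting = [
        p for p in policies
        if p["namespace"] == dst.namespace
        and "Ingress" in p.get("policyTypes", ["Ingress"])
        and match_labels(p["podSelector"], dst.labels)
    ]
    if not selecting:
        return True
    return any(
        rule_allows(r, src, port, protocol, p["namespace"])
        for p in selecting for r in (p.get("ingress") or [])
    )


if __name__ == "__main__":
    for label, policy in (("as posted (OR)", MYSQL_OR), ("corrected (AND)", MYSQL_AND)):
        print(label)
        for name, src in (("frontend", FRONTEND), ("middleware", MIDDLEWARE),
                          ("staging frontend", STAGING_FRONTEND)):
            print(f"  {name:>16} -> mysql:3306 allowed:",
                  ingress_allowed([DENY_ALL, policy], src, MYSQL, 3306))
```

Run with the posted policy and the frontend pod reaches mysql:3306, which is exactly what the lab's check reported; with the corrected single-element peer only middleware gets through, a frontend pod in another namespace is refused in both variants, and middleware on port 80 is refused because the `ports` block still applies.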
Thank you so much :slight_smile: that was the solution