Can someone please help me with this question in a mock exam: We have already deployed an application that consists of frontend, backend, and database pods in the app-ckad namespace. Inspect them.
Your task is to create:
A service frontend-ckad-svcn to expose the frontend pods outside the cluster on port 31100.
A service backend-ckad-svcn to make the backend pods accessible within the cluster.
A policy database-ckad-svcn to limit access to database pods only to backend pods. Problem is: I have created a network policy with an egress rule on the db pod to the backend pod, but this answer came out incorrect. Can anyone please help me resolve this? It says I need to create ingress, so I am confused about how to decide between ingress and egress for this question.
- Create all your services. Examine the pods and note that despite their names they are all running nginx and listening on port 80. That makes the services easy and they can all be done with
k expose pod
except the frontend, which you will need to dry-run and edit the YAML to set the node port.
- Create the policy. How do we know if it’s ingress, egress or both?
It says
A policy database-ckad-svcn to limit access to database pods only to backend pods.
It says “A policy”, so there can be only one.
You are asked to limit access to a pod. That means you need to control ingress to the database pod from the pod or pods to be allowed access, in this case backend. This means you create an ingress policy that is attached to the “database” pod that allows ingress from the “backend” pod. Nowhere does it suggest that you need to block outgoing traffic which would be egress.
If you were to think back-to-front on this and say “If I put an egress policy on the frontend pod to stop it connecting to the database, then that fixes it”, well, no it doesn’t, because what if I came along and deployed another pod? There’s nothing to stop my pod from connecting to the database, because the database’s ingress is unrestricted.
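A worked manifest for the three objects the task asks for, added here as an example and not part of the original thread. It assumes the pods carry the labels `app: frontend`, `app: backend` and `app: database`; the real labels in the exam may differ, so check them first with `kubectl get pods -n app-ckad --show-labels`.

```yaml
# Assumed labels: app=frontend / app=backend / app=database (verify with --show-labels).
apiVersion: v1
kind: Service
metadata:
  name: frontend-ckad-svcn
  namespace: app-ckad
spec:
  type: NodePort            # reachable from outside the cluster
  selector:
    app: frontend
  ports:
  - port: 80                # every pod here runs nginx on port 80
    targetPort: 80
    nodePort: 31100         # the external port the task requires
---
apiVersion: v1
kind: Service
metadata:
  name: backend-ckad-svcn
  namespace: app-ckad
spec:
  type: ClusterIP           # in-cluster access only (the default type)
  selector:
    app: backend
  ports:
  - port: 80
    targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-ckad-svcn
  namespace: app-ckad
spec:
  podSelector:
    matchLabels:
      app: database         # the policy is attached to the database pods
  policyTypes:
  - Ingress                 # only ingress is restricted; the database's own egress stays open
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: backend      # only backend pods in app-ckad may connect
```

Because the policy selects the database pods and lists only the backend as an allowed source, every other ingress source (the frontend, or any pod deployed later) is denied, which is exactly the gap the answer describes. A `podSelector` under `from` with no `namespaceSelector` matches pods in the policy's own namespace only.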