How many network policies do you see in the environment?

We have deployed a few web applications, services and network policies. Inspect the environment.

$ kubectl get networkpolicies
	NAME             POD-SELECTOR   AGE
	payroll-policy   name=payroll   65s

$ kubectl describe networkpolicies payroll-policy 
	Name:         payroll-policy
	Namespace:    default
	Spec:
	  PodSelector:     name=payroll
	  Allowing ingress traffic:
	    To Port: 8080/TCP
	    From:
	      PodSelector: name=internal
	  Not affecting egress traffic
	  Policy Types: Ingress

# Only Pods labelled name=internal in the namespace where the NetworkPolicy
# is applied can make requests to the Pod labelled name=payroll in that same
# namespace, and only on TCP port 8080.
$ kubectl get networkpolicies.networking.k8s.io payroll-policy -o yaml
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	  name: payroll-policy
	  namespace: default
	spec:
	  podSelector:
	    matchLabels:
	      name: payroll
	  policyTypes:
		  - Ingress
	  ingress:
		  - from:
			    - podSelector:
			        matchLabels:
			          name: internal
		    ports:
			    - port: 8080
			      protocol: TCP


What is the name of the Network Policy? payroll-policy

$ kubectl get networkpolicies.networking.k8s.io
	NAME             POD-SELECTOR   AGE
	payroll-policy   name=payroll   35m

Which pod is the Network Policy applied on?

Based on the PodSelector of the NetworkPolicy, the policy is applied to the Pod whose labels match the selector. In this case the NetworkPolicy is applied to the payroll Pod, which carries the label name=payroll.

$ kubectl get networkpolicies.networking.k8s.io
	NAME             **POD-SELECTOR**   AGE
	payroll-policy   **name=payroll**   35m

$ kubectl get pods --show-labels 
	NAME       READY   STATUS    RESTARTS   AGE   LABELS
	external   1/1     Running   0          36m   name=external
	internal   1/1     Running   0          36m   name=internal
	mysql      1/1     Running   0          36m   name=mysql
	**payroll    1/1     Running   0          36m   name=payroll**

What type of traffic is this Network Policy configured to handle?

This can be found with describe or get -o yaml by looking at the policyTypes field, or at whether ingress or egress rules are present.

policyTypes: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules. Policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress".

Source: Creating Network Policies (Kubernetes documentation)

$ kubectl get networkpolicies.networking.k8s.io payroll-policy -o yaml
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	  name: payroll-policy
	spec:
	  podSelector:
	    matchLabels:
	      name: payroll
	  **policyTypes:
		  - Ingress**
	  **ingress:
		  - from:
			    - podSelector:
			        matchLabels:
			          name: internal**
		    ports:
			    - port: 8080
			      protocol: TCP

What is the impact of the rule configured on this Network Policy?

Only Pods labelled name=internal in the default namespace can reach the payroll Pod, and only on TCP port 8080. Any other ingress to payroll is dropped, including traffic from the external Pod. Because policyTypes lists only Ingress, the egress of the payroll Pod is not restricted.

Create a network policy to allow traffic from the Internal application only to the payroll-service and db-service.
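The policyTypes defaulting rule quoted above and the final task both come down to the same question: given the pods and policies in this namespace, which connections does the CNI allow? The following Python model is an added example (not part of the lab notes or the Kubernetes project) that encodes the documented NetworkPolicy semantics for same-namespace pod peers with matchLabels only, replays payroll-policy exactly as the lab shows it, and adds a candidate internal-policy for the final task. The assumptions for that policy are stated in its comment: payroll-service fronts the name=payroll pod on TCP 8080, db-service fronts the name=mysql pod on TCP 3306, the policy name is arbitrary, and port 53 is opened because an egress policy otherwise also blocks DNS resolution of the service names.

```python
"""Model of Kubernetes NetworkPolicy decisions for the lab's pods (added example).

Rules implemented, as stated in the NetworkPolicy documentation:
  * a pod selected by no policy of a given type (Ingress/Egress) accepts or
    sends everything (default allow);
  * a pod selected by at least one policy of that type only gets the traffic
    some rule in those policies allows (rules are additive, never subtractive);
  * policyTypes defaults to ["Ingress"], plus "Egress" when an egress section exists;
  * a connection needs egress allowed at the source AND ingress allowed at the destination.
Only same-namespace pod peers with matchLabels are modelled; namespaceSelector,
ipBlock, matchExpressions and endPort are out of scope.
"""
import json

# Pods and labels copied from `kubectl get pods --show-labels` in the lab.
PODS = {
    "external": {"name": "external"},
    "internal": {"name": "internal"},
    "mysql": {"name": "mysql"},
    "payroll": {"name": "payroll"},
}

# The lab's existing policy, transcribed from `kubectl get ... -o yaml`.
PAYROLL_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "payroll-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"name": "payroll"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"name": "internal"}}}],
            "ports": [{"port": 8080, "protocol": "TCP"}],
        }],
    },
}

# Candidate answer for the final task. ASSUMPTIONS not stated on the page:
# payroll-service fronts the pod labelled name=payroll on TCP 8080 (the port
# payroll-policy admits), db-service fronts the pod labelled name=mysql on TCP
# 3306 (MySQL default), and the name internal-policy is arbitrary. Port 53 is
# opened to any peer because an Egress policy also blocks DNS; without it the
# pod can no longer resolve payroll-service or db-service.
INTERNAL_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "internal-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"name": "internal"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"podSelector": {"matchLabels": {"name": "payroll"}}}],
             "ports": [{"port": 8080, "protocol": "TCP"}]},
            {"to": [{"podSelector": {"matchLabels": {"name": "mysql"}}}],
             "ports": [{"port": 3306, "protocol": "TCP"}]},
            {"ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]},
        ],
    },
}


def _selects(selector, labels):
    """Empty matchLabels selects every pod, like an empty podSelector."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    """policyTypes with the documented default applied."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def _rule_allows(rule, peer_key, peer_labels, port, proto):
    peers = rule.get(peer_key, [])
    ports = rule.get("ports", [])
    peer_ok = not peers or any(              # no from/to entries: any peer
        _selects(p["podSelector"], peer_labels) for p in peers if "podSelector" in p)
    port_ok = not ports or any(              # no ports entries: any port
        p.get("protocol", "TCP") == proto and ("port" not in p or p["port"] == port)
        for p in ports)
    return peer_ok and port_ok


def _side_allows(policies, pod_labels, peer_labels, ptype, section, peer_key, port, proto):
    applicable = [p["spec"] for p in policies
                  if _selects(p["spec"]["podSelector"], pod_labels)
                  and ptype in policy_types(p["spec"])]
    if not applicable:
        return True                          # pod not selected for this type: default allow
    return any(_rule_allows(r, peer_key, peer_labels, port, proto)
               for spec in applicable for r in spec.get(section, []))


def allowed(policies, src, dst, port, proto="TCP"):
    """True if pod `src` can open a connection to pod `dst` on port/proto."""
    return (_side_allows(policies, PODS[src], PODS[dst], "Egress", "egress", "to", port, proto)
            and _side_allows(policies, PODS[dst], PODS[src], "Ingress", "ingress", "from", port, proto))


def manifest(policy):
    """JSON form of the policy; `kubectl apply -f` accepts JSON as well as YAML."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    before, after = [PAYROLL_POLICY], [PAYROLL_POLICY, INTERNAL_POLICY]
    for src, dst, port, proto in [("internal", "payroll", 8080, "TCP"), ("external", "payroll", 8080, "TCP"),
                                  ("internal", "mysql", 3306, "TCP"), ("internal", "external", 80, "TCP"),
                                  ("internal", "external", 53, "UDP")]:
        print(f"{src}->{dst}:{port}/{proto}  payroll-policy only: {allowed(before, src, dst, port, proto)}"
              f"  with internal-policy: {allowed(after, src, dst, port, proto)}")
    print(manifest(INTERNAL_POLICY))   # save to a file and `kubectl apply -f` it
```

Running the block shows the two states of the lab: with payroll-policy alone, external cannot reach payroll on 8080 but internal can, and internal can still reach anything; with internal-policy added, internal reaches only payroll:8080, mysql:3306 and DNS. Because rules are additive, a policy whose policyTypes names Egress but that has no matching egress rule denies that traffic entirely, which is why the DNS rule is part of the answer rather than an optional extra.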