Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Exam CKA topic 1 question 5 discussion

Actual exam question from CNCF's CKA
Question #: 5
Topic #: 1
[All CKA Questions]

SIMULATION -


Task -
Create a new NetworkPolicy named allow-port-from-namespace in the existing namespace fubar.
Ensure that the new NetworkPolicy allows Pods in namespace internal to connect to port 9000 of Pods in namespace fubar.
Further ensure that the new NetworkPolicy:
✑ does not allow access to Pods, which don't listen on port 9000
✑ does not allow access from Pods, which are not in namespace internal

Show Suggested Answer Hide Answer
Suggested Answer:



Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
TemitopeWalker
Highly Voted 1 year, 8 months ago
I think this asnwer is wrong the solution should be apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: internal ports: - protocol: TCP port: 9000
upvoted 50 times
...
pentium2000
Highly Voted 1 year, 7 months ago
For this question, we should create a label for "internal" namespace in further YAML. # k label ns internal tier=internal apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: tier: internal ports: - protocol: TCP port: 9000
upvoted 12 times
Jibbajabba
8 months ago
Don't think you need to create a label specifically unless you need to work with multiple namespaces "The Kubernetes control plane sets an immutable label kubernetes.io/metadata.name on all namespaces, the value of the label is the namespace name. While NetworkPolicy cannot target a namespace by its name with some object field, you can use the standardized label to target a specific namespace." I suppose that implies you CAN but you don't HAVE TO.
upvoted 5 times
...
...
Pi_otR
Most Recent 5 months, 3 weeks ago
Due to this part: "- does not allow access from Pods, which are not in namespace internal" -means that even pods in namespace fubar should not be able to reach other pods in same namespace. I would suggest to do following : ---- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: {} # Selects all Pods in the `fubar` namespace policyTypes: - Ingress - Egress ingress: - from: - namespaceSelector: matchLabels: name: internal ports: - protocol: TCP port: 9000 this way Egress is specified but due to fact nothing is defined pod in same NSs are not able to communicate.
upvoted 2 times
fonte
6 days, 1 hour ago
No need for that... the policy already restricts the traffic to the internal ns. Tested it and even another pod in the fubar ns cannot reach the other pods listening port 9000.
upvoted 1 times
...
...
Alencar_07
7 months, 3 weeks ago
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: # Selects Pods in the namespace where the NetworkPolicy is applied matchLabels: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: # Allow traffic only from Pods in the 'internal' namespace matchLabels: name: internal ports: - protocol: TCP port: 9000 # Allow connections to port 9000 egress: - to: - namespaceSelector: # Allow traffic only to Pods in the 'fubar' namespace matchLabels: name: fubar ports: - protocol: TCP port: 9000 # Allow connections to port 9000
upvoted 1 times
...
Stunomatic
9 months ago
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: name: internal ports: - protocol: TCP port: 9000
upvoted 1 times
...
aloshari
9 months, 1 week ago
I think we need to check my-app labels first to match it,
upvoted 1 times
...
Shenannigan
11 months, 2 weeks ago
Tested locally and this worked for me Used Nginx Pod with port set to 9000 in the fubar namespace Used Alpine Pod image alpine/curl in the internal namespace for testing exec into the Alpine Pod and run the command: curl (your nginx pod IP seperated by dashes).fubar.pod.cluster.local:9000 Policy: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: "internal" ports: - protocol: TCP port: 9000
upvoted 4 times
VivekSolutionArchitect
9 months, 1 week ago
It doesn't work for me when I use port 9000 for nginx, however port 80 works fine. Not sure if I am doing something incorrectly.
upvoted 2 times
...
...
didorins
1 year ago
I still fail to understand this question. Do they want me to create a policy that allows only traffic on port 9000 from namespace internal (x2 ingress) or do they want to create a network policy to restrict incoming traffic, so that only pods FROM (ingress) internal namespace are allowed and pods TO (egress) port 9000 ?
upvoted 1 times
...
Nurbol
1 year, 1 month ago
To one who wonder where this from: kubernetes.io/metadata.name: internal, run: k get ns internal --show-labels
upvoted 3 times
...
sonixrw
1 year, 1 month ago
Should we also add deny any any and add NP to access port 9000 in ns foobar, from internal?
upvoted 1 times
...
ahmedovelshan
1 year, 2 months ago
Maybe this? apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: matchLabels: - namespaceSelector: matchExpressions: - key: namespace operator: In Values: ["fubar"] policyTypes: - Ingress - Egress ingress: - from: - namespaceSelector: matchExpressions: - key: namespace operator: In Values: ["internal"] ports: - protocol: TCP port: 9000
upvoted 2 times
...
kopper2019
1 year, 2 months ago
using this I get an error so I had to use label, at least practicing not in exam yet kubernetes.io/metadata.name: internal
upvoted 2 times
dayody
11 months, 4 weeks ago
me too I got an error using it
upvoted 1 times
...
kopper2019
1 year, 2 months ago
I was using kubernetes.io/metadata.name=echo instead of kubernetes.io/metadata.name: echo apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: my-app spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: echo ports: - protocol: TCP port: 9000
upvoted 2 times
...
...
Sylzys
1 year, 3 months ago
Is there a template during the exam or do we have to write it all from scratch?
upvoted 2 times
...
ramon712
1 year, 4 months ago
Sorry, I disagree with : matchLabels: kubernetes.io/metadata.name: internal I suggest : ingress: - from: - namespaceSelector: matchLabels: items[0].metadata.namespace: internal # from query kubectl get po with jsonpath What do you think ?
upvoted 2 times
ramon712
1 year, 4 months ago
I made an error. So, the answer from Kubernetes's document : kubernetes.io/metadata.name Example: kubernetes.io/metadata.name: "mynamespace" Used on: Namespaces The Kubernetes API server (part of the control plane) sets this label on all namespaces. The label value is set to the name of the namespace. You can't change this label's value. This is useful if you want to target a specific namespace with a label selector.
upvoted 1 times
...
...
rajusai
1 year, 6 months ago
They have asked us for namespace internal, hence following is the correct under matchlabels kubernetes.io/metadata.name: internal
upvoted 2 times
...
Steve122
1 year, 6 months ago
no magic: (this policy is ns scoped so no need any labelling on ns) tested, works apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-port-from-namespace namespace: fubar spec: podSelector: {} policyTypes: - Ingress ingress: - from: ports: - protocol: TCP port: 9000
upvoted 1 times
...
phuongnt
1 year, 8 months ago
I think "kubernetes.io/metadata.name: fubar" is right https://kubernetes.io/docs/reference/labels-annotations-taints/#kubernetes-io-metadata-name
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
ex Want to SAVE BIG on Certification Exam Prep?
close
ex Unlock All Exams with ExamTopics Pro 75% Off
  • arrow Choose From 1000+ Exams
  • arrow Access to 10 Exams per Month
  • arrow PDF Format Available
  • arrow Inline Discussions
  • arrow No Captcha/Robot Checks
Limited Time Offer
Ends in