
Network policies for traffic control in Kubernetes - Practice Problems & Coding Challenges

🧠 Conceptual
intermediate
Understanding default behavior of Kubernetes Network Policies

What is the default behavior of pod-to-pod traffic in a Kubernetes cluster when no NetworkPolicy is applied?

A. All pod-to-pod traffic is allowed by default.
B. All pod-to-pod traffic is denied by default.
C. Traffic is allowed only within the same namespace.
D. Traffic is allowed only if explicitly defined by a NetworkPolicy.
💡 Hint

Think about Kubernetes default networking model before any policies are applied.

💻 Command Output
intermediate
Effect of a NetworkPolicy on ingress traffic

Given the following NetworkPolicy YAML applied to namespace dev, what will be the output of kubectl get pods and the connectivity result when a pod in dev tries to receive traffic from a pod in prod?

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: dev
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
A. Pods in dev namespace can receive traffic only from pods in dev namespace; traffic from prod namespace is blocked.
B. Pods in dev namespace can receive traffic from any namespace; no traffic is blocked.
C. Pods in dev namespace cannot receive any traffic, including from dev namespace pods.
D. Pods in dev namespace can receive traffic only from pods in prod namespace; traffic from dev namespace is blocked.
💡 Hint

Look at the from field and the podSelector scope.

Configuration
advanced
Creating a NetworkPolicy to allow egress only to a specific IP block

Which NetworkPolicy YAML correctly restricts egress traffic from all pods in the default namespace to only the IP block 10.0.0.0/24?

A
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/24
B
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
C
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
D
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.1.0/24
💡 Hint

Check the policyTypes and the IP block CIDR carefully.

Troubleshoot
advanced
Diagnosing why a NetworkPolicy is not blocking traffic

You applied a NetworkPolicy to block all ingress traffic to pods in namespace test, but pods still receive traffic from other namespaces. What is the most likely reason?

A. The NetworkPolicy uses an empty podSelector, which selects no pods.
B. The NetworkPolicy is applied to the wrong namespace.
C. The NetworkPolicy allows all ingress traffic explicitly in the ingress section.
D. The NetworkPolicy does not specify policyTypes: [Ingress], so it is not enforced.
💡 Hint

Check the namespace where the NetworkPolicy is applied versus where the pods are.

🔀 Workflow
expert
Order of applying NetworkPolicies to restrict traffic

You want to restrict traffic so that pods in namespace frontend can only receive traffic from pods in namespace backend. Which sequence of steps correctly achieves this?

A.
  1. Apply a NetworkPolicy in frontend allowing ingress from backend pods only.
  2. Remove any default allow policies.
  3. Verify connectivity.
B.
  1. Apply a NetworkPolicy in backend allowing egress to frontend pods only.
  2. Apply a NetworkPolicy in frontend allowing ingress from backend pods only.
  3. Verify connectivity.
C.
  1. Apply a NetworkPolicy in frontend allowing ingress from backend pods only.
  2. Apply a NetworkPolicy in frontend allowing ingress from all namespaces.
  3. Verify connectivity.
D.
  1. Apply a NetworkPolicy in frontend allowing ingress from backend pods only.
  2. Apply a NetworkPolicy in backend allowing egress to frontend pods only.
  3. Verify connectivity.
💡 Hint

Think about both ingress and egress controls and where NetworkPolicies apply.