hard📝 Workflow Q15 of 15
Kubernetes - Networking
You want to allow all pods in namespace 'frontend' to access pods labeled 'role=db' only on port 5432 TCP, but block all other traffic. Which NetworkPolicy YAML snippet correctly achieves this?
A.
    spec:
      podSelector:
        matchLabels:
          role: db
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              name: frontend
        ports:
        - protocol: UDP
          port: 5432

B.
    spec:
      podSelector:
        matchLabels:
          role: db
      ingress:
      - from:
        - podSelector:
            matchLabels:
              role: frontend
        ports:
        - protocol: TCP
          port: 5432

C.
    spec:
      podSelector:
        matchLabels:
          role: frontend
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: db
        ports:
        - protocol: TCP
          port: 5432

D.
    spec:
      podSelector:
        matchLabels:
          role: db
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: frontend
        ports:
        - protocol: TCP
          port: 5432

Step-by-Step Solution
Solution:
  1. Step 1: Identify podSelector and allowed source

    The policy must select pods with role: db and allow ingress only from pods in namespace 'frontend'. This requires a namespaceSelector with the correct label key.
  2. Step 2: Check port and protocol correctness

    Port must be 5432 TCP. Option D (podSelector role: db, namespaceSelector kubernetes.io/metadata.name: frontend, protocol: TCP, port: 5432) uses the correct protocol, TCP, and the correct namespace label key, kubernetes.io/metadata.name.
  3. Step 3: Verify other options

    • Option B (from: podSelector role: frontend) uses a podSelector for frontend pods, not a namespaceSelector, so it restricts source pods incorrectly: a podSelector on its own only matches pods in the policy's own namespace.
    • Option C (podSelector role: frontend, namespaceSelector kubernetes.io/metadata.name: db) selects the wrong pods and the wrong namespace.
    • Option A (namespaceSelector name: frontend, protocol: UDP) uses the wrong protocol, UDP, and the wrong namespace label key.
  4. Final Answer:

    spec:
      podSelector:
        matchLabels:
          role: db
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: frontend
        ports:
        - protocol: TCP
          port: 5432

    -> Option D
  5. Quick Check:

    Correct podSelector, namespaceSelector, TCP port 5432 = A [OK]
Quick Trick: Use podSelector for db pods, namespaceSelector with correct label, TCP port 5432 [OK]
Common Mistakes:
  • Using podSelector instead of namespaceSelector for source
  • Wrong namespace label key
  • Using UDP instead of TCP for port 5432
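
The three mistakes above can be checked mechanically. The following is an added example, not part of the original quiz and not Kubernetes code: a simplified Python model of NetworkPolicy ingress matching that runs all four options against constructed traffic. It assumes the role=db pods and the policy live in a hypothetical namespace named backend, and that the frontend namespace carries only the kubernetes.io/metadata.name label that Kubernetes sets automatically.

```python
NS_KEY = "kubernetes.io/metadata.name"  # label Kubernetes sets on every namespace

def labels_match(selector, labels):
    """matchLabels: every key/value pair in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src, policy_ns):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        # A podSelector on its own only matches pods in the policy's namespace.
        return src["ns"] == policy_ns and labels_match(pod_sel or {}, src["pod_labels"])
    if not labels_match(ns_sel, src["ns_labels"]):
        return False
    return pod_sel is None or labels_match(pod_sel, src["pod_labels"])

def admits(spec, policy_ns, src, dst_labels, proto, port):
    """True only if the policy selects the destination pod and a rule admits the flow."""
    if not labels_match(spec["podSelector"], dst_labels):
        return False
    for rule in spec["ingress"]:
        from_ok = any(peer_matches(p, src, policy_ns) for p in rule["from"])
        port_ok = any(p["protocol"] == proto and p["port"] == port for p in rule["ports"])
        if from_ok and port_ok:
            return True
    return False

def make_spec(target_role, peer, proto):
    return {"podSelector": {"matchLabels": {"role": target_role}},
            "ingress": [{"from": [peer], "ports": [{"protocol": proto, "port": 5432}]}]}

OPTIONS = {  # the four quiz options, as dicts
    "A": make_spec("db", {"namespaceSelector": {"matchLabels": {"name": "frontend"}}}, "UDP"),
    "B": make_spec("db", {"podSelector": {"matchLabels": {"role": "frontend"}}}, "TCP"),
    "C": make_spec("frontend", {"namespaceSelector": {"matchLabels": {NS_KEY: "db"}}}, "TCP"),
    "D": make_spec("db", {"namespaceSelector": {"matchLabels": {NS_KEY: "frontend"}}}, "TCP"),
}

# Constructed test traffic: a frontend pod with no role label, and a pod elsewhere.
FRONTEND_POD = {"ns": "frontend", "ns_labels": {NS_KEY: "frontend"}, "pod_labels": {"app": "web"}}
OTHER_POD = {"ns": "other", "ns_labels": {NS_KEY: "other"}, "pod_labels": {"role": "frontend"}}
DB_LABELS = {"role": "db"}

def evaluate(src=FRONTEND_POD, proto="TCP", port=5432):
    """Which options admit this flow to a role=db pod in the assumed 'backend' namespace?"""
    return {k: admits(s, "backend", src, DB_LABELS, proto, port) for k, s in OPTIONS.items()}

if __name__ == "__main__":
    for case in ({}, {"port": 5433}, {"src": OTHER_POD}, {"proto": "UDP"}):
        print(case, evaluate(**case))
```

Only option D admits the frontend pod on TCP 5432, and it admits nothing on another port, protocol, or from another namespace.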
