0
0
Kubernetesdevops~20 mins

Network policies for security in Kubernetes - Practice Problems & Coding Challenges

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Challenge - 5 Problems
🎖️
Network Policy Security Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
🧠 Conceptual
intermediate
1:30remaining
Understanding Kubernetes Network Policy Default Behavior

In Kubernetes, what is the default behavior of pod-to-pod communication when no network policies are applied?

APods can only communicate within the same namespace by default.
BNo pods can communicate with each other unless explicitly allowed.
CAll pods can communicate with each other without restrictions.
DPods can communicate only if they share the same label.
Attempts:
2 left
💡 Hint

Think about the default openness of pod networking before any restrictions are set.

💻 Command Output
intermediate
2:00remaining
Effect of a Deny-All Ingress Network Policy

Given the following NetworkPolicy YAML applied to a namespace, what will be the effect on pod ingress traffic?

Kubernetes
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
AAll incoming and outgoing traffic will be blocked.
BAll incoming traffic to pods in the namespace will be blocked.
COnly traffic from pods with matching labels will be allowed.
DNo effect; traffic remains unrestricted.
Attempts:
2 left
💡 Hint

Consider what an empty podSelector and only Ingress policyTypes imply.

Configuration
advanced
2:30remaining
Allowing Ingress Only from Specific Namespace

Which NetworkPolicy configuration correctly allows ingress traffic only from pods in the namespace labeled team=frontend?

A
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-frontend
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: frontend
  policyTypes:
  - Ingress
B
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-frontend
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: backend
  policyTypes:
  - Ingress
C
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-frontend
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: frontend
  policyTypes:
  - Ingress
D
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-frontend
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector:
        matchLabels:
          team: frontend
  policyTypes:
  - Ingress
Attempts:
2 left
💡 Hint

Focus on the difference between namespaceSelector and podSelector and the label keys.

Troubleshoot
advanced
2:00remaining
Diagnosing Blocked Pod Communication Despite NetworkPolicy

A developer reports that pods in namespace dev cannot receive traffic from pods in namespace test even though a NetworkPolicy allows ingress from test. What is a likely cause?

AThe NetworkPolicy is applied to the <code>test</code> namespace instead of <code>dev</code>.
BThe NetworkPolicy is missing the <code>egress</code> policy type.
CThe pods in <code>dev</code> do not have the label specified in the NetworkPolicy's <code>podSelector</code>.
DThe <code>test</code> namespace lacks the label used in the NetworkPolicy's <code>namespaceSelector</code>.
Attempts:
2 left
💡 Hint

Check if the source namespace matches the label selector in the policy.

🔀 Workflow
expert
3:00remaining
Sequence to Secure a Kubernetes Namespace with Network Policies

Arrange the steps in the correct order to secure a Kubernetes namespace by restricting all ingress traffic except from a trusted namespace.

A1,2,3,4
B2,1,3,4
C1,3,2,4
D2,3,1,4
Attempts:
2 left
💡 Hint

Think about labeling first, then defining policies, then applying them.