Bird
Raised Fist0
Kubernetesdevops~5 mins

Network policies for security in Kubernetes - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is a Kubernetes Network Policy?
A Kubernetes Network Policy is a set of rules that control how pods communicate with each other and with other network endpoints. It helps secure the cluster by restricting traffic.
Click to reveal answer
beginner
Which Kubernetes resource defines network policies?
The resource is called NetworkPolicy. It is a Kubernetes API object used to specify how groups of pods are allowed to communicate with each other and other network endpoints.
Click to reveal answer
intermediate
What does the podSelector field do in a Network Policy?
The podSelector field selects the pods to which the network policy applies. Only the selected pods will have the traffic rules enforced.
Click to reveal answer
intermediate
How do you allow incoming traffic only from pods in the same namespace using a Network Policy?
You create an ingress rule with from specifying podSelector matching the pods in the same namespace. This restricts incoming traffic to only those pods.
Click to reveal answer
beginner
What happens if no Network Policy selects a pod?
If no Network Policy selects a pod, then by default all traffic is allowed to and from that pod. Network Policies only restrict traffic for selected pods.
Click to reveal answer
What is the default behavior for pod traffic if no Network Policy is applied?
AAll traffic is allowed
BAll traffic is blocked
COnly ingress traffic is allowed
DOnly egress traffic is allowed
Which field in a Network Policy specifies the pods the policy applies to?
ApodSelector
BnamespaceSelector
CpolicyTypes
Dingress
How do you specify that a Network Policy should restrict outgoing traffic?
AUse the ingress field
BUse the egress field
CSet policyTypes to Ingress only
DSet podSelector to empty
What does setting policyTypes: ["Ingress"] do?
ABlocks all traffic
BRestricts only outgoing traffic
CRestricts only incoming traffic
DAllows all traffic
Which selector allows you to restrict traffic from pods in a different namespace?
ApodSelector
BpolicyTypes
CipBlock
DnamespaceSelector
Explain how Kubernetes Network Policies help secure pod communication.
Think about controlling who can talk to whom inside the cluster.
You got /4 concepts.
    Describe the difference between ingress and egress rules in a Network Policy.
    Consider traffic direction relative to the pod.
    You got /3 concepts.

      Practice

      (1/5)
      1. What is the main purpose of a Kubernetes NetworkPolicy?
      easy
      A. To update container images automatically
      B. To schedule pods on specific nodes
      C. To manage storage volumes for pods
      D. To control which pods can communicate with each other

      Solution

      1. Step 1: Understand NetworkPolicy role

        A NetworkPolicy defines rules about pod communication inside a Kubernetes cluster.

      2. Step 2: Identify main function

        It controls which pods can send or receive network traffic to improve security.

      3. Final Answer:

        To control which pods can communicate with each other -> Option D

      4. Quick Check:

        NetworkPolicy controls pod communication = A [OK]
      Hint: NetworkPolicy controls pod communication, not scheduling or storage [OK]
      Common Mistakes:
      • Confusing NetworkPolicy with pod scheduling
      • Thinking NetworkPolicy manages storage
      • Assuming NetworkPolicy updates images
      2. Which of the following is the correct way to specify a pod selector in a NetworkPolicy YAML?
      easy
      A. podSelector: labels: role: frontend
      B. podSelector: matchLabels: role: frontend
      C. podSelector: role=frontend
      D. podSelector: role: frontend

      Solution

      1. Step 1: Recall podSelector syntax

        In NetworkPolicy YAML, podSelector uses matchLabels to select pods by labels.

      2. Step 2: Match correct YAML format

        podSelector: matchLabels: role: frontend correctly uses podSelector with matchLabels syntax.

      3. Final Answer:

        podSelector: matchLabels: role: frontend -> Option B

      4. Quick Check:

        Correct podSelector uses matchLabels = C [OK]
      Hint: Use matchLabels map inside podSelector for correct syntax [OK]
      Common Mistakes:
      • Using incorrect YAML indentation
      • Omitting matchLabels key
      • Writing labels without proper mapping
      3. Given this NetworkPolicy snippet, what traffic is allowed? 
      apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
      medium
      A. Only pods with label role=frontend can access nginx pods on TCP port 80
      B. All pods can access nginx pods on any port
      C. Only pods with label app=nginx can access frontend pods on port 80
      D. No traffic is allowed to nginx pods

      Solution

      1. Step 1: Analyze podSelector and ingress rules

        The policy selects pods with label app: nginx and allows ingress only from pods with role: frontend on TCP port 80.

      2. Step 2: Interpret allowed traffic

        Only pods labeled role=frontend can connect to nginx pods on TCP port 80; other traffic is blocked.

      3. Final Answer:

        Only pods with label role=frontend can access nginx pods on TCP port 80 -> Option A

      4. Quick Check:

        Ingress from role=frontend on port 80 = B [OK]
      Hint: Ingress from podSelector limits source pods and ports [OK]
      Common Mistakes:
      • Assuming all pods can access nginx
      • Confusing source and destination labels
      • Ignoring port restrictions
      4. You wrote this NetworkPolicy but pods labeled role=frontend still cannot access app=nginx pods on port 80. What is wrong? 
      apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 8080
      medium
      A. The metadata name is incorrect
      B. The podSelector is missing in the policy
      C. The port in the policy is 8080 but nginx listens on port 80
      D. The protocol TCP is not supported in NetworkPolicy

      Solution

      1. Step 1: Compare port in policy with actual service port

        The policy allows ingress on TCP port 8080, but nginx usually listens on port 80.

      2. Step 2: Identify mismatch causing blocked traffic

        Because the port does not match nginx's listening port, traffic is blocked despite correct podSelector.

      3. Final Answer:

        The port in the policy is 8080 but nginx listens on port 80 -> Option C

      4. Quick Check:

        Port mismatch blocks traffic = D [OK]
      Hint: Check port numbers match service and policy exactly [OK]
      Common Mistakes:
      • Ignoring port mismatch
      • Assuming protocol TCP is unsupported
      • Thinking metadata name affects traffic
      5. You want to create a NetworkPolicy that allows pods labeled role=frontend to access pods labeled app=nginx on port 80, but blocks all other traffic. Which YAML snippet correctly achieves this?
      hard
      A. spec: podSelector: matchLabels: app: nginx ingress: - from: - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 80
      B. spec: podSelector: matchLabels: role: frontend ingress: - from: - podSelector: matchLabels: app: nginx ports: - protocol: TCP port: 80
      C. spec: podSelector: matchLabels: app: nginx egress: - to: - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 80
      D. spec: podSelector: matchLabels: app: nginx ingress: - from: - namespaceSelector: matchLabels: role: frontend ports: - protocol: TCP port: 80

      Solution

      1. Step 1: Identify pods to protect and allowed sources

        The policy must select pods with app: nginx and allow ingress only from pods with role: frontend.

      2. Step 2: Check ingress rules and ports

        spec: podSelector: matchLabels: app: nginx ingress: - from: - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 80 correctly uses podSelector for nginx pods and allows ingress from frontend pods on TCP port 80.

      3. Step 3: Confirm other options are incorrect

        The snippet that selects role: frontend in podSelector but has from app: nginx reverses source and destination; the snippet using egress and to controls outgoing traffic; the snippet using namespaceSelector selects entire namespaces instead of specific pods.

      4. Final Answer:

        spec: podSelector: matchLabels: app: nginx ingress: - from: - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 80 -> Option A

      5. Quick Check:

        Correct podSelector and ingress from frontend pods = A [OK]
      Hint: Select nginx pods and allow ingress from frontend pods on port 80 [OK]
      Common Mistakes:
      • Mixing up podSelector labels
      • Using egress instead of ingress
      • Using namespaceSelector instead of podSelector