cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Robert-Craven
Cadet
Cadet
‎10-27-2023 11:33 AM
  • 4,899 Views

DO280 - Question to Lab Ch10.2 - compreview-review

Jump to solution

Hello, 

 

in the tasks for the compreview-review labs we have to configure also an "network policy template" for ingress traffic:

  • Must accept traffic only from within the same workshop or from the ingress controller.

I copied the example for the ingress controller from the official RedHat documentation:

matchLabels:
   policy-group.network.openshift.io/ingress: ""

Chapter 20. Network policy OpenShift Container Platform 4.12 | Red Hat Customer Portal
20.1.1.1. Using the allow-from-router network policy

but the "grade-script" doesn't accept this code. It want the following code:

 

matchLabels:
  network.openshift.io/policy-group: ingress

 


Both codes should be working, or dosn't it?
My question is now how the exam script will accept this kind of answers?

Regards

 

 

Join the discussion
1 Solution

Accepted Solutions
Randy_Thomas
Mission Specialist
Mission Specialist
‎12-04-2023 05:16 PM
  • 3,808 Views

Jump to solution

In edition 3 of the course, released on November 30, 2023, the preferred label is now the default used in the lecture and the lab:

policy-group.network.openshift.io/ingress: ""

The grading script has also be revised to accept either label.

View solution in original post

12 Replies
Chetan_Tiwary_
Community Manager
Community Manager
‎10-27-2023 04:10 PM
  • 4,033 Views

Jump to solution

Hello @Robert-Craven !
Thanks for reaching out !

If I understood it correctly :

To make a project allow only connections from the OpenShift Container Platform Ingress Controller, add the following NetworkPolicy  object :

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
  podSelector: {}
  policyTypes:
  - Ingress

and to Use the following NetworkPolicy to allow external traffic regardless of the router configuration:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-router
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
  podSelector: {}
  policyTypes:
  - Ingress

As per the official documentation ( v4.12 )  here : https://docs.openshift.com/container-platform/4.12/networking/network_policy/about-network-policy.ht...  

0 Kudos
DRobitaille
Flight Engineer
Flight Engineer
‎12-04-2023 03:52 PM
  • 3,831 Views

Jump to solution

Can someone then explain to me technically  the note in the very next section in the Open Shift docs (https://docs.openshift.com/container-platform/4.12/networking/network_policy/multitenant-network-pol...) that really seem to imply that both syntax are the similar, but one is the legacy label, while the other is the prefered label to use?

====================

Note:

policy-group.network.openshift.io/ingress: "" is the preferred namespace selector label for OpenShift SDN. You can use the network.openshift.io/policy-group: ingress namespace selector label, but this is a legacy label.

===================

I just want to make sure I use the prefered way, and not use a legacy label, which I assume will go away at one point in the future.  And I assume both are essentially the same???

Chetan_Tiwary_
Community Manager
Community Manager
‎12-04-2023 05:15 PM
  • 3,808 Views

Jump to solution

@alexcorcoles Could you help clarify as it is from DO280v4.12  ch10s02 step 9.5 

Chetan_Tiwary__0-1701710131070.png

 

0 Kudos
alexcorcoles
Flight Engineer
Flight Engineer
‎12-04-2023 05:30 PM
  • 3,805 Views

Jump to solution

Oh, I am not familiar with this part. It seems that Wasim reported an issue about the possibility that we are using a deprecated label- hopefully this will get dealt with soon.

I would also like to explain that the people writing the courses do not have visibility into the exam. This is logical- we can take exams and it wouldn't be fair. However, the people writing the exams look at the courses, so hopefully (having some mistakes is unavoidable), exams are well-aligned with the courses.

alexcorcoles
Flight Engineer
Flight Engineer
‎12-04-2023 05:30 PM
  • 3,804 Views

Jump to solution

Oh, I see Randy just mentioned that the issue has been dealt with

Chetan_Tiwary_
Community Manager
Community Manager
‎12-04-2023 05:46 PM
  • 3,802 Views

Jump to solution

Thanks @alexcorcoles for checking anyways !

0 Kudos
Wasim_Raja
Moderator
Moderator
‎12-04-2023 04:17 PM
  • 3,828 Views

Jump to solution

@Robert-Craven Thank you for reporting, this is a known issue in current lab environment I have already raised this bug with the concerned team and we should get a fix for this soon.

And as far as exams are concerned please be rest assured that this issue will not impact exam environment in any way.

 

0 Kudos
Randy_Thomas
Mission Specialist
Mission Specialist
‎12-04-2023 05:16 PM
  • 3,809 Views

Jump to solution

In edition 3 of the course, released on November 30, 2023, the preferred label is now the default used in the lecture and the lab:

policy-group.network.openshift.io/ingress: ""

The grading script has also be revised to accept either label.

Chetan_Tiwary_
Community Manager
Community Manager
‎12-04-2023 05:45 PM
  • 3,802 Views

Jump to solution

Thanks @Randy_Thomas so this means either label is acceptable. 

FYI @Robert-Craven @DRobitaille 

0 Kudos
Join the discussion
You must log in to join this conversation.
Red Hat Learning Community

Red Hat

Learning Community

A collaborative learning environment, enabling open source skill development.

Red Hat Inc. Copyright @ 2025 Red Hat Privacy statement Terms of service Community Guidelines