Solved: DO280 - Question to Lab Ch10.2 - compreview-review - Page 2

Robert-Craven · ‎10-27-2023

Hello,

in the tasks for the compreview-review labs we have to configure also an "network policy template" for ingress traffic:

Must accept traffic only from within the same workshop or from the ingress controller.

I copied the example for the ingress controller from the official RedHat documentation:

matchLabels:
   policy-group.network.openshift.io/ingress: ""

Chapter 20. Network policy OpenShift Container Platform 4.12 | Red Hat Customer Portal
20.1.1.1. Using the allow-from-router network policy

but the "grade-script" doesn't accept this code. It want the following code:

matchLabels:
  network.openshift.io/policy-group: ingress

Both codes should be working, or dosn't it?
My question is now how the exam script will accept this kind of answers?

Regards

Wasim_Raja · ‎12-04-2023

@Randy_Thomas Thank you for the confirmation.

Steve_Zeng

aside from the label, do we also need to specifially define a deny-all policy to make sure "a project allow only connections from the OpenShift Container Platform Ingress Controller"?

Thanks,

Chetan_Tiwary_

@Steve_Zeng To make a project allow only connections from the OpenShift Container Platform Ingress Controller, add the following NetworkPolicy object.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-openshift-ingress
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
network.openshift.io/policy-group: ingress
podSelector: {}
policyTypes:
- Ingress