Hi,
In the DO280 comprehensive review lab 10.3, it requires setting up a network policy that "must accept only TCP traffic from the beeper-api pods in the workshop-support namespace on the 5432 port."
However, I do not see a deny-all network policy in the solution. Is it really not needed at all?
Thanks,
Here in the ch10s03 lab we have two objectives, for the sake of this discussion:
Hence we create this network policy to achieve this:
Edit the db-networkpolicy.yaml file so that only pods with the app: beeper-api label can connect to database pods.

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: database-policy
      namespace: workshop-support
    spec:
      podSelector:
        matchLabels:
          app: beeper-db
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  category: support
              podSelector:
                matchLabels:
                  app: beeper-api
          ports:
            - protocol: TCP
              port: 5432
The 2nd objective is:
Hence we apply this network policy to achieve this:
Edit the beeper-api-ingresspolicy.yaml file to accept ingress connections from router pods by adding a namespace selector with the policy-group.network.openshift.io/ingress label.

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: beeper-api-ingresspolicy
      namespace: workshop-support
    spec:
      podSelector: {}
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  policy-group.network.openshift.io/ingress: ""
          ports:
            - protocol: TCP
              port: 8080

So, I think unless we are required to create a default deny-all network policy, we don't need to create it here.
Thanks a lot for the great explanation. I thought it implied a deny-all network policy as it says "must accept only TCP traffic from the beeper-api pods", especially on the second objective, "blocks traffic from other projects".
I got this confusion because in the guided exercise ch04s04, the requirement looks similar but the solution has declared a dedicated deny-all network policy.
Does the network policy work the same way as firewall ACLs? I.e. if there is a policy defined for some traffic, then is the default action to deny all other traffic if not defined by any previous policy?
really appreciate it.
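The answer above (why the two lab policies need no separate deny-all) and the follow-up question about ACL-like default-deny both come down to one Kubernetes rule: a pod that is selected by at least one NetworkPolicy becomes isolated for ingress and accepts only traffic that some selecting policy allows, while a pod selected by no policy accepts everything. The following is an added example, not part of this thread or of Red Hat's lab material: a small Python model of that evaluation, loaded with the two lab policies. The namespace openshift-ingress, the router pod, the namespace other-project and its client pod, and the deny-all policy are constructed for illustration.

```python
"""Minimal model of Kubernetes NetworkPolicy ingress evaluation (added example).

Models only ingress rules with namespaceSelector/podSelector peers and
protocol/port lists; ipBlock peers, egress and policyTypes are not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: Dict[str, str]


@dataclass
class Rule:
    # One entry of spec.ingress: `peers` mirrors `from` (empty = from anywhere),
    # `ports` mirrors `ports` (empty = any protocol/port).
    peers: List[Dict[str, Dict[str, str]]] = field(default_factory=list)
    ports: List[Tuple[str, int]] = field(default_factory=list)


@dataclass
class Policy:
    name: str
    namespace: str
    pod_selector: Dict[str, str]                     # matchLabels; {} selects every pod
    ingress: List[Rule] = field(default_factory=list)  # [] selects pods but allows nothing


def selects(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peer, policy: Policy, src: Pod, ns_labels) -> bool:
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only peers are not modelled
    if ns_sel is not None:
        if not selects(ns_sel, ns_labels.get(src.namespace, {})):
            return False
    elif src.namespace != policy.namespace:
        return False  # a bare podSelector only reaches pods in the policy's own namespace
    return pod_sel is None or selects(pod_sel, src.labels)


def rule_matches(rule: Rule, policy: Policy, src: Pod, ns_labels, proto, port) -> bool:
    peer_ok = not rule.peers or any(peer_matches(p, policy, src, ns_labels) for p in rule.peers)
    port_ok = not rule.ports or (proto, port) in rule.ports
    return peer_ok and port_ok


def ingress_allowed(policies, ns_labels, src: Pod, dst: Pod, proto: str, port: int) -> bool:
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and selects(p.pod_selector, dst.labels)]
    if not selecting:
        return True  # no policy selects dst: not isolated, default allow
    # Isolated: allowed only if some selecting policy has a matching rule (union of rules).
    return any(rule_matches(r, p, src, ns_labels, proto, port)
               for p in selecting for r in p.ingress)


# Constructed cluster state. openshift-ingress, other-project and the pods are assumptions.
NS_LABELS = {
    "workshop-support": {"category": "support"},
    "openshift-ingress": {"policy-group.network.openshift.io/ingress": ""},
    "other-project": {},
}
DB = Pod("beeper-db-1", "workshop-support", {"app": "beeper-db"})
API = Pod("beeper-api-1", "workshop-support", {"app": "beeper-api"})
ROUTER = Pod("router-default-1", "openshift-ingress", {"app": "router"})
OTHER = Pod("client-1", "other-project", {"app": "client"})

# The two policies from the lab, transcribed from the YAML above.
DATABASE_POLICY = Policy("database-policy", "workshop-support", {"app": "beeper-db"}, [
    Rule(peers=[{"namespaceSelector": {"category": "support"},
                 "podSelector": {"app": "beeper-api"}}],
         ports=[("TCP", 5432)])])
API_INGRESS_POLICY = Policy("beeper-api-ingresspolicy", "workshop-support", {}, [
    Rule(peers=[{"namespaceSelector": {"policy-group.network.openshift.io/ingress": ""}}],
         ports=[("TCP", 8080)])])
LAB_POLICIES = [DATABASE_POLICY, API_INGRESS_POLICY]

# Assumed explicit deny-all for other-project: selects every pod, allows no ingress.
DENY_ALL_OTHER = Policy("deny-all", "other-project", {}, [])


def lab_matrix(policies=LAB_POLICIES) -> Dict[str, bool]:
    """Evaluate the flows discussed in the thread; returns flow name -> allowed."""
    cases = {
        "api->db:5432": (API, DB, 5432),
        "other->db:5432": (OTHER, DB, 5432),
        "router->api:8080": (ROUTER, API, 8080),
        "other->api:8080": (OTHER, API, 8080),
        # podSelector {} in beeper-api-ingresspolicy also selects beeper-db, so the
        # router rule is unioned onto the database pod as well.
        "router->db:8080": (ROUTER, DB, 8080),
        # No policy selects pods in other-project: allowed until a deny-all is added.
        "router->other:9090": (ROUTER, OTHER, 9090),
    }
    return {k: ingress_allowed(policies, NS_LABELS, s, d, "TCP", p) for k, (s, d, p) in cases.items()}


if __name__ == "__main__":
    for name, ok in lab_matrix().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DENY'}")
    print("router->other:9090 with deny-all:",
          lab_matrix(LAB_POLICIES + [DENY_ALL_OTHER])["router->other:9090"])
```

The model shows why the lab needs no deny-all: database-policy already selects beeper-db, so everything not listed in its rules is dropped, and beeper-api-ingresspolicy's empty podSelector isolates every other pod in workshop-support. It also shows the two things the ACL analogy gets wrong: rules are not ordered (every policy selecting a pod contributes allowed flows, which is why the router reaches beeper-db on 8080), and the implicit deny only exists for pods some policy selects, so a namespace with no policy at all stays wide open until a deny-all is added.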
Red Hat Learning Community