cancel
Showing results for 
Search instead for 
Did you mean: 
Steve_Zeng
Mission Specialist
Mission Specialist
  • 352 Views

deny all network policy

Jump to solution

Hi,

in DO280 comprehensive review lab 10.3, it requres to setup a network policy "must accept only TCP traffic from the beeper-api pods in the workshop-support namespace on the 5432 port."

However, I do not see a deny-all network policy in the solution. is it really not needed at all? 

Thanks,

1 Solution

Accepted Solutions
Randy_Thomas
Mission Specialist
Mission Specialist
  • 236 Views

@Steve_Zeng 
The default policy is to allow all traffic.  The deny-all policy is handy for changing the default for all pods in the namespace.  This is helpful in a project with multiple deployments where you must ensure all network traffic is explicitly configured.  However, when there is only a single deployment, the deny-all policy is unnecessary if another policy matches the deployment.

The example from ch04s04 differs from the exam since the target of the deny-all network policy in the  "network-policy" project from Chapter 4 contains two deployments.  

View solution in original post

5 Replies
Chetan_Tiwary_
Community Manager
Community Manager
  • 284 Views

@Steve_Zeng

Chetan_Tiwary__0-1734455575453.png

 

here in ch10s03 lab we have two objectives for the sake of this discussion :

Chetan_Tiwary__1-1734455603132.png

Hence we create this network policy to achieve this

Edit the db-networkpolicy.yaml file so that only pods with the app: beeper-api label can connect to database pods.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-policy
  namespace: workshop-support
spec:
  podSelector:
    matchLabels:
      app: beeper-db
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              category: support
          podSelector:
            matchLabels:
              app: beeper-api
      ports:
        - protocol: TCP
          port: 5432

2nd objective is

Chetan_Tiwary__2-1734455692101.png

hence we apply this network policy to achieve this :

Edit the beeper-api-ingresspolicy.yaml file to accept ingress connections from router pods by adding a namespace selector with the policy-group.network.openshift.io/ingress label.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: beeper-api-ingresspolicy
  namespace: workshop-support
spec:
  podSelector: {}
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/ingress: ""
      ports:
        - protocol: TCP
          port: 8080

 

so, I think unless we are required to create a default deny all network policy we dont need to create it here.

 

0 Kudos
Steve_Zeng
Mission Specialist
Mission Specialist
  • 260 Views

@Chetan_Tiwary_,

Thanks a lot for the great explaination. I thought it imples a deny-all network policy as it says "must accept only TCP traffic from the beeper-api pods". especally on the second objective, "blocks traffic from other projects

I got this confusion because in the guided exercise ch04s04, the requirement looks similar but the solution has declared a dedicate deny-all network policy. 

does the network policy work the same way as a firewall ACLs? i.e. if there is a policy defined to some traffic, then the default action is to deny all other traffic if not defined by any previous policy?

really appreciate it. 

 

Randy_Thomas
Mission Specialist
Mission Specialist
  • 237 Views

@Steve_Zeng 
The default policy is to allow all traffic.  The deny-all policy is handy for changing the default for all pods in the namespace.  This is helpful in a project with multiple deployments where you must ensure all network traffic is explicitly configured.  However, when there is only a single deployment, the deny-all policy is unnecessary if another policy matches the deployment.

The example from ch04s04 differs from the exam since the target of the deny-all network policy in the  "network-policy" project from Chapter 4 contains two deployments.  

Chetan_Tiwary_
Community Manager
Community Manager
  • 227 Views

Thanks @Randy_Thomas for providing your inputs!

0 Kudos
Steve_Zeng
Mission Specialist
Mission Specialist
  • 204 Views

@Randy_Thomas,

 >>when there is only a single deployment, the deny-all policy is unnecessary if another policy matches the deployment.

Thanks for the great point. that clears out my confusion.

Join the discussion
You must log in to join this conversation.