Solved: Re: deny all network policy

Steve_Zeng · ‎12-15-2024

Hi,

in DO280 comprehensive review lab 10.3, it requres to setup a network policy "must accept only TCP traffic from the beeper-api pods in the workshop-support namespace on the 5432 port."

However, I do not see a deny-all network policy in the solution. is it really not needed at all?

Thanks,

Randy_Thomas

@Steve_Zeng
The default policy is to allow all traffic. The deny-all policy is handy for changing the default for all pods in the namespace. This is helpful in a project with multiple deployments where you must ensure all network traffic is explicitly configured. However, when there is only a single deployment, the deny-all policy is unnecessary if another policy matches the deployment.

The example from ch04s04 differs from the exam since the target of the deny-all network policy in the "network-policy" project from Chapter 4 contains two deployments.

View solution in original post

Chetan_Tiwary_ · ‎12-17-2024

@Steve_Zeng

here in ch10s03 lab we have two objectives for the sake of this discussion :

Hence we create this network policy to achieve this

Edit the db-networkpolicy.yaml file so that only pods with the app: beeper-api label can connect to database pods.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-policy
  namespace: workshop-support
spec:
  podSelector:
    matchLabels:
      app: beeper-db
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              category: support
          podSelector:
            matchLabels:
              app: beeper-api
      ports:
        - protocol: TCP
          port: 5432

2nd objective is

hence we apply this network policy to achieve this :

Edit the beeper-api-ingresspolicy.yaml file to accept ingress connections from router pods by adding a namespace selector with the policy-group.network.openshift.io/ingress label.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: beeper-api-ingresspolicy
  namespace: workshop-support
spec:
  podSelector: {}
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/ingress: ""
      ports:
        - protocol: TCP
          port: 8080

so, I think unless we are required to create a default deny all network policy we dont need to create it here.

Steve_Zeng

@Chetan_Tiwary_,

Thanks a lot for the great explaination. I thought it imples a deny-all network policy as it says "must accept only TCP traffic from the beeper-api pods". especally on the second objective, "blocks traffic from other projects"

I got this confusion because in the guided exercise ch04s04, the requirement looks similar but the solution has declared a dedicate deny-all network policy.

does the network policy work the same way as a firewall ACLs? i.e. if there is a policy defined to some traffic, then the default action is to deny all other traffic if not defined by any previous policy?

really appreciate it.

Randy_Thomas

@Steve_Zeng
The default policy is to allow all traffic. The deny-all policy is handy for changing the default for all pods in the namespace. This is helpful in a project with multiple deployments where you must ensure all network traffic is explicitly configured. However, when there is only a single deployment, the deny-all policy is unnecessary if another policy matches the deployment.

The example from ch04s04 differs from the exam since the target of the deny-all network policy in the "network-policy" project from Chapter 4 contains two deployments.

Chetan_Tiwary_

Thanks @Randy_Thomas for providing your inputs!

Steve_Zeng

@Randy_Thomas,

>>when there is only a single deployment, the deny-all policy is unnecessary if another policy matches the deployment.

Thanks for the great point. that clears out my confusion.