cancel
Showing results for 
Search instead for 
Did you mean: 
Steve_Zeng
Mission Specialist
Mission Specialist
  • 104 Views

deny all network policy

Hi,

in DO280 comprehensive review lab 10.3, it requres to setup a network policy "must accept only TCP traffic from the beeper-api pods in the workshop-support namespace on the 5432 port."

However, I do not see a deny-all network policy in the solution. is it really not needed at all? 

Thanks,

2 Replies
Chetan_Tiwary_
Community Manager
Community Manager
  • 36 Views

@Steve_Zeng

Chetan_Tiwary__0-1734455575453.png

 

here in ch10s03 lab we have two objectives for the sake of this discussion :

Chetan_Tiwary__1-1734455603132.png

Hence we create this network policy to achieve this

Edit the db-networkpolicy.yaml file so that only pods with the app: beeper-api label can connect to database pods.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-policy
  namespace: workshop-support
spec:
  podSelector:
    matchLabels:
      app: beeper-db
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              category: support
          podSelector:
            matchLabels:
              app: beeper-api
      ports:
        - protocol: TCP
          port: 5432

2nd objective is

Chetan_Tiwary__2-1734455692101.png

hence we apply this network policy to achieve this :

Edit the beeper-api-ingresspolicy.yaml file to accept ingress connections from router pods by adding a namespace selector with the policy-group.network.openshift.io/ingress label.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: beeper-api-ingresspolicy
  namespace: workshop-support
spec:
  podSelector: {}
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/ingress: ""
      ports:
        - protocol: TCP
          port: 8080

 

so, I think unless we are required to create a default deny all network policy we dont need to create it here.

 

0 Kudos
Steve_Zeng
Mission Specialist
Mission Specialist
  • 12 Views

@Chetan_Tiwary_,

Thanks a lot for the great explaination. I thought it imples a deny-all network policy as it says "must accept only TCP traffic from the beeper-api pods". especally on the second objective, "blocks traffic from other projects

I got this confusion because in the guided exercise ch04s04, the requirement looks similar but the solution has declared a dedicate deny-all network policy. 

does the network policy work the same way as a firewall ACLs? i.e. if there is a policy defined to some traffic, then the default action is to deny all other traffic if not defined by any previous policy?

really appreciate it. 

 

0 Kudos
Join the discussion
You must log in to join this conversation.