The grading tool is reporting the following fail:
FAIL Validating the network policy in the grading-project-klz project
- Expected ingress selector not found: {'namespaceSelector': {'matchLabels': {'workshop': 'grading-project-klz'}}}
But I think that my formulation is correct:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: workshop
  namespace: do280
spec:
  ingress:
  - from:
    - podSelector: {}
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
  podSelector: {}
  policyTypes:
  - Ingress
In fact, the policy is in namespace do280 and therefore 'from: podSelector: {}' selects all and only the pods of the same namespace, which matches the requirement.
This is also according to the example in the documentation:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html-single/networki...
To make pods accept connections from other pods in the same project, but reject all other connections from pods in other projects, add the following NetworkPolicy object:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
I tested my policy and it works as expected.
@fannullone are you talking about the Ch10s03 comp-review lab in DO280v4.12?
I can see this in step 12.2:
Also paste a screenshot of the same - I will try to reproduce the same and will then escalate to the appropriate team.
Step 11.3 says this: Configure network policies to allow only TCP ingress traffic on port 5432 to database pods from the beeper-api pods:
Do you mean to say both the network policies are wrong? Or is your solution satisfying the lab objective?
Also do note that the grading script is hard coded to match names, namespaces, labels, app names, service names, router names, port numbers etc. which are exclusively specified in the lab - make sure you give the exact same names of objects and values in the respective fields.
What I mean is that the spec below is sufficient to meet the requirement and that it is not necessary to include a logical AND with namespaceSelector as ^^, because the policy is applied to the namespace workshop-support and so the namespaceSelector is automatically verified:
spec:
  ingress:
  - from:
    - podSelector: {}
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
I've had the same observation. I think that he is talking about ch10s02:
There's no need to specify labelSelector of workshop: template-test to allow traffic from the same namespace, because I believe that just '- podSelector: {}' by itself specifies that.
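The two formulations discussed in this thread, compared in an added example that is not part of any post here and is not Red Hat's grading code: a simplified Python model of how ingress `from` peers are matched. It assumes matchLabels-only selectors, and the `workshop: do280` label value, the namespace names and the helper names are constructed for illustration.

```python
# Added example: simplified NetworkPolicy "from" peer matching (matchLabels only).
INGRESS = {"policy-group.network.openshift.io/ingress": ""}  # label from the thread
WORKSHOP = {"workshop": "do280"}  # constructed label value (assumption)

def selector_matches(selector, labels):
    """An empty selector ({}) matches every label set."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, policy_ns, src):
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None:
        # No namespaceSelector: the peer is scoped to the policy's own namespace.
        ns_ok = src["namespace"] == policy_ns
    else:
        ns_ok = selector_matches(ns_sel, src["ns_labels"])
    # Selectors inside ONE list element are ANDed; a missing podSelector = all pods.
    return ns_ok and selector_matches(peer.get("podSelector", {}), src["pod_labels"])

def ingress_allowed(policy, src):
    """True if any peer of any ingress rule admits src (list elements are ORed)."""
    policy_ns = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress", []):
        peers = rule.get("from")
        if not peers or any(peer_allows(p, policy_ns, src) for p in peers):
            return True
    return False

def make_policy(first_peer):
    # Constructed policy in namespace do280; the second peer is the ingress group.
    router_peer = {"namespaceSelector": {"matchLabels": INGRESS}}
    return {"metadata": {"namespace": "do280"},
            "spec": {"podSelector": {}, "ingress": [{"from": [first_peer, router_peer]}]}}

POSTED = make_policy({"podSelector": {}})                                  # as posted
LABELLED = make_policy({"namespaceSelector": {"matchLabels": WORKSHOP}})  # label-based

def source(namespace, ns_labels):
    return {"namespace": namespace, "ns_labels": ns_labels, "pod_labels": {}}

SOURCES = {  # constructed traffic sources
    "same-ns": source("do280", WORKSHOP),
    "other-ns": source("other", {}),
    "router": source("openshift-ingress", INGRESS),
    "relabelled": source("other2", WORKSHOP),  # another namespace with the same label
}

def decisions(policy):
    return {name: ingress_allowed(policy, s) for name, s in SOURCES.items()}
```

`decisions(POSTED)` and `decisions(LABELLED)` differ only for `relabelled`: a bare `podSelector: {}` peer is bound to the policy's own namespace, while a namespaceSelector peer admits every namespace that carries the label.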