Lab Exercise A.3: Practicing Skills. Exercises 27, 28, and 29

alvarobrac

I have questions about exercises 27, 28, and 29. I’m not clear on what the instructions are asking, so I’m outlining my doubts.

Exercise 27 says to create a NetworkPolicy that blocks all traffic (I understand both ingress and egress) only for the pods of the deployment from exercise 25—let’s assume it’s called “sample”—and then verify that it can’t be accessed.

But exercise 28 asks us to create an nginx pod in the Running state (not a deployment) and says we must make sure traffic can reach the deployment (“sample?”) from this pod. How are we supposed to reach it if it’s blocked by the policy in exercise 27?

It’s true that exercise 29 explicitly asks us to update the NetworkPolicy so that access to port 80 is allowed and then verify it.

So, does exercise 28 expect us to reach the sample deployment, or only to reach the nginx pod—thus confirming that we’ve blocked traffic only for the pods in the sample deployment and not for the rest?

Thank you in advance.
Best regards.

chrispokorni

Hi @alvarobrac,

This is an attempt to simplify the approach to resolving these practice scenarios:

Step 25 - create a deployment that launches an nginx application - let's name it sample25.

Step 26 - expose the sample25 deployment through a LoadBalancer service type, and test for a successful connection.

Step 27 - the NetworkPolicy should block traffic only to pods of the sample25 deployment. Keyword is "to" - this helps you determine whether to block "egress" or "ingress" traffic. Also, keep in mind that a generic policy would block access to all applications, while a targeted policy would only restrict access to a specific (targeted) application.

Step 28 - Because of the slight ambiguity of the task, a naked pod or a deployment should be acceptable launching methods for the second nginx application - let's name it sample28. If the NetworkPolicy in step 27 was set correctly (and only blocks traffic to sample25), it should not impact traffic to sample28, therefore the access attempt to sample28 should succeed.

Step 29 - This step dives deeper into the granularity of the NetworkPolicy controls. How do you modify the policy to only allow traffic "to" port 80?

Hope this is of some help

Regards,
-Chris

alvarobrac

Thank you very much, everything is now clear!