Linux Foundation CKS Exam - Topic 6 Question 66 Discussion

Actual exam question for Linux Foundation's CKS exam

Question #: 66
Topic #: 6

[All CKS Questions]

You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context dev A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.

Task: Create a new default-deny NetworkPolicy nameddeny-networkin the namespacetestfor all traffic of type Ingress + Egress

The new NetworkPolicy must deny all Ingress + Egress traffic in the namespacetest.

Apply the newly createddefault-denyNetworkPolicy to all Pods running in namespacetest.

You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml

AExplanation:
master1 $k get pods -n test --show-labels
NAME READY STATUS RESTARTS AGE LABELS
test-pod 1/1 Running 0 34s role=test,run=test-pod
testing 1/1 Running 0 17d run=testing
$vim netpol.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-network
namespace: test
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
master1 $k apply -f netpol.yaml
Explanation
controlplane $ k get pods -n test --show-labels
NAME READY STATUS RESTARTS AGE LABELS
test-pod 1/1 Running 0 34s role=test,run=test-pod
testing 1/1 Running 0 17d run=testing
master1 $ vim netpol1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-network
namespace: test
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
master1 $ k apply -f netpol1.yaml

Reference:
https://kubernetes.io/docs/concepts/services-networking/network-policies/
Explanation
controlplane $ k get pods -n test --show-labels
NAME READY STATUS RESTARTS AGE LABELS
test-pod 1/1 Running 0 34s role=test,run=test-pod
testing 1/1 Running 0 17d run=testing
master1 $ vim netpol1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-network
namespace: test
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
master1 $ k apply -f netpol1.yaml

Reference:
https://kubernetes.io/docs/concepts/services-networking/network-policies/

Show Suggested Answer

Suggested Answer: A

by Jesusita at Sep 17, 2024, 02:06 AM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Gregg

3 months ago

I thought you could still allow some traffic with exceptions?

upvoted 0 times

...

Bernardo

3 months ago

Yup, that's how you keep things secure in Kubernetes!

upvoted 0 times

...

Darell

3 months ago

Wait, does this really block all traffic? Seems a bit extreme.

upvoted 0 times

...

Gennie

4 months ago

Totally agree, default-deny is a must for security!

upvoted 0 times

...

Mel

4 months ago

Just a reminder, the command to switch context is `kubectl config use-context dev`.

upvoted 0 times

...

Kayleigh

4 months ago

I feel like I’ve seen the command to apply the policy before, but I hope I remember the right file name when I apply it.

upvoted 0 times

...

Alpha

4 months ago

I’m a bit confused about the difference between Ingress and Egress in the policy. Do I really need to list both types in the spec?

upvoted 0 times

...

Gerardo

5 months ago

I think we did a similar question where we had to deny traffic in a namespace. I just need to make sure I apply it correctly after editing the YAML file.

upvoted 0 times

...

Carylon

5 months ago

I remember we practiced creating a default-deny NetworkPolicy, but I’m not sure if I need to specify any pod selectors or just leave it empty.

upvoted 0 times

...

Brett

5 months ago

I'm feeling confident about this one. I'll create the NetworkPolicy, set the correct namespace, and apply it to the test environment. Should be a straightforward task.

upvoted 0 times

...

Lorita

5 months ago

This seems like a pretty standard NetworkPolicy task. I'll follow the steps outlined in the question and use the provided skeleton file to get it done.

upvoted 0 times

...

Leonida

5 months ago

Okay, I think I've got a good understanding of what I need to do. I'll create the NetworkPolicy, making sure to deny both Ingress and Egress traffic, and apply it to the test namespace.

upvoted 0 times

...

Rebeca

5 months ago

Hmm, I'm a bit unsure about the exact syntax for the NetworkPolicy. Let me double-check the documentation to make sure I get the details right.

upvoted 0 times

...

Kayleigh

5 months ago

This looks straightforward. I'll create the NetworkPolicy manifest file based on the provided skeleton and apply it to the test namespace.

upvoted 0 times

...

Svetlana

5 months ago

I think the concept we need here is related to access control, but did we ever cover "Deny URL"? That sounds familiar too.

upvoted 0 times

...

Albert

1 year ago

Hold on, let me double-check the NetworkPolicy syntax. Ah, got it! This is a classic Kubernetes networking question. Time to put my skills to the test.

upvoted 0 times

Lajuana

1 year ago

User2

upvoted 0 times

...

Brandee

1 year ago

User1

upvoted 0 times

...

Matthew

1 year ago

Yes, following the steps in the reference link can guide us through the process.

upvoted 0 times

...

Kenneth

1 year ago

I agree, but the explanation provided with the manifest file is helpful.

upvoted 0 times

...

German

1 year ago

Haha, this is like a walk in the park. The trick is to remember that a default-deny NetworkPolicy is the way to go when there's no other policy defined. Just follow the steps and you're golden.

upvoted 0 times