CKS · Question #12
CKS Question #12: Real Exam Question with Answer & Explanation
This question tests your ability to write and apply a Kubernetes NetworkPolicy that restricts ingress traffic to a target Pod using both namespace-level and pod-label-level selectors combined with OR logic.
Question
Only allow the following Pods to connect to Pod users-service:
- Pods in the namespace qa
- Pods with label environment: testing, in any namespace
Make sure to apply the NetworkPolicy. You can find a skeleton manifest file at /home/candidate/KSSH00301/network-policy.yaml
Explanation
Approach. The NetworkPolicy lives in the namespace of the users-service Pod, selects that Pod with spec.podSelector (the skeleton manifest supplies the label), and sets policyTypes: [Ingress] so that only inbound traffic is restricted. Its single ingress rule needs two entries under from; each - item is a separate peer, and peers are OR'd:
- Peer 1 uses a namespaceSelector matching kubernetes.io/metadata.name: qa (a label the API server sets on every namespace automatically since Kubernetes 1.21). It admits every Pod in qa.
- Peer 2 puts namespaceSelector: {} (an empty selector matches every namespace) and podSelector: {matchLabels: {environment: testing}} in the SAME list entry. Selectors inside one entry are AND'd, so it admits Pods labelled environment: testing from any namespace.
Finally, run kubectl apply -f /home/candidate/KSSH00301/network-policy.yaml to enforce the policy, and confirm the result with kubectl describe networkpolicy in that namespace.

Two common mistakes. Splitting peer 2's selectors into separate - items ORs them instead of ANDing them: the bare namespaceSelector: {} entry then admits every Pod from every namespace, so the policy allows everything. Omitting namespaceSelector: {} from peer 2 scopes the podSelector to the policy's own namespace, so environment: testing Pods in other namespaces remain blocked.
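To make the OR-across-entries versus AND-within-an-entry distinction concrete, here is an added example (not part of the exam material or of Kubernetes itself): a small Python model of NetworkPolicy ingress-peer matching, with the correct policy and both mistaken variants written as dicts that mirror the YAML manifest key-for-key, evaluated against a few constructed source Pods. The policy namespace default, the target label app: users-service, the namespace labels, and the sample Pods are all assumptions; only matchLabels is modelled (no matchExpressions or ipBlock).

```python
"""Model of NetworkPolicy ingress-peer matching (constructed example, not
Kubernetes code). Shows why rule 2's two selectors must share ONE `from`
entry (AND) while the two rules are separate entries (OR)."""

# Constructed cluster state. kubernetes.io/metadata.name is set on every
# namespace automatically by the API server (Kubernetes >= 1.21).
NAMESPACES = {
    "qa":      {"kubernetes.io/metadata.name": "qa"},
    "prod":    {"kubernetes.io/metadata.name": "prod"},
    "default": {"kubernetes.io/metadata.name": "default"},
}

POLICY_NS = "default"               # assumption: users-service runs here
TARGET = {"app": "users-service"}   # assumption: label used by the skeleton


def make_policy(froms):
    """Build a policy object that mirrors the YAML manifest key-for-key."""
    return {"spec": {"podSelector": {"matchLabels": TARGET},
                     "policyTypes": ["Ingress"],
                     "ingress": [{"from": froms}]}}


QA_NS = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "qa"}}}
ANY_NS = {"namespaceSelector": {}}
TESTING_PODS = {"podSelector": {"matchLabels": {"environment": "testing"}}}

CORRECT = make_policy([QA_NS, {**ANY_NS, **TESTING_PODS}])  # AND inside entry 2
SPLIT = make_policy([QA_NS, ANY_NS, TESTING_PODS])          # mistake 1: three OR'd peers
NO_NS = make_policy([QA_NS, TESTING_PODS])                  # mistake 2: entry 2 same-ns only


def selector_matches(selector, labels):
    """matchLabels semantics: every listed label must match; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src_ns, src_labels):
    """One `from` entry. namespaceSelector and podSelector in the same entry
    are ANDed; an entry with only a podSelector is scoped to policy_ns."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only peers are out of scope here
    if ns_sel is not None:
        if not selector_matches(ns_sel, NAMESPACES[src_ns]):
            return False
    elif src_ns != policy_ns:
        return False
    if pod_sel is not None and not selector_matches(pod_sel, src_labels):
        return False
    return True


def ingress_allowed(policy, policy_ns, src_ns, src_labels):
    """Entries within `from`, and ingress rules themselves, are ORed."""
    for rule in policy["spec"]["ingress"]:
        froms = rule.get("from")
        if not froms:
            return True  # a rule with no `from` admits every source
        if any(peer_matches(p, policy_ns, src_ns, src_labels) for p in froms):
            return True
    return False


# Constructed source Pods: (namespace, labels).
SOURCES = {
    "qa/unlabelled":      ("qa",      {"app": "runner"}),
    "prod/testing":       ("prod",    {"environment": "testing"}),
    "default/testing":    ("default", {"environment": "testing"}),
    "prod/unlabelled":    ("prod",    {"app": "web"}),
    "default/unlabelled": ("default", {"app": "web"}),
}


def evaluate(policy):
    """Map each constructed source Pod to whether the policy admits it."""
    return {name: ingress_allowed(policy, POLICY_NS, ns, labels)
            for name, (ns, labels) in SOURCES.items()}


if __name__ == "__main__":
    for name, policy in (("correct", CORRECT), ("split", SPLIT), ("no_ns", NO_NS)):
        print(name, evaluate(policy))
```

Running it shows CORRECT admitting only the qa Pod and the two environment: testing Pods, SPLIT admitting every source (the lone namespaceSelector: {} peer matches all namespaces), and NO_NS admitting the testing Pod only when it sits in the policy's own namespace. The dict layout is the same shape as the manifest, so the same structure transcribes directly into the skeleton YAML.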
Concept tested. Kubernetes NetworkPolicy ingress rules - namespaceSelector vs podSelector, AND-vs-OR selector composition within from blocks, and cross-namespace traffic control