CKS Question #15: Real Exam Question with Answer & Explanation

This question tests your ability to create a Kubernetes NetworkPolicy that acts as a default deny-all firewall for all pods in a given namespace, blocking both inbound and outbound traffic.

Submitted by devops_kid · May 4, 2026 · Cluster Hardening

Question

Create a new NetworkPolicy named deny-all in the namespace testing which denies all ingress and egress traffic.

Explanation

Approach. Write the manifest below and apply it with kubectl apply -f or kubectl create -f. Set apiVersion: networking.k8s.io/v1, kind: NetworkPolicy, metadata.name: deny-all, and metadata.namespace: testing. In the spec, use an empty podSelector: {} to select all pods in the namespace, and set policyTypes: [Ingress, Egress]. Crucially, omit both the ingress and egress rule arrays entirely: when a policy type is listed but has no corresponding rules, Kubernetes allows no traffic in that direction for the selected pods, which is the deny-all behaviour. The resulting YAML is:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: testing
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Concept tested. Kubernetes NetworkPolicy - default deny-all pattern using an empty podSelector and policyTypes without ingress/egress rules to block all traffic for all pods in a namespace.

Reference. https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-and-all-egress-traffic
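
The effect of omitting the rule arrays, shown as an added example that is not part of the original answer: a small Python check that reports which directions a single NetworkPolicy denies for every pod in its namespace. The function names and sample manifests are constructed for illustration, and the check evaluates one policy in isolation (NetworkPolicies are additive, so another policy in the namespace can still allow traffic).

```python
"""Report which traffic directions one NetworkPolicy denies for all pods."""

def effective_policy_types(spec):
    # When policyTypes is omitted, Ingress is always implied and Egress is
    # implied only if the policy carries egress rules.
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if spec.get("egress") else {"Ingress"}

def selects_all_pods(spec):
    # podSelector: {} (no matchLabels, no matchExpressions) matches every pod.
    # This checker treats a missing podSelector as "not a namespace-wide policy".
    sel = spec.get("podSelector")
    return sel is not None and not sel.get("matchLabels") \
        and not sel.get("matchExpressions")

def denied_directions(policy):
    """Directions in which this policy isolates every pod and allows nothing."""
    spec = policy.get("spec") or {}
    if not selects_all_pods(spec):
        return set()
    # An omitted rule array, null and [] all mean "no allow rules"; a list
    # containing the empty rule {} means "allow everything".
    return {d for d in effective_policy_types(spec) if not spec.get(d.lower())}

def manifest(spec):
    # Constructed sample wrapper using the name and namespace from the question.
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "deny-all", "namespace": "testing"},
            "spec": spec}

BOTH = ["Ingress", "Egress"]
SAMPLES = {  # constructed variants of the manifest above
    "as written on this page": manifest({"podSelector": {}, "policyTypes": BOTH}),
    "policyTypes omitted": manifest({"podSelector": {}}),
    "ingress: [{}] added": manifest(
        {"podSelector": {}, "policyTypes": BOTH, "ingress": [{}]}),
    "explicit empty arrays": manifest(
        {"podSelector": {}, "policyTypes": BOTH, "ingress": [], "egress": []}),
    "label selector": manifest(
        {"podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": BOTH}),
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        result = sorted(denied_directions(policy)) or "nothing namespace-wide"
        print(f"{name:26} denies: {result}")
```

On a real cluster the policy is only enforced when the network plugin implements NetworkPolicy.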

Topics

#Kubernetes #NetworkPolicy #Network Security #Ingress/Egress
