Kubernetes CKA sample exam question 71 with answer

Question
There was a security incident where an intruder was able to access the whole cluster from a single hacked backend Pod.
To prevent this, create a NetworkPolicy called np-backend in Namespace project-snake. It should allow the backend-* Pods only to:

Use the app label of Pods in your policy.

Answer
Get the pods in namespace project-snake with labels:
kubectl -n project-snake get po --show-labels
The labels will be needed in the next step.
Construct the NetworkPolicy object:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-backend
  namespace: project-snake
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: db1
    ports:
    - port: 1111
  - to:
    - podSelector:
        matchLabels:
          app: db2
    ports:
    - port: 2222
Apply the NetworkPolicy and verify:
kubectl apply -f netpol.yaml
kubectl -n project-snake describe netpol np-backend
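
Why the answer uses two separate egress rules, shown as an added example that is not part of the original answer: a small Python model of NetworkPolicy egress evaluation, run against np-backend and against a constructed variant that merges both peers and both ports into one rule. The model covers only matchLabels selectors and numeric ports; the `vault` destination, port 3333 and the merged policy are assumptions made for illustration.

```python
# Added example: minimal model of how Kubernetes evaluates NetworkPolicy egress rules.
# Only matchLabels podSelectors and numeric ports are modelled (no namespaceSelector,
# ipBlock or protocol handling); the "vault" pod and the merged policy are constructed.

def selects(selector, labels):
    """matchLabels semantics: every key/value in the selector must be on the pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def egress_allowed(spec, src_labels, dst_labels, port):
    """True if the policy lets a pod with src_labels reach dst_labels on port."""
    if not selects(spec["podSelector"], src_labels):
        return True   # policy does not select the source pod, so it does not restrict it
    for rule in spec.get("egress", []):
        # Within one rule: (any 'to' peer matches) AND (any port matches).
        peer_ok = any(selects(p["podSelector"], dst_labels) for p in rule["to"])
        port_ok = any(p["port"] == port for p in rule["ports"])
        if peer_ok and port_ok:
            return True   # rules are OR'ed: one matching rule is enough
    return False          # selected for Egress and no rule matched: denied

def peer(app):
    return {"podSelector": {"matchLabels": {"app": app}}}

BACKEND = {"matchLabels": {"app": "backend"}}

# np-backend as written on this page: two separate rules.
NP_BACKEND = {"podSelector": BACKEND, "egress": [
    {"to": [peer("db1")], "ports": [{"port": 1111}]},
    {"to": [peer("db2")], "ports": [{"port": 2222}]},
]}

# Constructed mistake: both peers and both ports merged into one rule.
NP_MERGED = {"podSelector": BACKEND, "egress": [
    {"to": [peer("db1"), peer("db2")], "ports": [{"port": 1111}, {"port": 2222}]},
]}

def matrix(spec):
    """Decision for backend -> each (destination app, port) pair."""
    src = {"app": "backend"}
    return {(app, port): egress_allowed(spec, src, {"app": app}, port)
            for app in ("db1", "db2", "vault") for port in (1111, 2222, 3333)}

if __name__ == "__main__":
    for name, spec in (("np-backend", NP_BACKEND), ("merged", NP_MERGED)):
        print(name, sorted(k for k, v in matrix(spec).items() if v))
```

`kubectl describe` only confirms the stored spec; the rules are enforced only when the cluster's CNI plugin implements NetworkPolicy.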