Linux Foundation CKS Exam - Topic 1 Question 13 Discussion

Actual exam question for Linux Foundation's CKS exam

Question #: 13
Topic #: 1

[All CKS Questions]

Create a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress traffic

AExplanation:
You can create a 'default' isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
spec:
podSelector: {}
policyTypes:
- Ingress
You can create a 'default' egress isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any egress traffic from those pods.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-all-egress
spec:
podSelector: {}
egress:
- {}
policyTypes:
- Egress
Default deny all ingress and all egress traffic
You can create a 'default' policy for a namespace which prevents all ingress AND egress traffic by creating the following NetworkPolicy in that namespace.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed ingress or egress traffic.

Show Suggested Answer

Suggested Answer: A

by Glendora at May 05, 2022, 03:33 PM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Theola

5 months ago

This is a solid approach for security, no doubt!

upvoted 0 times

...

Svetlana

5 months ago

Sounds good, but what if we need some pods to talk later?

upvoted 0 times

...

Felicia

5 months ago

Wait, does that mean no pods can communicate at all?

upvoted 0 times

...

Vilma

5 months ago

Totally agree, that's the way to lock it down!

upvoted 0 times

...

Georgeanna

5 months ago

Just create a NetworkPolicy with empty podSelector to deny all traffic.

upvoted 0 times

...

Cassi

5 months ago

I'm a bit confused about the naming convention. Should we call it "deny-all" or something else? I feel like I saw different names in the examples.

upvoted 0 times

...

Andree

5 months ago

I believe we just need to set the podSelector to an empty object and specify both Ingress and Egress in policyTypes, right?

upvoted 0 times

...

Carlee

5 months ago

I remember practicing a similar question where we had to allow specific traffic, but this one feels different since we're denying everything.

upvoted 0 times

...

Lamar

6 months ago

I think we need to create a NetworkPolicy that denies both ingress and egress, but I'm not entirely sure about the syntax.

upvoted 0 times

...

Lindsay

6 months ago

Okay, I've got a good handle on Logstash's functionality. I think I can identify the three tasks it can fulfill without other Elastic Stack components.

upvoted 0 times

...

Micah

6 months ago

The high court's stamp duty valuation of 4.90 lakh seems important. I'll use that figure in my calculations, not the initial 5.75 lakh.

upvoted 0 times

...

Norah

6 months ago

Okay, the key here is the "boot identity not valid" error. That tells me I need to update the credentials in the boot identity file. Option B looks like the way to go.

upvoted 0 times

...