Challenge, Medium,  on  KubernetesSecurityNetworking

Control Cross-Namespace Traffic Using NetworkPolicy

Scenario

A multi-tier application runs across two namespaces: application-tier and database-tier. Both namespaces are labeled so NetworkPolicies can select them by name.

Currently there are no restrictions. Any Pod can talk to any other Pod across namespaces. Your task is to lock this down.

Task

Create two NetworkPolicies:

1. deny-ingress-app in application-tier — applies to all Pods. Denies all ingress traffic. No Pod from any namespace can reach Pods inside application-tier.

2.allow-app-to-db in database-tier — applies to all Pods in database-tier. Allows ingress only from Pods in the application-tier namespace. All other namespaces are blocked. Use a namespaceSelector with label name=application-tier to match the source namespace.

# verify app-pod can reach db-pod
kubectl exec -n application-tier app-pod -- \
  wget -qO- http://db-pod.database-tier.svc.cluster.local:80

# verify db-pod cannot reach app-pod
kubectl exec -n database-tier db-pod -- \
  wget -qO- --timeout=3 http://app-pod.application-tier.svc.cluster.local:80
Hint

For deny-ingress-app: set policyTypes: [Ingress] with no ingress rules — this denies all ingress.

For allow-app-to-db: use ingress[].from[].namespaceSelector matching name=application-tier.

See: Network Policies

Test Cases

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge control-cross-namespace-traffic-using-networkPolicy-d85f764c

This will create a local copy of the challenge content in a directory named control-cross-namespace-traffic-using-networkPolicy-d85f764c. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge control-cross-namespace-traffic-using-networkPolicy-d85f764c

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge