Challenge, Medium, on Kubernetes Networking

Enforce a NetworkPolicy to Block All Traffic Except DNS

Scenario

A Pod named isolated exists in namespace netpol-demo2 with label app=isolated. Your organization requires this Pod to be fully isolated from the cluster network.

Task

Create a NetworkPolicy named isolate-pod that applies to the isolated Pod with the following rules:

  • Deny all incoming traffic to the Pod
  • Block all outgoing traffic from the Pod, except DNS queries on port 53 using both UDP and TCP
  • Verify from the isolated Pod that DNS resolution for the Service nginx-svc.default works using nslookup

  kubectl exec isolated -n netpol-demo2 -- \
    nslookup nginx-svc.default.svc.cluster.local
  # ==> Returns the ClusterIP of nginx-svc from the default namespace.

  kubectl exec isolated -n netpol-demo2 -- \
    wget -qO- --timeout=5 http://nginx-svc.default.svc.cluster.local
  # ==> Attempt to connect to nginx-svc: connection refused

Hint 1

DNS queries use port 53. Without allowing DNS egress, the Pod cannot resolve any Service names — even nslookup will fail. Both UDP and TCP must be allowed on port 53 because DNS uses UDP by default but falls back to TCP for large responses.

Use podSelector with matchLabels: app: isolated to target the Pod. Name the NetworkPolicy isolate-pod. Set policyTypes to both Ingress and Egress. Leave the ingress field empty (no rules) to deny all incoming traffic. Under egress, list port 53 twice, once with protocol: UDP and once with protocol: TCP; each entry must carry both port and protocol, because an entry without a protocol defaults to TCP only:

egress:
- ports:
  - port: 53
    protocol: UDP
  - port: 53
    protocol: TCP
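The complete manifest the hint builds toward, written out here as an added example rather than the challenge's own solution file. The first policy is exactly what the task asks for: it selects app=isolated in netpol-demo2, declares both policy types, has no ingress rules (so all inbound traffic is denied) and allows egress only on port 53 over UDP and TCP. The second policy goes beyond the task: it keeps the same isolation but limits DNS egress to the cluster DNS Pods, so the isolated Pod cannot reach arbitrary endpoints that happen to listen on port 53. That variant assumes the DNS Pods run in kube-system and carry the label k8s-app=kube-dns, which holds for kubeadm-style CoreDNS deployments but should be checked on your cluster before use.

```yaml
# Added example: a complete isolate-pod NetworkPolicy for this challenge.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-pod
  namespace: netpol-demo2
spec:
  # Select only the Pod labelled app=isolated in this namespace.
  podSelector:
    matchLabels:
      app: isolated
  # Declaring both types matters: with Ingress listed and no ingress
  # rules, all inbound traffic is denied; with Egress listed, only the
  # egress rules below are permitted and every other outbound flow is dropped.
  policyTypes:
  - Ingress
  - Egress
  # No ingress rules: deny all incoming traffic.
  egress:
  # A single rule with no "to:" block allows port 53 to ANY destination.
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
---
# Added variant (not required by the task): same isolation, but DNS
# egress is limited to the cluster DNS Pods. Assumed labels: the DNS
# Pods live in kube-system (selected via the kubernetes.io/metadata.name
# namespace label) and carry k8s-app=kube-dns; verify both on your cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-pod-dns-only
  namespace: netpol-demo2
spec:
  podSelector:
    matchLabels:
      app: isolated
  policyTypes:
  - Ingress
  - Egress
  egress:
  # namespaceSelector and podSelector in the SAME "to" element are ANDed:
  # only Pods matching k8s-app=kube-dns inside kube-system are allowed.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
```

Apply one policy or the other, not both: NetworkPolicies that select the same Pod are additive (the allowed traffic is the union of their rules), so if the broad isolate-pod policy is also present the restriction to the DNS Pods in the second one has no effect. Enforcement is done by the CNI plugin, not the API server; on a cluster whose network plugin does not implement NetworkPolicy the object is accepted but the wget check in the task will still succeed, so the verification step is the real test that the policy is doing anything.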

See the official docs: Network Policies

Test Cases