CKS Exam Series #11 NetworkPolicies Default Deny and Allowlist
Kubernetes CKS Example Exam Question Series

#####################################
THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:
https://killercoda.com/killer-shell-cks
######################################
Content
- Create Cluster & Security Best Practices
- Pods, Secrets and ServiceAccounts
- Immutable Pods
- Crash that Apiserver & check logs
- ImagePolicyWebhook / AdmissionController
- Users and CertificateSigningRequests
- ServiceAccount Token Mounting
- Role Based Access Control (RBAC)
- Role Based Access Control (RBAC) v2
- Container Hardening
- NetworkPolicies (Default Deny + Allowlist)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
→ Check out the FULL CKS COURSE on Udemy ←
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rules!
- Be fast, avoid creating yaml manually from scratch
- Use only kubernetes.io/docs for help.
- Check our solution after you did yours. You probably have a better one!
Today's Task: Create a default deny NetworkPolicy and then allowlist more traffic
Test every one of your policies.
- Create Namespace applications
- By default, all Pods in Namespace applications should NOT be able to have any outgoing traffic
- By default, all Pods in Namespace applications should still be able to use the Kubernetes DNS
- Pods in Namespace applications with label very=important should be able to have any outgoing traffic
- Incoming traffic won't be enforced by the NetworkPolicies
- Check out https://editor.cilium.io
Solution
1. Namespace
alias k=kubectl
k create ns applications
To test we create a Pod:
k -n applications run test --image=nginx
k -n applications exec test -- curl killer.sh # YES
k -n applications exec test -- sh -c "apt-get update && apt-get -y install dnsutils" # to use nslookup
2. Egress Default Deny
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: applications
spec:
  podSelector: {}
  policyTypes:
  - Egress
And to test:
k -n applications exec test -- nslookup killer.sh # NO
ping killer.sh # get IP
k -n applications exec test -- curl killer.sh # NO
k -n applications exec test -- curl 35.227.196.29 # NO
3. Allow DNS
We can adjust the existing NP or create another one. Here we create a new one.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: applications
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:   # no "to" entries, so any destination is allowed on the ports below
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
And to test:
k -n applications exec test -- nslookup killer.sh # YES
k -n applications exec test -- nslookup kubernetes.default # YES
k -n applications exec test -- curl killer.sh # NO
k -n applications exec test -- curl 35.227.196.29 # NO
4. Allow all egress for some Pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress
  namespace: applications
spec:
  podSelector:
    matchLabels:
      very: important
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
And to test:
k -n applications exec test -- curl killer.sh # NO
k -n applications label pod test very=important
k -n applications exec test -- curl killer.sh # YES
5. Ignore ingress traffic
Nothing to do because we didn’t specify any NPs for ingress traffic.
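The three policies above only make sense together once you see how Kubernetes combines them: policies are additive, a Pod selected by any policy with Egress in policyTypes becomes isolated for egress, and a connection then passes only if some egress rule in some selecting policy allows it. The following added example (not part of the original post) reimplements exactly that subset of the semantics offline, with the post's policies transcribed as dicts; the cluster DNS IP 10.96.0.10 is a constructed value.

```python
import ipaddress

# The post's three policies, transcribed as dicts (constructed to mirror the YAML above).
POLICIES = [
    {"name": "default-deny-egress", "podSelector": {}, "policyTypes": ["Egress"]},
    {"name": "allow-dns", "podSelector": {}, "policyTypes": ["Egress"],
     "egress": [{"ports": [{"port": 53, "protocol": "UDP"},
                           {"port": 53, "protocol": "TCP"}]}]},
    {"name": "allow-egress", "podSelector": {"matchLabels": {"very": "important"}},
     "policyTypes": ["Egress"],
     "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]},
]

def selects(policy, pod_labels):
    """podSelector {} selects every Pod in the namespace; otherwise all matchLabels must match."""
    wanted = policy["podSelector"].get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())

def rule_allows(rule, dst_ip, port, protocol):
    """One egress rule: empty/absent 'to' means any destination, empty 'ports' means any port."""
    peers = rule.get("to") or []
    ports = rule.get("ports") or []
    dst_ok = not peers or any(
        ipaddress.ip_address(dst_ip) in ipaddress.ip_network(peer["ipBlock"]["cidr"])
        for peer in peers if "ipBlock" in peer)  # only ipBlock peers are modelled here
    port_ok = not ports or any(
        p["port"] == port and p.get("protocol", "TCP") == protocol for p in ports)
    return dst_ok and port_ok

def egress_allowed(policies, pod_labels, dst_ip, port, protocol="TCP"):
    """True if a Pod with these labels may open dst_ip:port under the given policies.
    A Pod selected by at least one policy listing Egress is isolated for egress; a
    connection is then allowed only if some rule in some selecting policy permits it.
    """
    selecting = [p for p in policies
                 if selects(p, pod_labels) and "Egress" in p.get("policyTypes", [])]
    if not selecting:
        return True  # not isolated: everything is allowed
    return any(rule_allows(r, dst_ip, port, protocol)
               for p in selecting for r in p.get("egress", []))

if __name__ == "__main__":
    ext = "35.227.196.29"   # the IP the post resolved for killer.sh
    dns = "10.96.0.10"      # constructed cluster DNS ClusterIP, an assumption
    for labels in ({}, {"very": "important"}):
        print(labels, "curl:", egress_allowed(POLICIES, labels, ext, 80),
              "dns:", egress_allowed(POLICIES, labels, dns, 53, "UDP"))
```

Running it reproduces the YES/NO results of the test commands: the unlabelled test Pod can only reach port 53, and adding very=important opens everything.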
6. NetworkPolicy editor
This one is awesome for learning and understanding, just remember that you can’t use it in the exam.
You have a different solution?
Let us know by writing a comment below!
— — — The END — — —
So much for this session. See you at the next one and happy learning!
Ready to join Killer Shell?
FULL CKS COURSE

…or the CKS SIMULATOR
