Question 27
Domain 3: Services & Networking
Which set of NetworkPolicies correctly isolates the `shop` namespace so that frontend pods accept only port 80 traffic, backend pods accept only port 3000 traffic from frontend pods, and database pods accept only port 5432 traffic from backend pods?
Correct answer: A
Explanation
NetworkPolicies isolate traffic by matching pods with `podSelector` and restricting ingress with `ingress.from` and `ports`. This set matches the requirement: frontend pods allow only TCP/80 from any source, backend pods allow only TCP/3000 from pods labeled `tier=frontend`, and database pods allow only TCP/5432 from pods labeled `tier=backend`.
Why each option is right or wrong
A. Create three ingress NetworkPolicies in `shop`: one selecting `tier=frontend` with allowed ingress on TCP/80 from any source, one selecting `tier=backend` with allowed ingress on TCP/3000 only from pods labeled `tier=frontend`, and one selecting `tier=database` with allowed ingress on TCP/5432 only from pods labeled `tier=backend`.
Under the Kubernetes NetworkPolicy API (`networking.k8s.io/v1`), ingress isolation applies to the pods matched by `spec.podSelector`; allowed sources are listed in `ingress.from` and allowed destination ports in `ingress.ports` (a TCP port number matches exactly). In the `shop` namespace, the frontend policy must select `tier=frontend` and allow only TCP/80 from any source, the backend policy must select `tier=backend` and allow only TCP/3000 from pods labeled `tier=frontend`, and the database policy must select `tier=database` and allow only TCP/5432 from pods labeled `tier=backend`. Only this three-policy combination satisfies all three isolation rules at once.
B. Create a single default-deny NetworkPolicy in `shop` and add egress rules on frontend, backend, and database pods to allow the required ports.
Wrong: the requirement restricts what each tier accepts, which is ingress. A default-deny policy combined only with egress rules on the senders never opens the receivers' ports, so frontend, backend, and database pods would not receive the required traffic.
C. Create three ingress NetworkPolicies in `shop`: frontend allows TCP/80 from pods labeled `tier=backend`, backend allows TCP/3000 from any pod, and database allows TCP/5432 from any pod.
Wrong: the frontend source is inverted (TCP/80 only from backend pods instead of from any source), and backend TCP/3000 and database TCP/5432 are left open to any pod instead of being limited to frontend pods and backend pods respectively.
D. Create three ingress NetworkPolicies in `shop`: frontend allows all traffic, backend allows only TCP/3000 from frontend pods and database pods, and database allows only TCP/5432 from frontend pods.
Wrong: frontend is left fully open rather than limited to TCP/80, backend additionally admits database pods on TCP/3000, and database admits frontend pods on TCP/5432 instead of backend pods.
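The three ingress policies that option A describes, written out as manifests. This is an added example, not part of the original question set; the policy names (`frontend-ingress`, `backend-ingress`, `database-ingress`) are chosen here and are not given in the question.

```yaml
# Added example: the three ingress NetworkPolicies for the `shop` namespace
# described in option A. Policy names are illustrative choices.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: frontend
  policyTypes:
    - Ingress
  ingress:
    # No `from` clause: this rule matches any source, so frontend pods accept
    # TCP/80 from anywhere but nothing else.
    - ports:
        - protocol: TCP
          port: 80
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: backend
  policyTypes:
    - Ingress
  ingress:
    # A bare podSelector in `from` matches pods in the policy's own namespace,
    # so only `tier=frontend` pods in `shop` may reach TCP/3000.
    - from:
        - podSelector:
            matchLabels:
              tier: frontend
      ports:
        - protocol: TCP
          port: 3000
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: database
  policyTypes:
    - Ingress
  ingress:
    # Only `tier=backend` pods in `shop` may reach TCP/5432.
    - from:
        - podSelector:
            matchLabels:
              tier: backend
      ports:
        - protocol: TCP
          port: 5432
```

Two points to check after applying these: `kubectl describe networkpolicy -n shop` shows the selected pods and rules as the cluster interpreted them, and enforcement depends on the cluster's network plugin supporting NetworkPolicy. Note also that only pods matched by a `podSelector` become isolated; pods in `shop` without a `tier` label remain reachable on every port unless a separate default-deny policy with an empty `podSelector` is added.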