Question 7
Domain 3: Services & Networking
Which Kubernetes resource and rule combination is used to restrict cross-namespace pod traffic by labels and ports while still allowing DNS egress?
Correct answer: A
Explanation
Kubernetes NetworkPolicy is the resource used to control pod traffic by label selectors, including `podSelector` and `namespaceSelector` for cross-namespace ingress and egress filtering. To preserve name resolution, the policy must also include an egress rule allowing DNS traffic, typically UDP port 53 to kube-dns.
Why each option is right or wrong
A. NetworkPolicy with namespaceSelector/podSelector-based ingress and egress rules plus an egress rule allowing UDP 53 to kube-dns
Kubernetes enforces pod-level traffic isolation with a NetworkPolicy, and the selectors that make cross-namespace filtering possible are `namespaceSelector` and `podSelector` in the ingress/egress peer fields under the `networking.k8s.io/v1` API. Because a policy with `policyTypes: [Ingress, Egress]` defaults to denying all other matching traffic, the DNS exception must be stated explicitly as an egress rule permitting UDP port 53 to the kube-dns service/pods; otherwise name resolution is blocked even if the label-based pod restrictions are correct.
B. RoleBinding with ServiceAccount selectors and NodePort rules to limit pod-to-pod traffic
C. PodSecurityPolicy with affinity rules and ClusterIP services to enforce namespace isolation
D. IngressClass with path-based routing and ConfigMap-mounted DNS settings
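The following manifest is an added illustration of option A, not part of the original question. It assumes hypothetical `backend` and `frontend` namespaces and hypothetical `app: api` / `app: web` pod labels; the `kubernetes.io/metadata.name` namespace label is set automatically by Kubernetes, and `k8s-app: kube-dns` is the label carried by CoreDNS pods in kubeadm-style clusters (check yours with `kubectl get pods -n kube-system --show-labels`). Two points a practitioner should verify: placing `namespaceSelector` and `podSelector` in the same `from`/`to` element ANDs them (two separate elements would OR them and widen the rule), and NetworkPolicy is only enforced when the cluster's CNI plugin supports it, so a policy that applies cleanly on an unsupported CNI silently permits everything.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend-and-dns
  namespace: backend            # hypothetical namespace holding the protected pods
spec:
  # Pods this policy applies to (hypothetical label).
  podSelector:
    matchLabels:
      app: api
  # Listing both types makes the policy deny all other ingress AND egress
  # for the selected pods, so every allowed flow (including DNS) must be explicit.
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    # One list element containing both selectors: the peer must match BOTH
    # (pods labelled app=web inside the frontend namespace).
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: frontend   # hypothetical source namespace
      podSelector:
        matchLabels:
          app: web                                # hypothetical source pod label
    ports:
    - protocol: TCP
      port: 8080                                  # hypothetical service port
  egress:
  # DNS exception: without this rule, name resolution from app=api pods is blocked
  # even though the label-based restrictions above are correct.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns                       # CoreDNS/kube-dns pod label; verify in your cluster
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53                                    # DNS falls back to TCP for large responses
```

Apply with `kubectl apply -f` and confirm the rendered rules with `kubectl describe networkpolicy api-allow-frontend-and-dns -n backend`; a quick functional check is running `nslookup kubernetes.default` from an `app: api` pod, which should succeed, while a connection from any pod outside the `frontend` namespace to port 8080 should time out.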