Question 30
Cloud Native ArchitectureIn Kubernetes, how is a NetworkPolicy enforced?
Correct answer: B
Explanation
Kubernetes NetworkPolicy is not enforced by the core control plane; it depends on the container network interface implementation. If the CNI plugin supports NetworkPolicy, it applies the rules; otherwise the policy is "silently ignored" because Kubernetes has no built-in enforcement without CNI support.
Why each option is right or wrong
A. It is enforced automatically by the API server for all pods, regardless of the networking plugin in use.
B. It is enforced by the CNI plugin, and it is silently ignored if the CNI does not support NetworkPolicy.
Kubernetes NetworkPolicy objects are only API resources; the Kubernetes control plane does not implement packet filtering itself. Enforcement is delegated to the CNI plugin, and the official NetworkPolicy specification notes that a policy has effect only when the networking implementation supports it—otherwise the object is accepted but not enforced, with no error or fallback behavior.
C. It only applies to ingress traffic and has no effect on egress traffic.
D. It replaces RBAC by controlling which users can access Kubernetes resources.