Question 1/37
Create a new NetworkPolicy named deny-all in the namespace testing which denies all ingress and egress traffic.
Correct Answer:
You can create a "default" isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
You can create a "default" egress isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any egress traffic from those pods.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector: {}
  # Egress is listed in policyTypes but no egress rules are given,
  # so selected pods are isolated for egress and nothing is allowed out.
  policyTypes:
  - Egress
Default deny all ingress and all egress traffic
You can create a "default" policy for a namespace which prevents all ingress AND egress traffic by creating the following NetworkPolicy in that namespace.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed ingress or egress traffic.
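The following is an added example, not part of the original answer and not Kubernetes project code. It builds the manifest the question actually asks for (name deny-all, namespace testing) and models the small part of NetworkPolicy semantics the answer depends on: a pod becomes isolated for a direction as soon as a policy in its namespace selects it and lists that direction in policyTypes; with no ingress/egress rules present, nothing is allowed, while an empty rule ({}) allows everything; and policies are namespace-scoped and additive. The pod names, labels, the "prod" namespace and all helper functions are constructed for illustration; peer (from/to) selectors are deliberately reduced to "any peer".

```python
import json
from dataclasses import dataclass, field

# Constructed manifests: the deny-all policy the question asks for in namespace
# "testing", plus the docs' allow-all-egress policy placed in the same namespace
# to show that policies are additive (a later allow reopens egress only).
DENY_ALL = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-all", "namespace": "testing"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}
ALLOW_ALL_EGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-all-egress", "namespace": "testing"},
    "spec": {"podSelector": {}, "egress": [{}], "policyTypes": ["Egress"]},
}


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


def selector_matches(selector, labels):
    # matchLabels only; an empty selector ({}) selects every pod in the namespace.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def effective_policy_types(policy):
    # API defaulting: Ingress is always implied; Egress only if egress rules exist.
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def selecting_policies(pod, policies, direction):
    # Policies are namespace-scoped: only those in the pod's namespace apply.
    return [
        p for p in policies
        if p["metadata"].get("namespace", "default") == pod.namespace
        and selector_matches(p["spec"].get("podSelector", {}), pod.labels)
        and direction in effective_policy_types(p)
    ]


def is_isolated(pod, policies, direction):
    return bool(selecting_policies(pod, policies, direction))


def traffic_allowed(pod, policies, direction):
    """Simplified: any non-empty rule list in a selecting policy is treated as
    'allow any peer'; a real evaluator also matches the from/to selectors."""
    selecting = selecting_policies(pod, policies, direction)
    if not selecting:
        return True  # not isolated in this direction: everything allowed
    return any(p["spec"].get(direction.lower()) for p in selecting)


def summarize(pod, policies):
    return {d: ("allowed" if traffic_allowed(pod, policies, d) else "denied")
            for d in ("Ingress", "Egress")}


def manifest_json(policy):
    # kubectl apply -f accepts JSON, so this output can be applied as-is.
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    web = Pod("web", "testing", {"app": "web"})
    other = Pod("api", "prod")
    print("deny-all only:", summarize(web, [DENY_ALL]))
    print("deny-all + allow-all-egress:", summarize(web, [DENY_ALL, ALLOW_ALL_EGRESS]))
    print("pod in another namespace:", summarize(other, [DENY_ALL]))
    print(manifest_json(DENY_ALL))
```

Writing manifest_json(DENY_ALL) to a file and applying it with kubectl apply -f gives the policy the task requires; kubectl describe networkpolicy deny-all -n testing should then list both Ingress and Egress under Policy Types with no allowing rules, which is what "deny all" looks like in the API.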