Question 37
Domain 3: Services & Networking
Which NetworkPolicy behavior is required to allow only pods in namespace `internal` on port 9200 to access pods in `namespace-netpol`, while denying 9200 traffic from other namespaces?
Correct answer: A
Explanation
A NetworkPolicy controls ingress by selecting the destination pods and defining the allowed sources and ports. To allow only pods in namespace "internal" on port 9200, the policy must be created in "namespace-netpol" so that it selects those destination pods, and it must permit ingress only from that namespace on TCP 9200; for the selected pods, the same port is then blocked from every other namespace.
Why each option is right or wrong
A. Create a NetworkPolicy in `namespace-netpol` that selects the target pods and allows ingress only from pods in namespace `internal` on TCP port 9200.
Under the Kubernetes NetworkPolicy API, ingress rules are enforced on the pods selected by the policy’s `podSelector` in the policy’s own namespace, and traffic is allowed only when it matches both an `ingress.from` peer and a `ports` entry. To meet the stated condition, the policy must live in `namespace-netpol`, select the destination pods there, and include a peer restricted to namespace `internal` plus `port: 9200` with `protocol: TCP`. Once a pod is selected by the policy, any ingress that matches no listed peer is denied, so traffic on 9200 from every other namespace is dropped.
B. Create a ClusterRoleBinding to permit all pods on port 9200 across the cluster to reach `namespace-netpol`.
C. Create a Service of type ClusterIP on port 9200 and expose it only to the `internal` namespace.
D. Create an egress-only NetworkPolicy in `internal` that allows traffic to port 9200 in `namespace-netpol`.
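The manifest that option A describes, as an added example (not part of the original question or answer key). It assumes the destination pods carry a hypothetical label `app: search`, and it matches the source namespace via the `kubernetes.io/metadata.name` label that the API server sets on every namespace automatically since Kubernetes 1.22:

```yaml
# Added example: ingress policy for option A (labels below are assumptions).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internal-9200
  namespace: namespace-netpol      # must live in the destination namespace
spec:
  podSelector:
    matchLabels:
      app: search                  # destination pods (hypothetical label)
  policyTypes:
    - Ingress                      # only ingress is governed by this policy
  ingress:
    - from:
        # namespaceSelector and ports are in ONE rule element, so the
        # source namespace AND the port must both match for traffic to pass.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: internal
      ports:
        - protocol: TCP
          port: 9200
```

Because the policy now selects these pods, all other ingress to them (port 9200 from other namespaces, and every other port from anywhere) is denied unless a separate policy allows it; enforcement also depends on the cluster's CNI plugin implementing NetworkPolicy, so verify with a test pod from a namespace other than `internal` before relying on it.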