Question 20
Domain 1: Application Design and Build
In namespace `q07`, how should you fix the Pod labels so the existing NetworkPolicies allow `frontend` → `backend` → `database` communication without modifying the policies?
Correct answer: A
Explanation
NetworkPolicies select Pods by label, so the Pods must match the labels the existing policies expect. Setting `role=frontend`, `role=backend`, and `role=db` aligns each Pod with the intended traffic path, allowing `frontend` → `backend` → `database` communication without changing the policies.
Why each option is right or wrong
A. Label the Pods as `frontend: role=frontend`, `backend: role=backend`, and `database: role=db`
Under Kubernetes NetworkPolicy, pod selection is driven by the policy’s `podSelector` labels, and ingress/egress rules only apply to Pods whose labels match those selectors. In this namespace, the existing policies are evidently written to match `role=frontend`, `role=backend`, and `role=db`, so relabeling the Pods to those exact values makes the traffic path eligible without altering any policy objects.
B. Change the `deny-all` NetworkPolicy to allow all Pod-to-Pod traffic
C. Add an annotation to each Pod matching the NetworkPolicy selectors
D. Set all three Pods to `role=app` so they share the same label