1
00:00:00,210 --> 00:00:06,750
This is the solution video for the Network Policies Lab. So for the first question, we have to identify

2
00:00:06,750 --> 00:00:09,480
the number of network policies in the environment.

3
00:00:11,210 --> 00:00:17,960
To do this, let's go to the terminal and type kubectl get netpol, which is short for network policy.

4
00:00:22,870 --> 00:00:28,660
And here we can see that there is a single network policy in the default namespace by the name of payroll

5
00:00:28,660 --> 00:00:29,530
-policy.

6
00:00:31,910 --> 00:00:33,230
So the answer is one.

7
00:00:35,310 --> 00:00:37,050
What is the name of the new policy?

8
00:00:37,410 --> 00:00:39,420
It is payroll-policy.

9
00:00:41,810 --> 00:00:50,150
Which pod is the network policy applied on? Here we can see the pod selector, whose name is

10
00:00:50,150 --> 00:00:57,560
equal to payroll, so let's use kubectl get pods and check the label of the pod, which is using the

11
00:00:57,560 --> 00:00:58,510
specific label.

12
00:01:01,910 --> 00:01:04,010
So for this we'll use the label selector option

13
00:01:07,250 --> 00:01:13,220
and along with that we'll provide the label name=payroll, and here the name of the pod,

14
00:01:13,340 --> 00:01:17,690
with the specific label, is payroll itself.

15
00:01:17,700 --> 00:01:19,510
So let's select that as our answer.

16
00:01:23,810 --> 00:01:31,310
What type of traffic is this network policy configured to handle? To find this, let us run kubectl describe

17
00:01:31,310 --> 00:01:32,270
network policy.

18
00:01:38,770 --> 00:01:45,280
And in here, we should be able to see the policy type, which has the policy type as ingress.

19
00:01:45,280 --> 00:01:51,220
And again, here you can see the pod selector as well, which is using the label name equal to

20
00:01:51,220 --> 00:01:51,640
payroll.

21
00:01:52,210 --> 00:02:00,430
But the type of policy that this configuration uses is the ingress type; as you can see, it's not

22
00:02:00,430 --> 00:02:02,050
affecting egress traffic.

23
00:02:05,020 --> 00:02:06,340
So the answer is ingress.

24
00:02:09,100 --> 00:02:12,580
What is the impact of the rule configured on this policy?

25
00:02:14,070 --> 00:02:21,900
So let's go back, and we already know that this is an ingress policy and it is allowing ingress traffic

26
00:02:22,200 --> 00:02:31,320
to the port on the pod from the pod, or the pod selector, which has the label name equal to internal.

27
00:02:31,350 --> 00:02:39,210
So it's allowing traffic from a pod with the label name equal to internal to port 880 on the pod,

28
00:02:39,540 --> 00:02:42,960
which has the label payroll, which is the pod by the name of payroll.

29
00:02:42,970 --> 00:02:48,660
So let's identify the pod which has the label name equal to internal.

30
00:02:53,430 --> 00:02:56,890
And here you can see that the name of the pod is internal as well.

31
00:02:58,200 --> 00:02:59,280
So traffic.

32
00:03:00,790 --> 00:03:07,360
From internal to payroll pod is blocked; that's wrong. Traffic from internal to payroll pod is allowed.

33
00:03:07,630 --> 00:03:08,770
So that's the right option.

34
00:03:14,090 --> 00:03:18,970
What is the impact of the rule configured on this network policy? So we already figured that out: the internal

35
00:03:18,980 --> 00:03:23,480
pod can access port 88 on the payroll pod, so that's the right option.

36
00:03:27,340 --> 00:03:31,180
Access the UI of these applications using the link above the terminal.

37
00:03:31,210 --> 00:03:33,110
So let's go and check that out.

38
00:03:33,400 --> 00:03:35,860
So there are two tabs here.

39
00:03:35,890 --> 00:03:39,290
One is for the external portal and the other one is for the internal portal.

40
00:03:39,310 --> 00:03:41,990
So let's open those up, make sure that it's working.

41
00:03:46,160 --> 00:03:51,710
And here we can run connectivity tests. So yeah, we are able to open these two portals.

42
00:03:53,970 --> 00:03:59,490
Perform a connectivity test using the user interface of these applications to access the payroll service

43
00:03:59,490 --> 00:04:00,870
at port 880.

44
00:04:00,910 --> 00:04:01,740
So let's use.

45
00:04:03,330 --> 00:04:07,170
the service name and test on both the portals.

46
00:04:13,300 --> 00:04:19,260
And you can see that we are getting a successful connectivity test from the internal-facing application;

47
00:04:20,710 --> 00:04:23,890
let's do the same for the external facing application.

48
00:04:28,530 --> 00:04:34,260
And this one is timing out, so let's check for the correct option: only the internal application can access

49
00:04:34,260 --> 00:04:35,130
the payroll service.

50
00:04:35,220 --> 00:04:36,120
That is correct.

51
00:04:38,740 --> 00:04:44,680
Perform a connectivity test using the user interface of the internal application to access the external

52
00:04:44,680 --> 00:04:45,970
service at port 880.

53
00:04:46,810 --> 00:04:50,970
So, again, this has to be run in the internal portal.

54
00:04:51,910 --> 00:04:53,410
So let me copy this.

55
00:04:56,420 --> 00:05:01,760
And here, we'll test for external service.

56
00:05:03,090 --> 00:05:05,180
And that is successful as well.

57
00:05:06,660 --> 00:05:13,770
So it is successful. So from the internal pod, we know that we are able to connect to port 88 on the

58
00:05:13,770 --> 00:05:21,300
payroll pod, but it is also allowing connectivity to the external pod on port 880, so that's successful.

59
00:05:23,720 --> 00:05:30,530
In the next question, we have to create a network policy to allow traffic from the internal application

60
00:05:30,950 --> 00:05:37,610
only to the payroll service and the db service. From the internal application, we have already opened

61
00:05:37,880 --> 00:05:39,170
the connectivity to.

62
00:05:40,260 --> 00:05:46,920
payroll pod, and it should also allow connectivity to the db service, which is at port 3306;

63
00:05:46,920 --> 00:05:50,050
to the external pod, it should be blocked.

64
00:05:50,970 --> 00:05:54,790
So this has to be an egress type policy.

65
00:05:55,740 --> 00:06:03,210
The name of the policy should be internal-policy, egress allow should be to payroll and to db, and it

66
00:06:03,210 --> 00:06:06,570
should block egress to the external pod.

67
00:06:08,770 --> 00:06:16,750
So this connectivity, to the external service on its port, should not be allowed.

68
00:06:16,780 --> 00:06:22,240
So that's what we are trying to block by creating an egress type network policy.

69
00:06:24,360 --> 00:06:27,900
So for this, we'll make use of the Kubernetes documentation.

70
00:06:28,320 --> 00:06:34,140
There is no straightforward way to create a network policy using imperative commands, so we'll have

71
00:06:34,140 --> 00:06:37,470
to rely on the documentation and use the examples provided there.

72
00:06:39,440 --> 00:06:48,710
So we just type in network policy and it should come up with the results; the first one is the most

73
00:06:48,710 --> 00:06:52,910
appropriate one; it has an example network policy template here.

74
00:06:53,270 --> 00:06:55,940
So we can copy this exact same example.

75
00:06:57,880 --> 00:07:06,970
And we will modify it to suit our needs, so we just need to create this policy for egress, so remove

76
00:07:06,970 --> 00:07:08,410
everything related to ingress.

77
00:07:08,450 --> 00:07:09,760
I'm just going to copy it.

78
00:07:13,110 --> 00:07:18,230
And the name of the policy, let's name the file with the same one as well.

79
00:07:18,240 --> 00:07:20,310
So it's called internal-policy.

80
00:07:28,320 --> 00:07:30,360
I'm just going to paste it here.

81
00:07:32,550 --> 00:07:39,160
And let's start making changes. So let's see, this policy has a name; the policy name is also, yeah,

82
00:07:39,210 --> 00:07:41,070
obviously it is internal-policy.

83
00:07:41,070 --> 00:07:42,060
So let's change that.

84
00:07:51,360 --> 00:07:57,660
And we know that this is an egress type of policy on the internal pod, so we'll change the match

85
00:07:57,660 --> 00:08:00,540
labels to name equal to internal.

86
00:08:01,200 --> 00:08:03,720
We have already checked the label for this earlier.

87
00:08:06,920 --> 00:08:15,170
And this is an egress-only policy, so I'm going to remove ingress, and let's remove the ingress section

88
00:08:15,170 --> 00:08:15,500
here.

89
00:08:20,040 --> 00:08:23,460
And let's keep the egress one.

90
00:08:26,720 --> 00:08:28,370
So we don't need the IP block.

91
00:08:31,950 --> 00:08:39,360
All right, so now we have a template and we can use this to update our configuration.

92
00:08:39,960 --> 00:08:44,280
OK, so underneath this we will define the pods, the pod selector.

93
00:08:44,310 --> 00:08:46,080
So, again, let's go back to the example.

94
00:08:47,100 --> 00:08:49,940
So I'm just going to copy the pod selector here.

95
00:08:49,950 --> 00:08:55,530
So the first one we'll use for the MySQL, but let's just copy the template again.

96
00:09:01,250 --> 00:09:04,760
The port for MySQL should be 3306.

97
00:09:08,590 --> 00:09:13,540
And let's take the service name and the label for the MySQL pod.

98
00:09:17,950 --> 00:09:23,860
So the MySQL pod has a label of name equal to mysql, so let's update that.

99
00:09:30,490 --> 00:09:38,770
And similarly, let us also add the egress to payroll, so I'm just going to copy-paste; the easiest

100
00:09:38,770 --> 00:09:41,350
way is to cat the same file.

101
00:09:44,070 --> 00:09:49,630
And right-click select, right-click, copy and paste.

102
00:09:49,650 --> 00:09:52,560
So that's one easy way of doing it.

103
00:09:53,700 --> 00:09:56,120
So I'm just going to repeat the same thing.

104
00:10:00,420 --> 00:10:01,020
So this.

105
00:10:02,340 --> 00:10:04,680
I'll have to add another to field here.

106
00:10:11,440 --> 00:10:17,420
Make sure that it is correctly indented. So the name for this should be,

107
00:10:17,710 --> 00:10:19,660
we already know that it should be payroll.

108
00:10:25,280 --> 00:10:28,730
The port should be TCP port 880.

109
00:10:35,670 --> 00:10:43,560
So egress allow payroll port 880, egress allow mysql port 3306, so that looks

110
00:10:43,560 --> 00:10:44,040
correct.

111
00:10:45,030 --> 00:10:49,560
So we are allowing egress from the internal pod

112
00:10:51,030 --> 00:10:57,950
only to the payroll and the db pod, and it's cutting off the connectivity to everything else, so this

113
00:10:57,960 --> 00:11:01,690
connection here should not work anymore once we apply the policy.

114
00:11:02,220 --> 00:11:07,410
Another thing to note is that sometimes DNS resolution might fail from the internal pod because

115
00:11:07,410 --> 00:11:13,560
it's not able to reach the kube-dns servers on TCP and UDP port 53.

116
00:11:13,570 --> 00:11:17,450
So if that happens, that's something that you'll have to add in as well.

117
00:11:17,880 --> 00:11:26,970
But just for the sake of this test, where we are adding two egress rules to effectively allow communication

118
00:11:26,970 --> 00:11:30,540
only to the MySQL and the payroll pod, that should be enough.

119
00:11:30,570 --> 00:11:33,840
So let's see if this has been created correctly.

120
00:11:33,840 --> 00:11:37,620
So we'll try to create this network policy now.

121
00:11:40,330 --> 00:11:43,310
Let's see if that worked, so, yeah, it looks like it did work.

122
00:11:43,330 --> 00:11:45,070
Let's run kubectl describe.

123
00:11:50,230 --> 00:11:57,340
And here you can see that the egress policy type is in effect; there are two egress rules, one is

124
00:11:57,340 --> 00:12:01,720
to the MySQL pod and the port is 3306.

125
00:12:01,730 --> 00:12:04,530
The other one is payroll on 880.

126
00:12:04,530 --> 00:12:06,220
So these two are the allow rules.

127
00:12:06,220 --> 00:12:09,520
So let's check and see if that was created correctly.

128
00:12:11,330 --> 00:12:13,370
And it was. So that was the last question.

129
00:12:13,400 --> 00:12:15,450
Thank you for joining me in this solution video.

130
00:12:15,470 --> 00:12:16,730
I'll see you in the next one.
