ssh ckad00018
You cannot create/modify/delete any NetworkPolicy.
So the only way to make the existing policies “take effect” is to ensure the right Pods have the labels/selectors those policies expect.
The task: in namespace charming-macaw, configure things so the target Pod can send + receive traffic ONLY to/from Pods front and db.
1) Inspect what NetworkPolicies already exist (don’t change them)
kubectl -n charming-macaw get netpol
kubectl -n charming-macaw get netpol -o wide
Dump them to see the selectors they use:
kubectl -n charming-macaw get netpol -o yaml
You are looking for policies that:
select the restricted pod via spec.podSelector
and allow ingress/egress only with selectors that match front and db
often there’s also a “default deny” policy.
2) Identify the Pods and their current labels
kubectl -n charming-macaw get pods -o wide
kubectl -n charming-macaw get pods --show-labels
Specifically inspect labels for front and db:
kubectl -n charming-macaw get pod front --show-labels
kubectl -n charming-macaw get pod db --show-labels
(If they’re Deployments instead of single Pods, do:)
kubectl -n charming-macaw get deploy --show-labels
kubectl -n charming-macaw get pods -l app=front --show-labels
kubectl -n charming-macaw get pods -l app=db --show-labels
3) Figure out which pod is “the Pod” to restrict
Usually there’s a third pod (e.g., backend, api, app) besides front and db.
List pods again and identify the “other” one:
kubectl -n charming-macaw get pods
Let’s assume the pod to restrict is called app (replace as needed):
TARGET=app
4) Match the existing NetworkPolicy selectors by labeling pods (allowed)
Because you can’t edit NetworkPolicies, you must make labels on Pods (or their controllers) match the policies’ selectors.
4.1 Determine the label required on the TARGET pod
From the YAML, find the policy that selects the restricted pod, e.g.:
spec:
podSelector:
matchLabels:
role: restricted
Extract podSelector from each policy quickly:
kubectl -n charming-macaw get netpol -o jsonpath='{range .items[*]}{.metadata.name}{" => "}{.spec.podSelector}{"\n"}{end}'
Pick the selector that is meant for the restricted pod, then apply it to the TARGET pod (example: role=restricted):
kubectl -n charming-macaw label pod $TARGET role=restricted --overwrite
Best practice (if the pod is managed by a Deployment): label the Deployment template instead, so it persists.
Find the owner:
kubectl -n charming-macaw get pod $TARGET -o jsonpath='{.metadata.ownerReferences[0].kind}{" "}{.metadata.ownerReferences[0].name}{"\n"}'
If it’s a ReplicaSet, find its Deployment:
RS=$(kubectl -n charming-macaw get pod $TARGET -o jsonpath='{.metadata.ownerReferences[0].name}')
kubectl -n charming-macaw get rs $RS -o jsonpath='{.metadata.ownerReferences[0].kind}{" "}{.metadata.ownerReferences[0].name}{"\n"}'
DEPLOY=$(kubectl -n charming-macaw get rs $RS -o jsonpath='{.metadata.ownerReferences[0].name}')
Then label the Deployment's pod template. Note that kubectl label deploy only labels the Deployment object itself, which a NetworkPolicy never looks at; the label has to land in spec.template.metadata.labels, and patching it rolls out new pods (example):
kubectl -n charming-macaw patch deploy $DEPLOY -p '{"spec":{"template":{"metadata":{"labels":{"role":"restricted"}}}}}'
4.2 Ensure front and db match what the allow-rules reference
Look inside the allow policy ingress.from / egress.to. You might see something like:
from:
- podSelector:
matchLabels:
name: front
- podSelector:
matchLabels:
name: db
So you must ensure:
front pod has name=front
db pod has name=db
Apply labels (examples—use what the policy expects):
kubectl -n charming-macaw label pod front name=front --overwrite
kubectl -n charming-macaw label pod db name=db --overwrite
Again, if they're Deployments, patch the Deployment's pod template instead (labeling the Deployment object alone does not change the pods' labels):
kubectl -n charming-macaw patch deploy front -p '{"spec":{"template":{"metadata":{"labels":{"name":"front"}}}}}'
kubectl -n charming-macaw patch deploy db -p '{"spec":{"template":{"metadata":{"labels":{"name":"db"}}}}}'
5) Verify the NetworkPolicies now “select” the right pods
Check which labels each pod has now:
kubectl -n charming-macaw get pods --show-labels
Confirm the restricted pod matches the NetPol podSelector (the list output is under .items, so iterate it):
kubectl -n charming-macaw get netpol -o jsonpath='{range .items[*]}{.metadata.name}{" => "}{.spec.podSelector}{"\n"}{end}'
kubectl -n charming-macaw get pod $TARGET --show-labels
6) Functional verification (quick network tests)
Exec into the restricted pod and try to reach:
front ✅ allowed
db ✅ allowed
anything else ❌ blocked
If busybox has wget (-T sets a timeout so a blocked connection fails fast instead of hanging; note 2>/dev/null has no space):
kubectl -n charming-macaw exec -it $TARGET -- sh -c 'wget -qO- -T 3 http://front 2>/dev/null && echo "front reachable" || echo "front blocked"'
kubectl -n charming-macaw exec -it $TARGET -- sh -c 'wget -qO- -T 3 http://db 2>/dev/null && echo "db reachable" || echo "db blocked"'
Test something that should be blocked (example: the kubernetes API service DNS name):
kubectl -n charming-macaw exec -it $TARGET -- sh -c 'wget -qO- -T 3 https://kubernetes.default.svc 2>/dev/null || echo "blocked"'
Caveat: if the egress policy does not also allow DNS (port 53 to kube-dns), service names will not resolve from the target even for front and db; in that case test against the Pod IPs from kubectl get pods -o wide instead.
Also test inbound (from front to target, and from db to target) if the target listens on a port; otherwise inbound testing may be limited.
What you’re doing conceptually
Existing NetPols are already correct.
Your job is to make pod labels match the NetPol selectors so:
default deny applies to the target
allow rules apply only between target ↔ front and target ↔ db
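The label-matching logic above, as an added offline example that is not part of the original walkthrough: it models how spec.podSelector and ingress.from / egress.to podSelectors match pod labels, so you can check which labels steps 4.1 and 4.2 must add before touching the cluster. The pod names, labels and policy shapes are constructed to mirror this walkthrough's assumptions (app/front/db, role=restricted, name=front, name=db).

```python
# Added example, not from the original walkthrough: an offline model of NetworkPolicy
# label matching (matchLabels only; namespaceSelector/ipBlock peers are out of scope).
# Pod names, labels and policy shapes are constructed to mirror the walkthrough's
# assumptions: target app, peers front/db, role=restricted, name=front, name=db.

def matches(selector, labels):
    """matchLabels semantics; an empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peers(policy, direction, pods):
    """Pods permitted by the policy's ingress 'from' or egress 'to' podSelectors."""
    peer_key = "from" if direction == "ingress" else "to"
    allowed = set()
    for rule in policy["spec"].get(direction) or []:
        for peer in rule.get(peer_key, []):
            if "podSelector" in peer:
                allowed |= {n for n, l in pods.items() if matches(peer["podSelector"], l)}
    return allowed

def effective_peers(policies, pods, target):
    """Per direction: pods target may talk to, or None if no policy selects target
    in that direction (no isolation, so everything is allowed)."""
    out = {"ingress": None, "egress": None}
    for p in policies:
        if not matches(p["spec"]["podSelector"], pods[target]):
            continue
        for d in p["spec"]["policyTypes"]:
            d = d.lower()
            out[d] = (out[d] or set()) | peers(p, d, pods)
    return out

# Constructed policies: a default deny plus an allow rule, both keyed on role=restricted.
SEL = {"matchLabels": {"role": "restricted"}}
FRONT_DB = [{"podSelector": {"matchLabels": {"name": n}}} for n in ("front", "db")]
POLICIES = [
    {"spec": {"podSelector": SEL, "policyTypes": ["Ingress", "Egress"]}},
    {"spec": {"podSelector": SEL, "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"from": FRONT_DB}], "egress": [{"to": FRONT_DB}]}},
]
# Constructed pod label sets at each stage of the walkthrough.
PODS_START = {"app": {"app": "app"}, "front": {"app": "front"},
              "db": {"app": "db"}, "other": {"app": "other"}}
PODS_STEP_41 = {**PODS_START, "app": {"app": "app", "role": "restricted"}}
PODS_STEP_42 = {**PODS_STEP_41, "front": {"app": "front", "name": "front"},
                "db": {"app": "db", "name": "db"}}

if __name__ == "__main__":
    for stage, pods in (("start", PODS_START), ("after 4.1", PODS_STEP_41), ("after 4.2", PODS_STEP_42)):
        print(stage, effective_peers(POLICIES, pods, "app"))
```

The half-done state after 4.1 (target selected, but front/db not yet labeled) comes out as empty peer sets, which is why step 4.2 is not optional.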