Appendix. Answers to Review Questions

Chapter 2, “Cluster Setup”

  1. Create a file named deny-egress-external.yaml to define the network policy. The policy needs to set the Pod selector to app=backend and declare the Egress policy type. Make sure to allow port 53 for the protocols UDP and TCP. The namespace selector of the egress rule needs to use {} to select all namespaces:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: deny-egress-external
    spec:
      podSelector:
        matchLabels:
          app: backend
      policyTypes:
      - Egress
      egress:
      - to:
        - namespaceSelector: {}
        ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP

    Run the apply command to instantiate the network policy object from the YAML file:

    $ kubectl apply -f deny-egress-external.yaml
  2. A Pod that does not match the label selector of the network policy can make a call to a URL outside of the cluster. In this case, the label assignment is app=frontend:

    $ kubectl run web --image=busybox:1.36.0 -l app=frontend --port=80 -it \
      --rm --restart=Never -- wget http://google.com --timeout=5 --tries=1
    Connecting to google.com (142.250.69.238:80)
    Connecting to www.google.com (142.250.72.4:80)
    saving to /'index.html'
    index.html           100% |**| 13987   0:00:00 ETA
    /'index.html' saved
    pod "web" deleted
  3. A Pod that does match the label selector of the network policy cannot make a call to a URL outside of the cluster. In this case, the label assignment is app=backend:

    $ kubectl run web --image=busybox:1.36.0 ...
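The behaviour verified in answers 2 and 3 follows from the shape of the policy in answer 1: the only peer is `namespaceSelector: {}`, so port 53 is reachable in every namespace of the cluster but no external address is. The following audit function is an added example, not code from the study guide; it encodes that reasoning as checks on a NetworkPolicy manifest (a JSON rendering of the answer-1 policy is embedded as constructed input) and reports the common mistakes that would silently reopen external egress, such as a rule without `to` or an `ipBlock` peer.

```python
import json

# Constructed JSON rendering of the deny-egress-external policy from answer 1
# (kubectl accepts JSON manifests, so this describes the same object as the YAML).
DENY_EGRESS_EXTERNAL = json.loads("""{
  "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "deny-egress-external"},
  "spec": {
    "podSelector": {"matchLabels": {"app": "backend"}},
    "policyTypes": ["Egress"],
    "egress": [{"to": [{"namespaceSelector": {}}],
                "ports": [{"port": 53, "protocol": "UDP"},
                          {"port": 53, "protocol": "TCP"}]}]}}""")

DNS_PORTS = {(53, "UDP"), (53, "TCP")}


def audit_dns_only_egress(policy, pod_label=("app", "backend")):
    """Return findings for a policy meant to allow in-cluster DNS only.

    An empty list means the selected Pods can only reach port 53 on Pods in
    some namespace; nothing outside the cluster is reachable.
    """
    spec = policy.get("spec", {})
    findings = []
    labels = spec.get("podSelector", {}).get("matchLabels", {})
    if labels.get(pod_label[0]) != pod_label[1]:
        findings.append(f"podSelector does not select {pod_label[0]}={pod_label[1]}")
    types = spec.get("policyTypes")
    if types is None:  # Kubernetes infers Egress only when an egress section exists
        types = ["Egress"] if "egress" in spec else ["Ingress"]
    if "Egress" not in types:
        findings.append("policy does not apply to Egress: outbound traffic stays unrestricted")
    for i, rule in enumerate(spec.get("egress", [])):
        peers = rule.get("to")
        if not peers:  # no 'to' matches every destination, external addresses included
            findings.append(f"egress[{i}] has no 'to': its ports are open to any destination")
        for peer in peers or []:
            if "ipBlock" in peer:
                cidr = peer["ipBlock"].get("cidr")
                findings.append(f"egress[{i}] ipBlock {cidr} can reach outside the cluster")
        ports = rule.get("ports")
        if not ports:  # no 'ports' means every port to the listed peers
            findings.append(f"egress[{i}] has no 'ports': every port is open to its peers")
        for p in ports or []:
            key = (p.get("port"), p.get("protocol", "TCP"))  # protocol defaults to TCP
            if key not in DNS_PORTS:
                findings.append(f"egress[{i}] allows non-DNS port {key[0]}/{key[1]}")
    return findings
```

Running `audit_dns_only_egress(DENY_EGRESS_EXTERNAL)` returns an empty list; feeding it a manifest loaded from `kubectl get networkpolicy deny-egress-external -o json` gives the same check against the live object.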
