DevOps · Flashcard

A Pod becomes 'isolated for ingress' when a NetworkPolicy selects it. What does this actually mean?

  • A  All ingress not explicitly allowed by any selecting policy is denied — the Pod switches from default-allow to default-deny
  • B  The Pod is moved into an isolated network namespace where it can only receive traffic from policy-matched sources
  • C  The Pod's network interface is reconfigured by the CNI to accept connections only on ports listed in the policy
  • D  The Pod still receives all traffic, but connections from non-matching sources are logged to the audit subsystem

Why this is the answer

Answer: A. Before any NetworkPolicy selects a Pod, the Pod is non-isolated for ingress and accepts every incoming connection. Once at least one NetworkPolicy in the Pod's namespace selects it through its podSelector and has Ingress in policyTypes (policyTypes defaults to Ingress when omitted, so a policy with an empty podSelector and no rules at all isolates every Pod in the namespace), the Pod is isolated for ingress: only connections matched by an ingress rule in some selecting policy are admitted, and the allow rules of all selecting policies are unioned. Everything else is denied. Nothing about the Pod's network namespace or interface changes (B, C), and there is no logging side effect (D). One caveat: the API server only stores the object; enforcement is done by the CNI plugin, so on a cluster whose plugin does not implement NetworkPolicy the policy is accepted and silently ignored, and the Pod stays non-isolated.
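To make the rule above concrete, here is an added model of the isolation semantics (example code, not Kubernetes or any CNI plugin's code). Policies and Pods are plain dicts mirroring manifest fields; the namespaces (shop, ops, batch), Pod labels, policy names and ports are all constructed for the example, and matchExpressions, ipBlock peers and egress are deliberately left out. It shows the three things the card hinges on: a Pod with no selecting policy is default-allow, a selecting policy with no rules flips it to default-deny, and allows from every selecting policy are unioned.

```python
"""Added model of Kubernetes NetworkPolicy ingress isolation (example code,
not Kubernetes or any CNI plugin's code). Policies and Pods are plain dicts
mirroring manifest fields; every namespace, name and label is constructed."""


def selects(selector, labels):
    # Only matchLabels is modelled (matchExpressions omitted).
    # An empty selector {} matches every Pod, as in Kubernetes.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(policy):
    # Spec default: an omitted policyTypes means ["Ingress"], plus "Egress"
    # if the policy has an egress section. So a policy with no rules at all
    # still isolates the Pods it selects for ingress.
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def selecting_ingress_policies(pod, policies):
    return [
        p for p in policies
        if p["metadata"]["namespace"] == pod["namespace"]
        and selects(p["spec"]["podSelector"], pod["labels"])
        and "Ingress" in policy_types(p)
    ]


def isolated_for_ingress(pod, policies):
    return bool(selecting_ingress_policies(pod, policies))


def peer_matches(peer, src, policy_ns, namespaces):
    """One entry of a rule's `from` list (ipBlock peers omitted)."""
    if "namespace" not in src:
        return False  # an external endpoint could only match an ipBlock peer
    if "namespaceSelector" in peer:
        # podSelector and namespaceSelector in one peer are ANDed.
        if not selects(peer["namespaceSelector"], namespaces.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False  # a lone podSelector only matches the policy's own namespace
    return selects(peer.get("podSelector", {}), src["labels"])


def port_matches(rule, protocol, port):
    if "ports" not in rule:
        return True  # no ports list: every port and protocol
    for entry in rule["ports"]:  # protocol defaults to TCP; no port means any port
        if entry.get("protocol", "TCP") == protocol and entry.get("port", port) == port:
            return True
    return False


def ingress_allowed(pod, policies, src, port, protocol="TCP", namespaces=None):
    """Is a connection from `src` to `pod` on `port` admitted?"""
    namespaces = namespaces or {}
    selecting = selecting_ingress_policies(pod, policies)
    if not selecting:
        return True  # non-isolated: default allow
    for p in selecting:  # allows are unioned across every selecting policy
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from", [])  # empty or missing `from` admits all sources
            src_ok = not peers or any(
                peer_matches(x, src, p["metadata"]["namespace"], namespaces) for x in peers)
            if src_ok and port_matches(rule, protocol, port):
                return True
    return False  # isolated and nothing matched: default deny


# Constructed cluster state (namespace labels, policies, Pods).
NAMESPACES = {"shop": {"team": "shop"}, "ops": {"team": "ops"}, "batch": {}}
POLICIES = [
    {   # isolates every Pod in "shop" for ingress; allows nothing by itself
        "metadata": {"name": "default-deny-ingress", "namespace": "shop"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    },
    {   # frontend Pods in "shop" may reach api Pods on TCP/8080 (policyTypes omitted)
        "metadata": {"name": "allow-frontend-to-api", "namespace": "shop"},
        "spec": {"podSelector": {"matchLabels": {"app": "api"}},
                 "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}],
                              "ports": [{"protocol": "TCP", "port": 8080}]}]},
    },
    {   # any Pod in a namespace labelled team=ops may scrape api Pods on 9090
        "metadata": {"name": "allow-ops-scrape", "namespace": "shop"},
        "spec": {"podSelector": {"matchLabels": {"app": "api"}},
                 "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "ops"}}}],
                              "ports": [{"port": 9090}]}]},
    },
]
API = {"namespace": "shop", "labels": {"app": "api"}}
DB = {"namespace": "shop", "labels": {"app": "db"}}
WORKER = {"namespace": "batch", "labels": {"app": "worker"}}
FRONTEND = {"namespace": "shop", "labels": {"role": "frontend"}}
PROM = {"namespace": "ops", "labels": {"app": "prometheus"}}

if __name__ == "__main__":
    for pod in (API, DB, WORKER):
        print(pod["labels"], "isolated:", isolated_for_ingress(pod, POLICIES))
    print("frontend->api:8080", ingress_allowed(API, POLICIES, FRONTEND, 8080))
    print("frontend->db:5432 ", ingress_allowed(DB, POLICIES, FRONTEND, 5432))
    print("prom->api:9090    ", ingress_allowed(API, POLICIES, PROM, 9090, namespaces=NAMESPACES))
```

The db Pod is the instructive case: no policy names it in an allow rule, yet the empty podSelector of default-deny-ingress selects it, so it is isolated and every connection to it is dropped. The worker Pod in batch, where no policy exists, keeps accepting everything.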
