Turn Your Vehicle Into a Smart Earning Asset

While you’re not driving your car or bike, it can still be working for you. MOTOSHARE helps you earn passive income by connecting your vehicle with trusted renters in your city.

🚗 You set the rental price
🔐 Secure bookings with verified renters
📍 Track your vehicle with GPS integration
💰 Start earning within 48 hours

It’s simple, safe, and rewarding. Your vehicle. Your rules. Your earnings.

URL – https://www.devopsschool.com/blog/kubernetes-cks-network-policy-example-code/

🔐 OpenShift NetworkPolicies Tutorial (with `httpd` in `test2` namespace)

🎯 Goal

You will:

✅ Deploy an httpd server
✅ Launch test clients to access it
✅ Apply NetworkPolicy to:

❌ Block all traffic
✅ Allow traffic only from specific labeled pods

🔧 Prerequisites

You already have:

httpd deployed using ImageStream (oc new-app httpd -n test2)
oc expose svc/httpd -n test2 run (optional, for browser access)

✅ Step-by-Step Guide

✅ Step 1: Check Internal Access to `httpd`

Create a PSA-compliant test pod and try connecting to the httpd service:

oc run test-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "test-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'
Code language: PHP (php)

Inside the pod:

wget -qO- httpd

✅ This should return a response — all traffic is allowed by default.

Exit:

exit
Code language: PHP (php)

🚫 Step 2: Block All Ingress Traffic to `httpd`

Create a deny-all NetworkPolicy:

cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-to-httpd
spec:
  podSelector:
    matchLabels:
      deployment: httpd
  policyTypes:
    - Ingress
EOF

This blocks all ingress to httpd pods.

🔁 Step 3: Retest (Should Fail Now)

Run the same test-client pod again and try:

wget -qO- httpd

❌ It should now fail — because ingress to httpd is blocked.

Exit:

exit
Code language: PHP (php)

✅ Step 4: Allow Labeled Pods to Access `httpd`

Deploy a new client pod with access=allowed label:

oc run allowed-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  --labels="access=allowed" \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "allowed-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'
Code language: PHP (php)

Now create a policy to allow only that pod label:

cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-allowed
spec:
  podSelector:
    matchLabels:
      deployment: httpd
  ingress:
    - from:
        - podSelector:
            matchLabels:
              access: allowed
  policyTypes:
    - Ingress
EOF
Code language: JavaScript (javascript)

Inside the pod:

wget -qO- httpd

✅ This should now succeed — because the pod is allowed.

Exit:

exit
Code language: PHP (php)

❌ Step 5: Verify Denial from Unlabeled Pods

Run another test pod without label:

oc run denied-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "denied-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'
Code language: PHP (php)

Then:

wget -qO- httpd

❌ This should fail — the pod is not allowed by the NetworkPolicy.

Exit:

exit
Code language: PHP (php)

✅ Summary Table

Step	Result
No policy	All pods can access `httpd`
Deny-all policy	No pod can access `httpd`
Allow from `access=allowed`	Only labeled pods can access
Unlabeled pods	Access denied

Rajesh Kumar

I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.

Do you want to learn Quantum Computing?

Please find my social handles as below;

Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND

Certification Courses

DevOpsSchool has introduced a series of professional certification courses designed to enhance your skills and expertise in cutting-edge technologies and methodologies. Whether you are aiming to excel in development, security, or operations, these certifications provide a comprehensive learning experience. Explore the following programs: