Core Track: guardrails-first chapter in the core learning path.

Estimated Time

  • Reading: 20-25 min
  • Lab: 45-60 min
  • Quiz: 10-15 min

Prerequisites

Source Code References

  • allow-backend-ingress.yaml
  • allow-dns-egress.yaml

What You Will Produce

A reproducible lab result (the policies you applied and the observed allowed/blocked outcomes), a passed quiz, and evidence that you can operate under these guardrails safely during an incident (you know how to open or restore traffic without removing the default deny).

Core Exercises (Required)

  1. Isolation Drill: Apply the default-deny-all policy to the develop namespace. Try to curl the Backend from the Frontend. Verify that it times out (a timeout, not "connection refused": the packets are dropped, not rejected).
  2. Restore Access: Apply the allow-backend-ingress and allow-dns-egress policies. Verify that the Frontend can now reach the Backend again, by service name rather than by IP, so that the DNS egress rule is exercised too.
  3. Cross-Namespace Check: Try to reach a service in the production namespace from a pod in develop. Verify that the connection is blocked.
  4. Debug Failure: Intentionally mislabel a pod (for example, change the label the allow policies select on) and use the Blocked Traffic Triage Playbook to identify why its traffic is being dropped.
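The four exercises above as an added worked example, not part of the course's lab files: a small offline simulator of NetworkPolicy semantics (every pod that any policy selects is isolated for that policyType, and a flow passes only when the source's Egress and the destination's Ingress both allow it). The policy contents, the pod labels (app=frontend, app=backend on TCP 8080), the kube-dns labels and the extra allow-frontend-egress policy are assumptions, because the lab YAML is not shown on this page; it also assumes the lab's default-deny-all isolates Egress as well as Ingress, which is why Frontend needs an egress allowance in addition to allow-backend-ingress. Running it shows why step 1 times out, what step 2 needs, why step 3 is blocked in both directions, and what a triage readout looks like for the mislabeled pod in step 4.

```python
"""Offline simulator of NetworkPolicy semantics for the isolation drill.
Added example, not the lab's files: policy contents, pod labels and the
allow-frontend-egress companion are ASSUMED. Modelled: matchLabels,
podSelector and namespaceSelector peers, numbered ports. Not modelled:
ipBlock, matchExpressions, named ports."""
from collections import namedtuple

Pod = namedtuple("Pod", "name namespace labels")
# kubernetes.io/metadata.name is set on every namespace since v1.21.
NS_LABELS = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("develop", "production", "kube-system")}

def selector_matches(selector, labels):
    """matchLabels semantics: {} (or an absent selector) matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, other):
    """Does one `from`/`to` entry of a policy living in policy_ns match pod `other`?"""
    if "ipBlock" in peer:
        return False  # CIDR peers are not modelled here
    if "namespaceSelector" in peer:
        return (selector_matches(peer["namespaceSelector"], NS_LABELS.get(other.namespace, {}))
                and selector_matches(peer.get("podSelector"), other.labels))
    # A bare podSelector only ever matches pods in the policy's own namespace.
    return other.namespace == policy_ns and selector_matches(peer.get("podSelector"), other.labels)

def port_matches(ports, port, protocol):
    """No ports listed means every port; protocol defaults to TCP as in the API."""
    return not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)

def policy_types(spec):
    """Default when policyTypes is omitted: Ingress always, Egress only if egress rules exist."""
    return set(spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else [])))

def check_side(policies, pod, direction, other, port, protocol):
    """One side of a flow (destination Ingress or source Egress) -> (allowed, reason)."""
    rule_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p for p in policies if p["metadata"]["namespace"] == pod.namespace
                 and direction in policy_types(p["spec"])
                 and selector_matches(p["spec"].get("podSelector"), pod.labels)]
    who = f"{pod.namespace}/{pod.name}"
    if not selecting:
        return True, f"{who}: no {direction} policy selects it, so it is not isolated"
    for pol in selecting:
        for rule in pol["spec"].get(rule_key) or []:
            peers = rule.get(peer_key) or []  # an empty peer list means any source/destination
            if port_matches(rule.get("ports"), port, protocol) and (
                    not peers or any(peer_matches(pe, pod.namespace, other) for pe in peers)):
                return True, f"{who}: {direction} allowed by {pol['metadata']['name']}"
    names = ", ".join(p["metadata"]["name"] for p in selecting)
    return False, f"{who}: {direction} isolated by [{names}] and no rule matches"

def evaluate(policies, src, dst, port, protocol="TCP"):
    """A flow passes only if the source's Egress AND the destination's Ingress both allow it."""
    eg_ok, eg_why = check_side(policies, src, "Egress", dst, port, protocol)
    in_ok, in_why = check_side(policies, dst, "Ingress", src, port, protocol)
    return eg_ok and in_ok, [eg_why, in_why]

def policy(name, pod_selector, types, **rules):
    """Same shape as the YAML: metadata.name/namespace, spec.podSelector/policyTypes/ingress/egress."""
    return {"metadata": {"name": name, "namespace": "develop"},
            "spec": {"podSelector": pod_selector, "policyTypes": types, **rules}}

# ASSUMED contents of the lab policies (the real YAML is not shown on this page).
DEFAULT_DENY_ALL = policy("default-deny-all", {}, ["Ingress", "Egress"])
ALLOW_DNS_EGRESS = policy("allow-dns-egress", {}, ["Egress"], egress=[{
    "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
    "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}])
ALLOW_BACKEND_INGRESS = policy("allow-backend-ingress", {"matchLabels": {"app": "backend"}}, ["Ingress"],
    ingress=[{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
              "ports": [{"protocol": "TCP", "port": 8080}]}])
# Assumed companion: default-deny-all isolates Egress too, so Frontend needs its own allow rule.
ALLOW_FRONTEND_EGRESS = policy("allow-frontend-egress", {"matchLabels": {"app": "frontend"}}, ["Egress"],
    egress=[{"to": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
             "ports": [{"protocol": "TCP", "port": 8080}]}])

# Constructed pods with assumed labels.
FRONTEND = Pod("frontend", "develop", {"app": "frontend"})
BACKEND = Pod("backend", "develop", {"app": "backend"})
PROD_FRONTEND = Pod("frontend", "production", {"app": "frontend"})
PROD_BACKEND = Pod("backend", "production", {"app": "backend"})
KUBE_DNS = Pod("coredns", "kube-system", {"k8s-app": "kube-dns"})
MISLABELED = Pod("frontend-typo", "develop", {"app": "frontned"})  # step 4: deliberate typo
STEP1 = [DEFAULT_DENY_ALL]
STEP2 = STEP1 + [ALLOW_DNS_EGRESS, ALLOW_BACKEND_INGRESS, ALLOW_FRONTEND_EGRESS]

def run_drill():
    """Allowed (True) or blocked (False) for each exercise's test flow."""
    return {
        "step1_frontend_to_backend": evaluate(STEP1, FRONTEND, BACKEND, 8080)[0],
        "step2_frontend_to_backend": evaluate(STEP2, FRONTEND, BACKEND, 8080)[0],
        "step2_frontend_to_dns": evaluate(STEP2, FRONTEND, KUBE_DNS, 53, "UDP")[0],
        "step3_develop_to_production": evaluate(STEP2, FRONTEND, PROD_BACKEND, 8080)[0],
        "step3_production_to_develop": evaluate(STEP2, PROD_FRONTEND, BACKEND, 8080)[0],
        "step4_mislabeled_to_backend": evaluate(STEP2, MISLABELED, BACKEND, 8080)[0],
    }

if __name__ == "__main__":
    for step, allowed in run_drill().items():
        print(f"{step}: {'ALLOWED' if allowed else 'BLOCKED'}")
    print("\n".join(evaluate(STEP2, MISLABELED, BACKEND, 8080)[1]))  # the step 4 triage view
```

The reasons list is the point for step 4: it names which policies select each end of the connection and whether any rule matched, which is what `kubectl get pod --show-labels` and `kubectl describe networkpolicy -n develop` let you reconstruct by hand. Note the two failure shapes it distinguishes: a mislabeled source still falls under the namespace-wide default deny but no longer matches its egress allowance, and the destination still rejects it because the `from` podSelector no longer matches. If the real lab's step 2 still times out after both policies are applied, check that something grants Frontend egress to Backend, not just to DNS.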

Challenge Exercise (Optional)

NetworkPolicy From Scratch: Write a complete NetworkPolicy from scratch for a hypothetical new microservice that needs ingress from Traefik and egress to the backend, without referencing existing policy templates.

Done When

You have completed this chapter when:

  • You can apply a default-deny-all policy without losing control of the environment.
  • You have successfully enabled DNS and Ingress traffic for a workload.
  • You can debug and explain blocked traffic using pod events and kubectl.
  • You can explain the risk of “lateral movement” in a flat network.

Knowledge Check

Before finishing this chapter, complete the Quiz to verify your understanding of the guardrail principles.