diff --git a/content/en/docs/tasks/administer-cluster/declare-network-policy.md b/content/en/docs/tasks/administer-cluster/declare-network-policy.md index ed07e487fb941..3587aa28ef9aa 100644 --- a/content/en/docs/tasks/administer-cluster/declare-network-policy.md +++ b/content/en/docs/tasks/administer-cluster/declare-network-policy.md @@ -33,7 +33,7 @@ The above list is sorted alphabetically by product name, not by recommendation o To see how Kubernetes network policy works, start off by creating an `nginx` deployment. ```console -kubectl run nginx --image=nginx --replicas=2 +kubectl create deployment nginx --image=nginx ``` ```none deployment.apps/nginx created @@ -62,7 +62,6 @@ service/nginx 10.100.0.16 80/TCP 33s NAME READY STATUS RESTARTS AGE pod/nginx-701339712-e0qfq 1/1 Running 0 35s -pod/nginx-701339712-o00ef 1/1 Running 0 35s ``` ## Test the service by accessing it from another pod @@ -72,7 +71,7 @@ You should be able to access the new `nginx` service from other pods. To test, a Start a busybox container, and use `wget` on the `nginx` service: ```console -kubectl run busybox --rm -ti --image=busybox /bin/sh +kubectl run --generator=run-pod/v1 busybox --rm -ti --image=busybox -- /bin/sh ``` ```console @@ -97,7 +96,7 @@ metadata: spec: podSelector: matchLabels: - run: nginx + app: nginx ingress: - from: - podSelector: @@ -105,6 +104,13 @@ spec: access: "true" ``` +{{< note >}} + +In the case, the label `app=nginx` is automatically added. + +{{< /note >}} + + ## Assign the policy to the service Use kubectl to create a NetworkPolicy from the above nginx-policy.yaml file: @@ -121,7 +127,7 @@ networkpolicy.networking.k8s.io/access-nginx created If we attempt to access the nginx Service from a pod without the correct labels, the request will now time out: ```console -kubectl run busybox --rm -ti --image=busybox /bin/sh +kubectl run --generator=run-pod/v1 busybox --rm -ti --image=busybox -- /bin/sh ``` ```console @@ -140,7 +146,7 @@ wget: download timed out Create a pod with the correct labels, and you'll see that the request is allowed: ```console -kubectl run busybox --rm -ti --labels="access=true" --image=busybox /bin/sh +kubectl run --generator=run-pod/v1 busybox --rm -ti --labels="access=true" --image=busybox -- /bin/sh ``` ```console