
K8S namespace calico network policy

Configure namespaces

This guide will deploy pods in a Kubernetes namespace. Let’s create the Namespace object for this guide.

kubectl create ns policy-demo

Create demo pods

We’ll use Kubernetes Deployment objects to easily create pods in the namespace.

  1. Create some nginx pods in the policy-demo namespace.

     kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx

     Note: on kubectl 1.18 and later, kubectl run only creates a single Pod and no longer accepts --replicas. There, create the Deployment with kubectl create deployment --namespace=policy-demo nginx --image=nginx and scale it with kubectl scale --namespace=policy-demo deployment nginx --replicas=2. Pods created that way carry the label app=nginx rather than run=nginx, so the podSelector of the access-nginx policy below must then use app: nginx.

  2. Expose them through a service.

     kubectl expose --namespace=policy-demo deployment nginx --port=80

  3. Ensure the nginx service is accessible.

     kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh

     This should open up a shell session inside the access pod, as shown below.

     Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false
     If you don't see a command prompt, try pressing enter.
     / #

  4. From inside the access pod, attempt to reach the nginx service.

     wget -q nginx -O -

     You should see a response from nginx. Great! Our service is accessible. You can exit the pod now.

Enable isolation

Let’s turn on isolation in our policy-demo namespace. Calico will then block inbound connections to pods in this namespace.

Running the following command creates a NetworkPolicy that implements a default-deny behaviour for all pods in the policy-demo namespace: the empty podSelector selects every pod, and because the policy has no ingress rules, no inbound traffic to those pods is allowed. Since the spec has no egress section, policyTypes defaults to Ingress only, so outbound traffic from these pods remains unrestricted. Note also that the API server accepts NetworkPolicy objects on any cluster, but only a network plugin that implements them (Calico here) enforces them; on a cluster without such a plugin the object is created and nothing changes, which is why the test in the next step matters.

kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny
  namespace: policy-demo
spec:
  podSelector:
    matchLabels: {}
EOF

Test Isolation

This blocks all inbound traffic to the nginx pods, so the service is no longer reachable. We can see the effect by trying to access the service again.

kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh

This should open up a shell session inside the access pod, as shown below.

Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ #

Now from within the busybox access pod execute the following command to test access to the nginx service.

wget -q --timeout=5 nginx -O -

The request should time out after 5 seconds.

wget: download timed out
/ #

By enabling isolation on the namespace, we’ve prevented access to the service.

Allow access using a network policy

Now, let’s enable access to the nginx service using a NetworkPolicy. This will allow incoming connections from our access pod, but not from anywhere else.

Create a network policy access-nginx with the following contents:

kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
  namespace: policy-demo
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
    - from:
      - podSelector:
          matchLabels:
            run: access
EOF

Note: The NetworkPolicy allows traffic from Pods with the label run: access to Pods with the label run: nginx. kubectl run adds the label run=<name> to the Pods it creates (here via the Deployment's pod template), which is why the access pod and the nginx pods carry these labels. Policies are additive: the default-deny policy still selects the nginx pods, but a connection is allowed as soon as any policy selecting the destination has an ingress rule that matches the source.

We should now be able to access the service from the access pod.

kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh

This should open up a shell session inside the access pod, as shown below.

Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ #

Now from within the busybox access pod execute the following command to test access to the nginx service.

wget -q --timeout=5 nginx -O -

This time you should see the nginx welcome page, because the access pod matches the podSelector in the ingress rule of access-nginx.

However, we still cannot access the service from a pod without the label run: access. We can verify this as follows.

kubectl run --namespace=policy-demo cant-access --rm -ti --image busybox /bin/sh

This should open up a shell session inside the cant-access pod, as shown below.

Waiting for pod policy-demo/cant-access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ #

Now from within the busybox cant-access pod execute the following command to test access to the nginx service.

wget -q --timeout=5 nginx -O -

The request should time out.

wget: download timed out
/ #
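To make the decisions in the default-deny and allow-access steps above explicit, here is a small model of the Kubernetes NetworkPolicy ingress semantics. This is an added example, not code from the page or from Calico: the policies and pods are plain Python dicts shaped like the YAML manifests (assumption), and only podSelector/namespaceSelector matchLabels and ingress rules are modelled (no ipBlock, ports or matchExpressions). The pod names, the "other" namespace and the helper function names are made up for the demonstration.

```python
"""Model of Kubernetes NetworkPolicy ingress evaluation (added example,
not part of the Calico tutorial).

Assumptions: policies/pods are dicts mirroring the YAML manifests; only
matchLabels selectors and ingress rules are handled.
"""
from typing import Dict, List, Optional

Labels = Dict[str, str]


def selector_matches(selector: Optional[dict], labels: Labels) -> bool:
    """matchLabels semantics: every key/value must be present.
    An empty selector ({} or matchLabels: {}) matches everything."""
    if selector is None:
        return False
    wanted = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def policy_types(policy: dict) -> List[str]:
    """API default: policyTypes is ["Ingress"] when absent, plus "Egress"
    only if the spec has an egress section."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def peer_matches(peer: dict, src: dict, policy_namespace: str) -> bool:
    """One element of an ingress rule's `from:` list."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is not None and pod_sel is not None:
        # both in the same element: AND
        return (selector_matches(ns_sel, src["namespaceLabels"])
                and selector_matches(pod_sel, src["labels"]))
    if ns_sel is not None:
        return selector_matches(ns_sel, src["namespaceLabels"])
    if pod_sel is not None:
        # a bare podSelector only matches pods in the policy's own namespace
        return (src["namespace"] == policy_namespace
                and selector_matches(pod_sel, src["labels"]))
    return False


def ingress_allowed(src: dict, dst: dict, policies: List[dict]) -> bool:
    """Is a connection src -> dst allowed on the ingress side?
    dst is isolated iff some policy in its namespace with Ingress in
    policyTypes selects it; an isolated pod accepts traffic only if any
    selecting policy has a rule whose `from` matches src (a rule without
    `from` allows all sources). Policies are additive (OR)."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and "Ingress" in policy_types(p)
        and selector_matches(p["spec"].get("podSelector", {}), dst["labels"])
    ]
    if not selecting:
        return True  # not isolated
    for p in selecting:
        for rule in p["spec"].get("ingress") or []:
            peers = rule.get("from")
            if not peers:
                return True
            if any(peer_matches(peer, src, dst["namespace"]) for peer in peers):
                return True
    return False


# The two policies from the tutorial, as dicts.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny", "namespace": "policy-demo"},
    "spec": {"podSelector": {"matchLabels": {}}},
}
ACCESS_NGINX = {
    "metadata": {"name": "access-nginx", "namespace": "policy-demo"},
    "spec": {
        "podSelector": {"matchLabels": {"run": "nginx"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": "access"}}}]}],
    },
}


def pod(name: str, namespace: str, labels: Labels) -> dict:
    # constructed sample pods; namespace label as set by recent Kubernetes
    return {"name": name, "namespace": namespace, "labels": labels,
            "namespaceLabels": {"kubernetes.io/metadata.name": namespace}}


NGINX = pod("nginx-1", "policy-demo", {"run": "nginx"})
ACCESS = pod("access", "policy-demo", {"run": "access"})
CANT = pod("cant-access", "policy-demo", {"run": "cant-access"})
OTHER_NS_ACCESS = pod("access", "other", {"run": "access"})  # same label, other namespace


def demo() -> Dict[str, bool]:
    """Walk the tutorial's stages plus two edge cases; returns the decisions."""
    both = [DEFAULT_DENY, ACCESS_NGINX]
    return {
        "no_policy": ingress_allowed(ACCESS, NGINX, []),
        "default_deny": ingress_allowed(ACCESS, NGINX, [DEFAULT_DENY]),
        "allow_access": ingress_allowed(ACCESS, NGINX, both),
        "cant_access": ingress_allowed(CANT, NGINX, both),
        "other_namespace": ingress_allowed(OTHER_NS_ACCESS, NGINX, both),
        "egress_isolated": "Egress" in policy_types(DEFAULT_DENY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
```

Running the module prints one line per stage: no_policy and allow_access are allowed, default_deny, cant_access and other_namespace are denied, and egress_isolated is false because the default-deny policy never mentions egress. The other_namespace case is the one the page does not exercise: a pod labelled run=access in another namespace is still blocked, since a bare podSelector in a `from` entry only matches pods in the policy's own namespace.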

You can clean up the demo by deleting the demo namespace.

kubectl delete ns policy-demo

This was just a simple example of the Kubernetes NetworkPolicy API and how Calico can secure your Kubernetes cluster. For more information on network policy in Kubernetes, see the Kubernetes user-guide.

For a slightly more detailed demonstration of policy, check out the stars demo.

demo: https://docs.projectcalico.org/v3.6/security/stars-policy/

This article is shared from the WeChat public account 黑洞日志 (heidcloud).


Originally published: 2019-03-18
