NetworkPolicy-Calico

This workshop will walk you through how to create network policies in Kubernetes using Calico.

An article with more details and explanation will be available soon.

Check the commands.sh file to get all the commands used in this workshop.

0. Setting up AKS with Calico enabled

We'll need a Kubernetes cluster with Calico enabled: on AKS, pass --network-policy calico to az aks create when creating the cluster; on Minikube, start it with the Calico CNI. The NetworkPolicy API is part of Kubernetes itself, but it is only enforced by the cluster's network plugin. On a cluster whose CNI does not implement policies, the objects created below are accepted by the API server and silently have no effect, so every "blocked" test in this workshop would still succeed.

1. Deny inbound traffic from all Pods

1.1. Create development namespace with labels

kubectl create -f 1-namespace-development.yaml
or
kubectl create namespace development
kubectl label namespace/development purpose=development

1.2. Create an nginx Pod and Service

kubectl run backend --image=nginx --labels app=webapp,role=backend --namespace development --expose --port 80
or
kubectl create -f 1-pod-svc-nginx-backend.yaml

This creates a Pod labelled app=webapp,role=backend and, because of --expose, a ClusterIP Service named backend in front of it. The policies below select the Pod by these labels, so keep them exactly as written. On kubectl older than 1.18, add --generator=run-pod/v1 so that kubectl run creates a bare Pod instead of a Deployment; the flag has since been removed.

1.3. Create an Alpine Pod for testing access to other Pods

kubectl run --rm -it --image=alpine frontend --namespace development
wget -qO- http://backend
or
kubectl create -f 1-pod-alpine-test.yaml
kubectl exec alpine -n development -- wget -qO- http://backend

The first form drops you into a shell inside a throwaway Pod (deleted on exit because of --rm); the wget line is typed at that prompt. The second form keeps a long-lived Pod named alpine around and runs wget in it with kubectl exec. Both should print the nginx welcome page: without any NetworkPolicy in the namespace, every Pod can talk to every other Pod.

1.4. Create a Network Policy to deny all connections to backend Pod

kubectl apply -f 1-network-policy-deny-all.yaml

A Pod that is selected by at least one NetworkPolicy only accepts the inbound traffic that some policy explicitly allows. A policy that selects backend and allows nothing therefore blocks every connection to it, from inside and outside the namespace; Pods the policy does not select, such as the Alpine test Pod, are unaffected.
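The manifest applied here is not shown on this page. The following is an added reconstruction that produces the behaviour tested in step 1.5; it is not the repository's own 1-network-policy-deny-all.yaml. The policy name backend-policy is assumed; the namespace and Pod labels come from steps 1.1 and 1.2.

```yaml
# Added example (not the repository's file): default-deny ingress for the backend Pod.
# Assumed name: backend-policy. Namespace and labels match steps 1.1 and 1.2.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: development
spec:
  # Which Pods the policy applies to: the nginx Pod created in 1.2.
  # An empty selector ({}) would instead apply to every Pod in the namespace,
  # which is the usual way to make a whole namespace default-deny.
  podSelector:
    matchLabels:
      app: webapp
      role: backend
  # Ingress is listed in policyTypes but no ingress rules follow, so every
  # inbound connection to the selected Pod is dropped. Egress is not listed,
  # so the backend can still open outbound connections (DNS, other services).
  policyTypes:
  - Ingress
```

Check that the policy was accepted and selects the right Pod with kubectl describe networkpolicy backend-policy -n development; the PodSelector line must show app=webapp,role=backend. If nothing is blocked in step 1.5, the cluster's CNI is not enforcing policies (see section 0).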

1.5. Test access to backend Pod

We'll reuse the same Alpine image to run the test:
kubectl run --rm -it --image=alpine frontend --namespace development
wget -qO- --timeout=2 http://backend
or
kubectl exec alpine -n development -- wget -qO- --timeout=2 http://backend

This time wget should fail with "download timed out". Traffic denied by a NetworkPolicy is dropped rather than rejected, so without --timeout the request would simply hang; a timeout, not a connection refused, is the expected sign that the policy is being enforced.

2. Allow inbound traffic based on pod labels

2.1. Update the previous Network Policy to allow traffic only from Pods with specific labels

kubectl apply -f 2-network-policy-allow-pod.yaml
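As in step 1.4, the applied manifest is not on the page; this added reconstruction (not the repository's 2-network-policy-allow-pod.yaml) gives the results tested in 2.2 and 2.3. It reuses the assumed name backend-policy, so kubectl apply replaces the deny-all policy instead of adding a second one.

```yaml
# Added example (not the repository's file): allow ingress to backend only from
# Pods labelled app=webapp,role=frontend. Same assumed name as the deny-all
# policy, so kubectl apply replaces it rather than adding a second policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: development
spec:
  podSelector:
    matchLabels:
      app: webapp
      role: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    # A podSelector on its own only matches Pods in the policy's own namespace
    # (development); a role=frontend Pod in another namespace is not admitted.
    - podSelector:
        matchLabels:
          app: webapp
          role: frontend
    # Limit the opening to the port the Service actually exposes.
    ports:
    - protocol: TCP
      port: 80
```

Two points worth keeping in mind. NetworkPolicies are additive: if the deny-all policy had a different name, both would coexist and the union of their allow rules would apply (the same result here, since deny-all allows nothing). And the trust anchor is the label: anyone permitted to create or patch Pods in development can label a Pod role=frontend and get through, so label-based policy is only as strong as the RBAC on that namespace.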

2.2. Test with a Pod whose labels match

kubectl run --rm -it frontend --image=alpine --labels app=webapp,role=frontend --namespace development
wget -qO- http://backend

The nginx page is returned: the source Pod carries the labels the policy allows.

2.3. Test with a Pod whose labels do not match

kubectl run --rm -it --image=alpine frontend --namespace development
wget -qO- --timeout=2 http://backend

The request times out: a Pod without the role=frontend label is not in the allowed set, even though it runs in the same namespace.

3. Allow traffic only from Pods with matching labels and within a specific namespace

3.1. Test without a policy: a Pod in another namespace can reach backend

Delete the policy from step 2.1 first (a podSelector on its own only matches Pods in the policy's own namespace, so that policy already keeps production out). Then create the production namespace and confirm that a frontend Pod there reaches backend through its cross-namespace DNS name, backend.development:

kubectl create namespace production
kubectl label namespace/production purpose=production
kubectl run --rm -it frontend --image=alpine --labels app=webapp,role=frontend --namespace production
wget -qO- http://backend.development

3.2. Create the policy

kubectl apply -f 3-network-policy-allow-pod-namespace.yaml
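Again the manifest is not shown on the page. This added reconstruction (not the repository's 3-network-policy-allow-pod-namespace.yaml) produces the results of steps 3.3 and 3.4, using the assumed name backend-policy and the namespace label set in step 1.1.

```yaml
# Added example (not the repository's file): allow ingress to backend only from
# role=frontend Pods that live in a namespace labelled purpose=development.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: development
spec:
  podSelector:
    matchLabels:
      app: webapp
      role: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    # One list item carrying BOTH selectors: a source must match the namespace
    # label AND the Pod labels. This is what makes 3.3 fail and 3.4 succeed.
    - namespaceSelector:
        matchLabels:
          purpose: development
      podSelector:
        matchLabels:
          app: webapp
          role: frontend
    # The easy mistake is a leading dash in front of podSelector as well:
    #   - namespaceSelector: {matchLabels: {purpose: development}}
    #   - podSelector: {matchLabels: {app: webapp, role: frontend}}
    # That is two independent rules joined by OR: every Pod in the development
    # namespace gets in, whatever its labels.
    ports:
    - protocol: TCP
      port: 80
```

Namespace labels are the stronger trust anchor of the two: purpose=development is set by whoever can edit Namespace objects, a cluster-level right, whereas Pod labels are controlled by anyone who can write Pods in the namespace. Verify the shape of the rule with kubectl describe networkpolicy backend-policy -n development and check that the namespace and Pod selectors appear together in a single From entry.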

3.3. Test with policy: matching labels but wrong namespace

kubectl run --rm -it frontend --image=alpine --labels app=webapp,role=frontend --namespace production
wget -qO- --timeout=2 http://backend.development

The request times out: the Pod labels match, but the namespace label does not.

3.4. Test with policy: matching labels and the right namespace

kubectl run --rm -it frontend --image=alpine --labels app=webapp,role=frontend --namespace development
wget -qO- http://backend

The nginx page is returned: both the namespace label and the Pod labels match.

Contributors

houssemdellai
