Calico network foundation

General Catalog Index: K8s network Calico from getting started to giving up series

1. Create service

Create a namespace

kubectl create ns policy-demo

Create two replicas of an nginx Pod in the policy-demo namespace

kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx

If you get the same warning I did:

Flag --replicas has been deprecated, has no effect and will be removed in the future

This is because --replicas was deprecated in Kubernetes v1.18.0 and has no effect; creating the Pods through a Deployment is the recommended way instead.

vim nginx-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: policy-demo
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

kubectl apply -f nginx-deployment.yaml

Expose port 80 of nginx through a Service

kubectl expose --namespace=policy-demo deployment nginx --port=80

kubectl get all -n policy-demo

Access the nginx Service from a busybox Pod

kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh

wget -q nginx -O -

2. Enable network isolation

Turn on isolation in the policy-demo namespace. Calico then blocks connections to the Pods in that namespace. Running the following command creates a NetworkPolicy that implements default-deny behavior for all Pods in the policy-demo namespace.

kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny
  namespace: policy-demo
spec:
  podSelector:
    matchLabels: {}
EOF

3. Test isolation

All access to the nginx Service is now blocked. You can see the effect by trying to access the Service again.

kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh

wget -q --timeout=5 nginx -O -

The connection will time out.

4. Allow access through network policy

Now, use a network policy to enable access to the nginx Service. This allows incoming connections from the access Pod, but not from anywhere else.

Create the access-nginx network policy as follows:

kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
  namespace: policy-demo
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
    - from:
      - podSelector:
          matchLabels:
            run: access
EOF

Access the Service from the access Pod

kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh

wget -q --timeout=5 nginx -O -

A Pod without the run: access label cannot access the Service. Verify as follows:

kubectl run --namespace=policy-demo cant-access --rm -ti --image busybox /bin/sh

wget -q --timeout=5 nginx -O -
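To see why the access Pod gets through and cant-access does not, here is an added example (not part of the original post or of Calico) that simulates the Kubernetes NetworkPolicy ingress rules for the two policies above. It assumes, as kubectl does, that `kubectl run <name>` labels its Pod run=<name> and that the Deployment's Pods carry app: nginx; only same-namespace podSelector peers are modelled.

```python
# Added example: a minimal simulator of NetworkPolicy ingress semantics,
# written as Python dicts that mirror the two YAML policies on this page.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny", "namespace": "policy-demo"},
    "spec": {"podSelector": {"matchLabels": {}}},  # {} selects every Pod
}
ACCESS_NGINX = {
    "metadata": {"name": "access-nginx", "namespace": "policy-demo"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": "access"}}}]}],
    },
}
# Constructed Pod label sets: kubectl run sets run=<name>, the Deployment sets app=nginx
NGINX = {"app": "nginx"}
ACCESS = {"run": "access"}
CANT_ACCESS = {"run": "cant-access"}


def selector_matches(selector, labels):
    # matchLabels: every key/value must be present; an empty selector matches all
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def policy_types(policy):
    # policyTypes defaults to Ingress, plus Egress only when egress rules are declared
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def ingress_allowed(policies, dst_labels, src_labels, namespace="policy-demo"):
    # A Pod becomes isolated for ingress as soon as any Ingress policy selects it.
    # Isolated Pods accept only traffic matched by some 'from' peer of a selecting
    # policy; policies are additive, so one match anywhere is enough to allow.
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == namespace
        and "Ingress" in policy_types(p)
        and selector_matches(p["spec"]["podSelector"], dst_labels)
    ]
    if not selecting:
        return True  # not isolated: Kubernetes default is allow-all
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            if "from" not in rule:
                return True  # a rule without 'from' admits every source
            for peer in rule["from"]:
                sel = peer.get("podSelector")
                if sel is not None and selector_matches(sel, src_labels):
                    return True
    return False
```

With only default-deny applied every source is refused; adding access-nginx admits the run: access Pod while cant-access still fails, matching the wget results above.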

Finally, you can delete the namespace once you no longer need it

kubectl delete ns policy-demo

Reference article: https://docs.projectcalico.org/security/tutorials/kubernetes-policy-basic

Tags: Nginx network vim Kubernetes

Posted on Fri, 08 May 2020 10:57:21 -0400 by Aikon