Kubernetes policy, basic tutorial
This guide provides a simple way to try out Kubernetes NetworkPolicy
with Calico Cloud. It requires a Kubernetes cluster configured with Calico Cloud networking, and expects that you have kubectl
configured to interact with the cluster.
Configure namespaces
This guide will deploy pods in a Kubernetes namespace. Let's create the Namespace
object for this guide.
kubectl create ns policy-demo
Create demo pods
We'll use Kubernetes Deployment
objects to easily create pods in the namespace.
-
Create some nginx pods in the
policy-demo
namespace.kubectl create deployment --namespace=policy-demo nginx --image=nginx
-
Expose them through a service.
kubectl expose --namespace=policy-demo deployment nginx --port=80
-
Ensure the nginx service is accessible.
kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
This should open up a shell session inside the
access
pod, as shown below.Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false
If you don't see a command prompt, try pressing enter.
/ # -
From inside the
access
pod, attempt to reach thenginx
service.wget -q nginx -O -
You should see a response from
nginx
. Great! Our service is accessible. You can exit the pod now.
Enable isolation
Let's turn on isolation in our policy-demo
namespace. Calico Cloud will then prevent connections to pods in this namespace.
Running the following command creates a NetworkPolicy which implements a default deny behavior for all pods in the policy-demo
namespace.
kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny
namespace: policy-demo
spec:
podSelector:
matchLabels: {}
EOF
Test Isolation
This will prevent all access to the nginx service. We can see the effect by trying to access the service again.
kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
This should open up a shell session inside the access
pod, as shown below.
Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false
If you don't see a command prompt, try pressing enter.
/ #
Now from within the busybox access
pod execute the following command to test access to the nginx service.
wget -q --timeout=5 nginx -O -
The request should time out after 5 seconds.
wget: download timed out
/ #
By enabling isolation on the namespace, we've prevented access to the service.
Allow access using a network policy
Now, let's enable access to the nginx service using a NetworkPolicy. This will allow incoming connections from our access
pod, but not
from anywhere else.
Create a network policy access-nginx
with the following contents:
kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: access-nginx
namespace: policy-demo
spec:
podSelector:
matchLabels:
app: nginx
ingress:
- from:
- podSelector:
matchLabels:
run: access
EOF
The NetworkPolicy allows traffic from Pods with
the label run: access
to Pods with the label app: nginx
. The
labels are automatically added by kubectl and
are based on the name of the resource.
We should now be able to access the service from the access
pod.
kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
This should open up a shell session inside the access
pod, as shown below.
Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false
If you don't see a command prompt, try pressing enter.
/ #
Now from within the busybox access
pod execute the following command to test access to the nginx service.
wget -q --timeout=5 nginx -O -
However, we still cannot access the service from a pod without the label run: access
.
We can verify this as follows.
kubectl run --namespace=policy-demo cant-access --rm -ti --image busybox /bin/sh
This should open up a shell session inside the cant-access
pod, as shown below.
Waiting for pod policy-demo/cant-access-472357175-y0m47 to be running, status is Pending, pod ready: false
If you don't see a command prompt, try pressing enter.
/ #
Now from within the busybox cant-access
pod execute the following command to test access to the nginx service.
wget -q --timeout=5 nginx -O -
The request should time out.
wget: download timed out
/ #
You can clean up the demo by deleting the demo namespace.
kubectl delete ns policy-demo
This was just a simple example of the Kubernetes NetworkPolicy API and how Calico can secure your Kubernetes cluster. For more information on network policy in Kubernetes, see the Kubernetes user-guide.
For a slightly more detailed demonstration of policy, check out the Kubernetes policy demo.