Calico Network Policy: Advanced Tutorial

Series index: K8s Networking with Calico, From Getting Started to Giving Up

1. Create the namespace, Deployment and Service

kubectl create ns advanced-policy-demo

The Calico tutorial creates nginx with kubectl run --replicas=2, but kubectl v1.18 removed the --replicas flag (kubectl run now only creates a single pod), so the nginx Deployment is created from a YAML file instead:

vim nginx-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: advanced-policy-demo
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

kubectl apply -f nginx-deployment.yaml

Create a Service for the nginx Deployment that exposes port 80:

kubectl expose --namespace=advanced-policy-demo deployment nginx --port=80

Verify access. Start a busybox pod in the same namespace and fetch the nginx front page from inside it:

kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh

wget -q --timeout=5 nginx -O -

Then test outbound access to the Internet (Baidu is used here; the Calico tutorial uses google.com):

wget -q --timeout=5 www.baidu.com -O -

2. Deny all ingress traffic

The empty podSelector selects every pod in the namespace, and policyTypes: [Ingress] with no ingress rules means none of them accepts any inbound connection:

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
EOF

2.1 Verify access

kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh

wget -q --timeout=5 nginx -O -

wget -q --timeout=5 www.baidu.com -O -

The request to the nginx Service now times out, while the request to the Internet still succeeds: the policy only isolates the Ingress direction, so egress is unaffected.

3. Allow ingress traffic to nginx

Run the following command to create a NetworkPolicy that allows ingress to the pods labeled app: nginx from any pod in the advanced-policy-demo namespace. No policyTypes is given, so it defaults to Ingress because only ingress rules are present. Policies are additive: this allow rule is combined with default-deny-ingress, so nginx is now reachable from inside the namespace but nothing else in the namespace is.

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
    - from:
      - podSelector:
          matchLabels: {}
EOF

Verify access to the nginx Service:

kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh

wget -q --timeout=5 nginx -O -

With this policy in place, the nginx Service is reachable again.

4. Deny all egress traffic

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
EOF

4.1 Verify access: all egress denied

Inbound or outbound traffic that is not explicitly allowed by some policy is now dropped. In particular, egress from the access pod to kube-dns is blocked too, so the nslookup below fails as well as the HTTP request:

kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh

nslookup nginx

wget -q --timeout=5 www.baidu.com -O -

5. Allow DNS egress traffic

Run the following commands to label the kube-system namespace with name=kube-system, then create a NetworkPolicy that allows egress on UDP port 53 from any pod in the advanced-policy-demo namespace to the kube-system namespace. The label is needed because a namespaceSelector can only match on labels. On Kubernetes 1.21 and later every namespace already carries the immutable label kubernetes.io/metadata.name, which can be used instead of adding one by hand.

kubectl label namespace kube-system name=kube-system

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-access
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
    ports:
    - protocol: UDP
      port: 53
EOF

5.1 Verify access: DNS allowed (run from the shell of the access pod)

nslookup nginx

nslookup www.baidu.com

Both lookups now succeed. Even though DNS egress works, all other egress from pods in the advanced-policy-demo namespace is still blocked, so the HTTP requests made by wget still fail. Note that this policy allows UDP 53 only; resolvers retry over TCP 53 when a response is truncated, so a production DNS egress policy should normally list both protocols.

6. Allow egress traffic to nginx

Run the following command to create a NetworkPolicy that allows egress from any pod in the advanced-policy-demo namespace to pods in the same namespace labeled app: nginx. A podSelector used without a namespaceSelector only matches pods in the policy's own namespace.

kubectl create -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-advance-policy-ns
  namespace: advanced-policy-demo
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: nginx
EOF

6.1 Verify access: egress to nginx allowed

wget -q --timeout=5 nginx -O -

wget -q --timeout=5 www.baidu.com -O -

The nginx request succeeds, but the request to Baidu times out: the name still resolves, because DNS egress to kube-system is allowed, but the only other egress permitted is to pods labeled app: nginx in the advanced-policy-demo namespace, so the HTTP connection to the Internet is dropped.
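The outcome of every verification step in sections 2 to 6 follows from four rules of the NetworkPolicy model: a pod is only isolated in a direction once some policy selecting it lists that direction in policyTypes; allow rules from all selecting policies are unioned; a podSelector peer without a namespaceSelector is scoped to the policy's own namespace; and a connection must pass the egress check at the source and the ingress check at the destination. The following evaluator is an added example, not code from the Calico tutorial or from this page: it encodes those rules, writes the five policies above as Python dicts of the same shape as the YAML, and replays the page's three probes after each policy is created. The pod inventory (the run=access label set by kubectl run, the k8s-app=kube-dns label on the CoreDNS pods, and an "internet" endpoint outside the cluster) is constructed, and the evaluator models only podSelector/namespaceSelector peers with matchLabels, not ipBlock, matchExpressions or named ports.

```python
"""Evaluate Kubernetes NetworkPolicy semantics against the tutorial's policies.

Added example, not from the Calico tutorial: the five policies from sections 2
to 6 are written as dicts with the same shape as the YAML, and run_tutorial()
replays the page's three probes (wget nginx, nslookup, wget baidu) after each.
"""

# Constructed inventory mirroring the tutorial: namespace labels and pods.
NAMESPACES = {
    "advanced-policy-demo": {},
    "kube-system": {"name": "kube-system"},  # set by `kubectl label namespace`
}
PODS = {
    "access":   {"ns": "advanced-policy-demo", "labels": {"run": "access"}},
    "nginx":    {"ns": "advanced-policy-demo", "labels": {"app": "nginx"}},
    "kube-dns": {"ns": "kube-system", "labels": {"k8s-app": "kube-dns"}},
    "internet": {"ns": None, "labels": {}},  # any endpoint outside the cluster
}

def selects(match_labels, labels):
    """matchLabels semantics: {} matches everything, otherwise every key must be equal."""
    return all(labels.get(k) == v for k, v in match_labels.items())

def peer_matches(peer, policy_ns, target):
    """Does one `from`/`to` entry match the target pod (or an external endpoint)?"""
    if target["ns"] is None:
        return False  # only an ipBlock peer (not modelled here) can match external traffic
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if ns_sel is None:
        ns_ok = target["ns"] == policy_ns  # a lone podSelector is scoped to the policy's namespace
    else:
        ns_ok = selects(ns_sel["matchLabels"], NAMESPACES.get(target["ns"], {}))
    pod_ok = pod_sel is None or selects(pod_sel["matchLabels"], target["labels"])
    return ns_ok and pod_ok

def rule_matches(rule, peer_key, policy_ns, target, protocol, port):
    """A rule with no peers matches every peer; a rule with no ports matches every port."""
    peers, ports = rule.get(peer_key), rule.get("ports")
    peer_ok = not peers or any(peer_matches(p, policy_ns, target) for p in peers)
    port_ok = not ports or any(
        p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)
    return peer_ok and port_ok

def policy_types(pol):
    """Default policyTypes: Ingress always, plus Egress only if egress rules are present."""
    spec = pol["spec"]
    return set(spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"]))

def direction_allowed(policies, pod, direction, other, protocol, port):
    """One side of a connection; `direction` is "Ingress" (pod is dst) or "Egress" (pod is src)."""
    if pod["ns"] is None:
        return True  # nothing outside the cluster is subject to NetworkPolicy
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == pod["ns"]
                 and direction in policy_types(p)
                 and selects(p["spec"]["podSelector"]["matchLabels"], pod["labels"])]
    if not selecting:
        return True  # no policy isolates the pod in this direction
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    # Policies are additive: any matching rule in any selecting policy allows the traffic.
    return any(rule_matches(r, peer_key, p["metadata"]["namespace"], other, protocol, port)
               for p in selecting for r in p["spec"].get(rules_key, []))

def allowed(policies, src, dst, protocol="TCP", port=80):
    """A connection needs egress permission at src AND ingress permission at dst."""
    return (direction_allowed(policies, src, "Egress", dst, protocol, port)
            and direction_allowed(policies, dst, "Ingress", src, protocol, port))

def netpol(name, pod_labels, **spec):
    """Policy dict in the advanced-policy-demo namespace; **spec is policyTypes/ingress/egress."""
    spec["podSelector"] = {"matchLabels": pod_labels}
    return {"metadata": {"name": name, "namespace": "advanced-policy-demo"}, "spec": spec}

# The tutorial's policies in creation order (sections 2, 3, 4, 5, 6).
TUTORIAL_POLICIES = [
    netpol("default-deny-ingress", {}, policyTypes=["Ingress"]),
    netpol("access-nginx", {"app": "nginx"},
           ingress=[{"from": [{"podSelector": {"matchLabels": {}}}]}]),
    netpol("default-deny-egress", {}, policyTypes=["Egress"]),
    netpol("allow-dns-access", {}, policyTypes=["Egress"],
           egress=[{"to": [{"namespaceSelector": {"matchLabels": {"name": "kube-system"}}}],
                    "ports": [{"protocol": "UDP", "port": 53}]}]),
    netpol("allow-egress-to-advance-policy-ns", {}, policyTypes=["Egress"],
           egress=[{"to": [{"podSelector": {"matchLabels": {"app": "nginx"}}}]}]),
]

def run_tutorial():
    """Replay the page: after each policy is created, repeat the three probes from the access pod."""
    access, nginx, dns, internet = (PODS[k] for k in ("access", "nginx", "kube-dns", "internet"))
    results = {}
    for step in range(len(TUTORIAL_POLICIES) + 1):
        results[step] = {
            "wget nginx": allowed(TUTORIAL_POLICIES[:step], access, nginx, "TCP", 80),
            "nslookup": allowed(TUTORIAL_POLICIES[:step], access, dns, "UDP", 53),
            "wget baidu": allowed(TUTORIAL_POLICIES[:step], access, internet, "TCP", 80),
        }
    return results

if __name__ == "__main__":
    for step, probes in run_tutorial().items():
        name = TUTORIAL_POLICIES[step - 1]["metadata"]["name"] if step else "(no policy)"
        print(f"after {name:36s}", {k: "ok" if v else "DENIED" for k, v in probes.items()})
```

Running the script prints one line per step and reproduces the page: nginx denied after step 2, allowed after step 3, everything denied after step 4, only DNS after step 5, DNS plus nginx after step 6, with Baidu still denied. The evaluator is also a cheap way to check a policy set before applying it; for example, allowed(TUTORIAL_POLICIES[:4], PODS["access"], PODS["kube-dns"], "TCP", 53) returns False, which is the UDP-only caveat from section 5 made concrete.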

7. Clean up the namespace

kubectl delete ns advanced-policy-demo

Reference article: https://docs.projectcalico.org/security/tutorials/kubernetes-policy-advanced

Tags: Nginx DNS network vim

Posted on Thu, 07 May 2020 17:14:57 -0700 by Jen_u41