Calico for policy and flannel for networking on Kubernetes (Canal)

1. Installing Canal with the Kubernetes API datastore (etcd)

1. Ensure that the Kubernetes controller manager has the following flags set:

--cluster-cidr=10.244.0.0/16 and --allocate-node-cidrs=true

Use this command to check:

 kubectl cluster-info dump | egrep -m 2 "cluster-cidr|allocate-node-cidrs"
  2. With RBAC enabled, issue the following to configure the roles and bindings that Calico requires, and install Canal:
kubectl apply -f https://docs.projectcalico.org/manifests/canal.yaml

2. View the NetworkPolicy definition

# kubectl explain networkpolicy
KIND:     NetworkPolicy
VERSION:  networking.k8s.io/v1

DESCRIPTION:
     NetworkPolicy describes what network traffic is allowed for a set of Pods

FIELDS:
   apiVersion   <string>
     APIVersion defines the versioned schema of this representation of an
     object. Servers should convert recognized schemas to the latest internal
     value, and may reject unrecognized values. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

   kind <string>
     Kind is a string value representing the REST resource this object
     represents. Servers may infer this from the endpoint the client submits
     requests to. Cannot be updated. In CamelCase. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

   metadata     <Object>
     Standard object's metadata. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

   spec <Object>
     Specification of the desired behavior for this NetworkPolicy.
# kubectl explain networkpolicy.spec
KIND:     NetworkPolicy
VERSION:  networking.k8s.io/v1

RESOURCE: spec <Object>

DESCRIPTION:
     Specification of the desired behavior for this NetworkPolicy.

     NetworkPolicySpec provides the specification of a NetworkPolicy

FIELDS:
   egress       <[]Object>
     List of egress rules to be applied to the selected pods. Outgoing traffic
     is allowed if there are no NetworkPolicies selecting the pod (and cluster
     policy otherwise allows the traffic), OR if the traffic matches at least
     one egress rule across all of the NetworkPolicy objects whose podSelector
     matches the pod. If this field is empty then this NetworkPolicy limits all
     outgoing traffic (and serves solely to ensure that the pods it selects are
     isolated by default). This field is beta-level in 1.8

   ingress      <[]Object>
     List of ingress rules to be applied to the selected pods. Traffic is
     allowed to a pod if there are no NetworkPolicies selecting the pod (and
     cluster policy otherwise allows the traffic), OR if the traffic source is
     the pod's local node, OR if the traffic matches at least one ingress rule
     across all of the NetworkPolicy objects whose podSelector matches the pod.
     If this field is empty then this NetworkPolicy does not allow any traffic
     (and serves solely to ensure that the pods it selects are isolated by
     default)

   podSelector  <Object> -required-
     Selects the pods to which this NetworkPolicy object applies. The array of
     ingress rules is applied to any pods selected by this field. Multiple
     network policies can select the same set of pods. In this case, the ingress
     rules for each are combined additively. This field is NOT optional and
     follows standard label selector semantics. An empty podSelector matches all
     pods in this namespace.

   policyTypes  <[]string>
     List of rule types that the NetworkPolicy relates to. Valid options are
     "Ingress", "Egress", or "Ingress,Egress". If this field is not specified,
     it will default based on the existence of Ingress or Egress rules; policies
     that contain an Egress section are assumed to affect Egress, and all
     policies (whether or not they contain an Ingress section) are assumed to
     affect Ingress. If you want to write an egress-only policy, you must
     explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write
     a policy that specifies that no egress is allowed, you must specify a
     policyTypes value that include "Egress" (since such a policy would not
     include an Egress section and would otherwise default to just [ "Ingress"
     ]). This field is beta-level in 1.8
# kubectl explain networkpolicy.spec.egress
KIND:     NetworkPolicy
VERSION:  networking.k8s.io/v1

RESOURCE: egress <[]Object>

DESCRIPTION:
     List of egress rules to be applied to the selected pods. Outgoing traffic
     is allowed if there are no NetworkPolicies selecting the pod (and cluster
     policy otherwise allows the traffic), OR if the traffic matches at least
     one egress rule across all of the NetworkPolicy objects whose podSelector
     matches the pod. If this field is empty then this NetworkPolicy limits all
     outgoing traffic (and serves solely to ensure that the pods it selects are
     isolated by default). This field is beta-level in 1.8

     NetworkPolicyEgressRule describes a particular set of traffic that is
     allowed out of pods matched by a NetworkPolicySpec's podSelector. The
     traffic must match both ports and to. This type is beta-level in 1.8

FIELDS:
   ports        <[]Object>
     List of destination ports for outgoing traffic. Each item in this list is
     combined using a logical OR. If this field is empty or missing, this rule
     matches all ports (traffic not restricted by port). If this field is
     present and contains at least one item, then this rule allows traffic only
     if the traffic matches at least one port in the list.

   to   <[]Object>
     List of destinations for outgoing traffic of pods selected for this rule.
     Items in this list are combined using a logical OR operation. If this field
     is empty or missing, this rule matches all destinations (traffic not
     restricted by destination). If this field is present and contains at least
     one item, this rule allows traffic only if the traffic matches at least one
     item in the to list.

# kubectl explain networkpolicy.spec.egress.to
KIND:     NetworkPolicy
VERSION:  networking.k8s.io/v1

RESOURCE: to <[]Object>

DESCRIPTION:
     List of destinations for outgoing traffic of pods selected for this rule.
     Items in this list are combined using a logical OR operation. If this field
     is empty or missing, this rule matches all destinations (traffic not
     restricted by destination). If this field is present and contains at least
     one item, this rule allows traffic only if the traffic matches at least one
     item in the to list.

     NetworkPolicyPeer describes a peer to allow traffic from. Only certain
     combinations of fields are allowed

FIELDS:
   ipBlock      <Object>
     IPBlock defines policy on a particular IPBlock. If this field is set then
     neither of the other fields can be.

   namespaceSelector    <Object>
     Selects Namespaces using cluster-scoped labels. This field follows standard
     label selector semantics; if present but empty, it selects all namespaces.
     If PodSelector is also set, then the NetworkPolicyPeer as a whole selects
     the Pods matching PodSelector in the Namespaces selected by
     NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected
     by NamespaceSelector.

   podSelector  <Object>
     This is a label selector which selects Pods. This field follows standard
     label selector semantics; if present but empty, it selects all pods. If
     NamespaceSelector is also set, then the NetworkPolicyPeer as a whole
     selects the Pods matching PodSelector in the Namespaces selected by
     NamespaceSelector. Otherwise it selects the Pods matching PodSelector in
     the policy's own Namespace.

3. Network isolation in namespace dev: default deny

 kubectl explain networkpolicy.spec.ingress.from.namespaceSelector
  1. Create a deny-all ingress network policy in namespace dev (an empty podSelector selects every pod in the namespace, and no ingress rules means nothing is allowed in)
# vi ingress-def.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  2. Apply the ingress network policy to namespace dev
[root@xen11-195 NetworkPolicy]# kubectl apply -f ingress-def.yaml 
networkpolicy.networking.k8s.io/deny-all-ingress created
  3. Test connectivity in namespace dev; the result is Failed (curl hangs until interrupted)
[root@xen11-195 NetworkPolicy]# kubectl get pod -n dev -o wide
NAME                        READY   STATUS    RESTARTS   AGE    IP           NODE        NOMINATED NODE   READINESS GATES
my-nginx-75897978cd-2g2xj   1/1     Running   0          111m   10.244.2.3   xen11-197   <none>           <none>
my-nginx-75897978cd-4sldb   1/1     Running   0          111m   10.244.1.2   xen11-196   <none>           <none>
my-nginx-75897978cd-kz27c   1/1     Running   0          111m   10.244.2.2   xen11-197   <none>           <none>
[root@xen11-195 NetworkPolicy]# curl 10.244.2.3
^C

  4. Test connectivity in namespace tst, where no policy selects the pods; the result is OK
[root@xen11-195 NetworkPolicy]# kubectl get pod -n tst -o wide
NAME                        READY   STATUS    RESTARTS   AGE    IP           NODE        NOMINATED NODE   READINESS GATES
my-nginx-75897978cd-2b7xr   1/1     Running   0          111m   10.244.2.5   xen11-197   <none>           <none>
my-nginx-75897978cd-dzqxn   1/1     Running   0          111m   10.244.2.4   xen11-197   <none>           <none>
my-nginx-75897978cd-lz8m9   1/1     Running   0          111m   10.244.1.3   xen11-196   <none>           <none>
[root@xen11-195 NetworkPolicy]# curl 10.244.2.5
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>

4. Network isolation in namespace dev: allow all ingress

  1. Create an "allow all ingress" network policy in namespace dev (a single empty ingress rule matches all sources and all ports)
# vi ingress-def.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress
  2. Apply the ingress network policy to namespace dev (same name as before, so the deny-all policy is replaced)
# kubectl apply -f ingress-def.yaml 
networkpolicy.networking.k8s.io/deny-all-ingress configured
  3. Test connectivity in namespace dev; the result is OK
[root@xen11-195 NetworkPolicy]# kubectl get pod -n dev -o wide
NAME                        READY   STATUS    RESTARTS   AGE    IP           NODE        NOMINATED NODE   READINESS GATES
my-nginx-75897978cd-2g2xj   1/1     Running   0          111m   10.244.2.3   xen11-197   <none>           <none>
my-nginx-75897978cd-4sldb   1/1     Running   0          111m   10.244.1.2   xen11-196   <none>           <none>
my-nginx-75897978cd-kz27c   1/1     Running   0          111m   10.244.2.2   xen11-197   <none>           <none>
[root@xen11-195 NetworkPolicy]# curl 10.244.2.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>

5. podSelector: which pods are controlled

  1. Find the pod labels
# kubectl get pod my-nginx-75897978cd-2g2xj -o yaml -n dev|grep -A 2 labels 
  labels:
    pod-template-hash: 75897978cd
    run: my-nginx

or

 kubectl get pod -n dev --show-labels
  2. Create an "allow ingress for podSelector" network policy in namespace dev
# vi ingress-def.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      run: my-nginx
  ingress:
  - from:
    - ipBlock:
        cidr: 10.244.0.0/16
        except:
        - 10.244.2.8/32
    ports:
    - protocol: TCP
      port: 80

For the pods labelled run: my-nginx, this allows ingress on TCP port 80 from 10.244.0.0/16 but not from 10.244.2.8. Pods in dev without that label are no longer selected by any policy, so they are not isolated.

6. Allow namespace dev to connect to the pods

  1. Create the network policy YAML file (the namespaceSelector below matches namespaces carrying the label namespace=dev, so the dev namespace must be labelled accordingly)
# cat allow-namespace.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: 
    matchLabels:
      run: my-nginx 
  ingress:
  - from:
    - ipBlock:
        cidr: 10.244.0.0/16
        except:
        - 10.244.2.8/32
    - namespaceSelector:
        matchLabels:
          namespace: dev
    ports:
    - protocol: TCP
      port: 80
  2. Apply the network policy file
kubectl apply -f allow-namespace.yaml 
  3. Test from a pod in the default namespace: the connection hangs
#  kubectl run -i --tty busybox --image=busybox --restart=Never
If you don't see a command prompt, try pressing enter.

/ # wget 10.244.2.3
Connecting to 10.244.2.3 (10.244.2.3:80)
  4. Test from a pod in namespace dev: the download succeeds
# kubectl run -i --tty busybox --image=busybox --restart=Never -n dev
If you don't see a command prompt, try pressing enter.
/ # wget 10.244.2.3
Connecting to 10.244.2.3 (10.244.2.3:80)
saving to 'index.html'
index.html           100% |**********************************************************************************************************************************|   612  0:00:00 ETA
'index.html' saved
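As an added example (not from this page or the Calico/Canal project), the following Python evaluator encodes the ingress semantics quoted by kubectl explain above and replays the page's three policies against constructed pods. It assumes the dev namespace carries the label namespace=dev, that the busybox clients have the IPs given, and, since all three policies share the name deny-all-ingress, that each apply replaced the previous one.

```python
import ipaddress  # added example: evaluator for the NetworkPolicy ingress semantics quoted above

def _sel_match(selector, labels):
    # Standard label-selector semantics: a present-but-empty selector matches all.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_match(peer, src, policy_ns):
    # ipBlock excludes the other fields; else namespaceSelector AND podSelector, each defaulting when absent.
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        if ip not in ipaddress.ip_network(blk["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(x) for x in blk.get("except", []))
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    ns_ok = _sel_match(ns_sel, src["ns_labels"]) if ns_sel is not None else src["namespace"] == policy_ns
    pod_ok = _sel_match(pod_sel, src["labels"]) if pod_sel is not None else True
    return ns_ok and pod_ok

def ingress_allowed(policies, src, dst, port, proto="TCP"):
    # Pod-to-pod ingress src -> dst:port; local-node traffic (always allowed by the spec) is not modelled.
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and _sel_match(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True  # no policy selects the pod, so it is not isolated
    for p in selecting:  # rules across all selecting policies are OR-ed
        for rule in p["spec"].get("ingress", []):
            froms, ports = rule.get("from"), rule.get("ports")
            from_ok = not froms or any(_peer_match(f, src, p["metadata"]["namespace"]) for f in froms)
            port_ok = not ports or any(x.get("protocol", "TCP") == proto and x.get("port") == port for x in ports)
            if from_ok and port_ok:  # within one rule, from AND ports must both match
                return True
    return False

# The page's three policies, transcribed from the YAML above (all named deny-all-ingress).
META = {"name": "deny-all-ingress", "namespace": "dev"}
DENY_ALL = {"metadata": META, "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_ALL = {"metadata": META, "spec": {"podSelector": {}, "ingress": [{}], "policyTypes": ["Ingress"]}}
ALLOW_NS = {"metadata": META, "spec": {"podSelector": {"matchLabels": {"run": "my-nginx"}}, "ingress": [{
    "from": [{"ipBlock": {"cidr": "10.244.0.0/16", "except": ["10.244.2.8/32"]}},
             {"namespaceSelector": {"matchLabels": {"namespace": "dev"}}}],
    "ports": [{"protocol": "TCP", "port": 80}]}]}}
# Constructed pods: nginx IPs are from the page's listings; the busybox client
# IPs and the namespace=dev label on the dev namespace are assumptions.
DEV_NS, NGINX, BUSYBOX = {"namespace": "dev"}, {"run": "my-nginx"}, {"run": "busybox"}
NGINX_DEV = {"namespace": "dev", "labels": NGINX, "ip": "10.244.2.3", "ns_labels": DEV_NS}
NGINX_TST = {"namespace": "tst", "labels": NGINX, "ip": "10.244.2.5", "ns_labels": {}}
CLIENT_DEV = {"namespace": "dev", "labels": BUSYBOX, "ip": "10.244.2.9", "ns_labels": DEV_NS}
CLIENT_DEFAULT = {"namespace": "default", "labels": BUSYBOX, "ip": "10.244.2.8", "ns_labels": {}}
```

Replaying the policies shows the one effect the tests above do not: once the podSelector policy replaces the deny-all, a dev pod not labelled run=my-nginx is selected by nothing and is reachable from anywhere.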