Deploying test pods to K8S

kubectl run --generator=run-pod/v1 busybox1 --image=busybox -- sleep 3600
kubectl run --generator=run-pod/v1 busybox2 --image=busybox -- sleep 3600

kubectl get pod -o wide

NAME       READY   STATUS    RESTARTS   AGE   IP            NODE                                           NOMINATED NODE   READINESS GATES
busybox1   1/1     Running   0          69s   10.20.160.6   ip-192-168-76-80.eu-west-1.compute.internal    <none>           <none>
busybox2   1/1     Running   0          51s   10.20.192.4   ip-192-168-76-114.eu-west-1.compute.internal   <none>           <none>

Weave

1. Create a deny-all policy

cat << EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
kubectl exec -ti busybox2 -- ping -c3 10.20.160.6

PING 10.20.160.6 (10.20.160.6): 56 data bytes

--- 10.20.160.6 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

2. Create an allow-out-to-in policy, and add labels to pods

cat << EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-out-to-in
  namespace: default
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector:
        matchLabels:
          test: out
  egress:
  - to:
    - podSelector:
        matchLabels:
          test: in
  policyTypes:
  - Ingress
  - Egress
EOF

3. Set labels of busybox pods

kubectl label pod busybox1 test=in
kubectl label pod busybox2 test=out

kubectl exec -ti busybox2 -- ping -c3 10.20.160.6 

PING 10.20.160.6 (10.20.160.6): 56 data bytes
64 bytes from 10.20.160.6: seq=0 ttl=64 time=0.710 ms
64 bytes from 10.20.160.6: seq=1 ttl=64 time=0.596 ms
64 bytes from 10.20.160.6: seq=2 ttl=64 time=0.637 ms

--- 10.20.160.6 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.596/0.647/0.710 ms
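To make the three steps above reproducible without a cluster, here is an offline model of how Kubernetes NetworkPolicy isolation is evaluated. It is an added example, not code from the original post or from Weave Net: the two policies are the post's YAML written as Python dicts, the pod inventory is constructed to match the walk-through, and it goes a little beyond the post by also checking the reverse direction (busybox1 to busybox2), which the labels do not allow.

```python
"""Offline model of Kubernetes NetworkPolicy evaluation for the busybox1/busybox2
walk-through. Added example; the policies mirror the post's YAML and the pods are
constructed. Ports, protocols, ipBlock and namespaceSelector peers are not modelled,
which is enough for an ICMP ping between two pods in one namespace."""

# Step-1 policy: selects every pod in "default", isolates both directions, has no rules.
DENY_ALL = {
    "metadata": {"name": "deny-all", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

# Step-2 policy: every pod may receive from test=out pods and send to test=in pods.
ALLOW_OUT_TO_IN = {
    "metadata": {"name": "allow-out-to-in", "namespace": "default"},
    "spec": {
        "podSelector": {},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"test": "out"}}}]}],
        "egress": [{"to": [{"podSelector": {"matchLabels": {"test": "in"}}}]}],
        "policyTypes": ["Ingress", "Egress"],
    },
}


def selector_matches(selector, labels):
    """matchLabels subset of label selectors; an empty selector {} matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    """Kubernetes default when policyTypes is omitted: Ingress always, Egress only if egress rules exist."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def peer_matches(peer, pod, policy_namespace):
    """A peer that only has podSelector matches pods in the policy's own namespace."""
    namespace, labels = pod
    if "podSelector" in peer and "namespaceSelector" not in peer:
        return namespace == policy_namespace and selector_matches(peer["podSelector"], labels)
    return False  # other peer kinds are not needed for the walk-through


def direction_allowed(policies, pod, peer, direction):
    """Traffic at `pod` in one direction: "Ingress" (peer -> pod) or "Egress" (pod -> peer)."""
    namespace, labels = pod
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for policy in policies:
        policy_namespace = policy["metadata"]["namespace"]
        spec = policy["spec"]
        if policy_namespace != namespace or not selector_matches(spec["podSelector"], labels):
            continue
        if direction not in policy_types(spec):
            continue
        isolated = True  # at least one policy isolates this pod in this direction
        for rule in spec.get(rules_key, []):
            peers = rule.get(peer_key)
            if not peers:  # a rule with no from/to matches every peer
                return True
            if any(peer_matches(p, peer, policy_namespace) for p in peers):
                return True
    return not isolated  # not isolated: allowed; isolated and no rule matched: denied


def connection_allowed(policies, src, dst):
    """A new flow src -> dst needs egress allowed at src AND ingress allowed at dst.
    Replies ride on the tracked connection, so only the initiating direction is checked."""
    return direction_allowed(policies, src, dst, "Egress") and direction_allowed(policies, dst, src, "Ingress")


def walkthrough():
    """Reproduce the post's sequence: deny-all, add allow-out-to-in, then label the pods."""
    unlabeled = {"busybox1": ("default", {}), "busybox2": ("default", {})}
    labeled = {"busybox1": ("default", {"test": "in"}), "busybox2": ("default", {"test": "out"})}
    both = [DENY_ALL, ALLOW_OUT_TO_IN]
    return {
        "no_policy": connection_allowed([], unlabeled["busybox2"], unlabeled["busybox1"]),
        "step1_deny_all": connection_allowed([DENY_ALL], unlabeled["busybox2"], unlabeled["busybox1"]),
        "step2_before_labels": connection_allowed(both, unlabeled["busybox2"], unlabeled["busybox1"]),
        "step3_labeled": connection_allowed(both, labeled["busybox2"], labeled["busybox1"]),
        "step3_reverse": connection_allowed(both, labeled["busybox1"], labeled["busybox2"]),
    }


if __name__ == "__main__":
    for step, allowed in walkthrough().items():
        print(f"{step:22s} {'allowed' if allowed else 'blocked'}")
```

The `step2_before_labels` entry is the point practitioners most often miss: after step 2 the pods are still isolated, because a policy that selects a pod only opens what its rules match, and with no labels nothing matches. `step3_reverse` shows that the rules are directional: busybox1 carries test=in, so its own egress rule (to test=in) matches nothing, and the ping from busybox1 to busybox2 stays blocked.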

Calico

You can use Calico NetworkPolicy in addition to Kubernetes NetworkPolicy, or exclusively.

1. Create a standard deny-all policy

With Calico you can still define a standard Kubernetes NetworkPolicy.

cat << EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
kubectl exec -ti busybox2 -- ping -c3 192.168.67.136

PING 192.168.67.136 (192.168.67.136): 56 data bytes

--- 192.168.67.136 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

2. Create an allow-ingress-from-out policy in a namespace

Now we can use a Project Calico NetworkPolicy to allow some traffic that the standard deny-all NetworkPolicy would otherwise block.

cat << EOF | kubectl apply -f -
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-out
spec:
    ingress:
    - action: allow
      source:
        selector: test == 'out'
EOF

3. Create an allow-egress-to-in policy globally

Because the previous step only allowed ingress, egress is still isolated by the deny-all policy and the ping doesn't work yet. Now create a GlobalNetworkPolicy enabling egress to pods with the specified label cluster-wide.

cat << EOF | kubectl apply -f -
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: allow-egress-to-in
spec:
    egress:
    - action: allow
      destination:
        selector: test == 'in'
EOF
kubectl exec -ti busybox2 -- ping -c3 192.168.67.136

PING 192.168.67.136 (192.168.67.136): 56 data bytes
64 bytes from 192.168.67.136: seq=0 ttl=254 time=0.068 ms
64 bytes from 192.168.67.136: seq=1 ttl=254 time=0.072 ms
64 bytes from 192.168.67.136: seq=2 ttl=254 time=0.075 ms

--- 192.168.67.136 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.068/0.070/0.072 ms
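The Calico section mixes three policy kinds, so an offline model of how Calico orders and evaluates them makes the "ping fails after step 2, works after step 3" result easier to reason about. This is an added example, not code from the post or from Calico itself. It assumes the pods carry the labels set in the Weave section (test=in on busybox1, test=out on busybox2), relies on the documented behaviour that Calico imports a Kubernetes NetworkPolicy as a policy named `knp.default.<name>` with order 1000, and goes beyond the post by adding constructed pods in a second namespace to show the difference between the namespaced NetworkPolicy and the GlobalNetworkPolicy. Its selector parser handles only the `key == 'value'` form used on the page.

```python
"""Offline model of Calico's ordered, first-match policy evaluation for the page's
three policies. Added example; policy records and pods are constructed. Only the
key == 'value' selector form and the allow/deny actions are modelled."""

import re

# Constructed records mirroring the page's objects. "scope" is a namespace for a
# namespaced policy or "global" for a GlobalNetworkPolicy; order None means unset.
DENY_ALL_K8S = {"name": "knp.default.deny-all", "scope": "default", "order": 1000,
                "types": {"Ingress", "Egress"}, "ingress": [], "egress": []}
ALLOW_INGRESS_FROM_OUT = {"name": "allow-ingress-from-out", "scope": "default", "order": None,
                          "types": {"Ingress"}, "egress": [],
                          "ingress": [{"action": "allow", "source": {"selector": "test == 'out'"}}]}
ALLOW_EGRESS_TO_IN = {"name": "allow-egress-to-in", "scope": "global", "order": None,
                      "types": {"Egress"}, "ingress": [],
                      "egress": [{"action": "allow", "destination": {"selector": "test == 'in'"}}]}

SELECTOR_RE = re.compile(r"^\s*([\w.\-/]+)\s*==\s*'([^']*)'\s*$")


def selector_matches(selector, labels):
    """Empty and all() selectors match everything; otherwise only  key == 'value'  is supported here."""
    if selector in (None, "", "all()"):
        return True
    m = SELECTOR_RE.match(selector)
    if m is None:
        raise ValueError(f"selector form not supported by this model: {selector!r}")
    return labels.get(m.group(1)) == m.group(2)


def applicable_policies(policies, endpoint, direction):
    """Policies that select the endpoint and list this direction in their types, sorted the way
    Calico applies them: lower order first, unordered policies after all ordered ones, ties by name."""
    namespace, labels = endpoint
    chosen = [p for p in policies
              if p["scope"] in ("global", namespace)
              and direction in p["types"]
              and selector_matches(p.get("selector"), labels)]
    chosen.sort(key=lambda p: (p["order"] is None, p["order"] or 0, p["name"]))
    return chosen


def peer_matches(policy, entity, peer):
    """A rule selector in a namespaced policy only sees endpoints of that namespace;
    in a GlobalNetworkPolicy (no namespaceSelector given) it sees every namespace."""
    peer_namespace, peer_labels = peer
    if policy["scope"] != "global" and peer_namespace != policy["scope"]:
        return False
    return selector_matches(entity.get("selector"), peer_labels)


def direction_allowed(policies, endpoint, peer, direction):
    """Walk the applicable policies; the first rule that matches decides. If policies apply but
    no rule matches, the packet is dropped; if no policy applies, the namespace profile allows it."""
    chosen = applicable_policies(policies, endpoint, direction)
    if not chosen:
        return True
    rules_key, peer_key = ("ingress", "source") if direction == "Ingress" else ("egress", "destination")
    for policy in chosen:
        for rule in policy[rules_key]:
            if peer_matches(policy, rule.get(peer_key, {}), peer):
                action = rule["action"].lower()
                if action == "allow":
                    return True
                if action == "deny":
                    return False
                raise ValueError(f"action not modelled here: {rule['action']}")
    return False


def connection_allowed(policies, src, dst):
    """As with Kubernetes policy: egress at the source and ingress at the destination must both allow."""
    return direction_allowed(policies, src, dst, "Egress") and direction_allowed(policies, dst, src, "Ingress")


def walkthrough():
    busybox1 = ("default", {"test": "in"})
    busybox2 = ("default", {"test": "out"})
    staging_in = ("staging", {"test": "in"})    # constructed pods in another namespace
    staging_out = ("staging", {"test": "out"})
    step2 = [DENY_ALL_K8S, ALLOW_INGRESS_FROM_OUT]
    step3 = step2 + [ALLOW_EGRESS_TO_IN]
    return {
        "step1_deny_all": connection_allowed([DENY_ALL_K8S], busybox2, busybox1),
        "step2_ingress_at_busybox1": direction_allowed(step2, busybox1, busybox2, "Ingress"),
        "step2_ping": connection_allowed(step2, busybox2, busybox1),
        "step3_ping": connection_allowed(step3, busybox2, busybox1),
        "step3_cross_ns_egress": connection_allowed(step3, busybox2, staging_in),
        "step3_cross_ns_ingress": connection_allowed(step3, staging_out, busybox1),
    }


if __name__ == "__main__":
    for step, allowed in walkthrough().items():
        print(f"{step:26s} {'allowed' if allowed else 'blocked'}")
```

`step2_ingress_at_busybox1` is allowed while `step2_ping` is blocked, which is exactly the page's observation: the namespaced policy opened ingress on busybox1, but busybox2's egress still hits only the imported deny-all. The two cross-namespace entries show the scope difference worth checking before copying these manifests: the GlobalNetworkPolicy's `test == 'in'` selector matches pods in any namespace, so busybox2 may reach a test=in pod in `staging`, whereas the namespaced policy's `test == 'out'` selector never matches a pod outside `default`, so a test=out pod in `staging` cannot reach busybox1. A GlobalNetworkPolicy with no `selector` also applies to every endpoint Calico manages, not just the pods in one namespace, so scope such policies deliberately.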