Configuring the Calico network policy controller
Calico
- Apply policies to any object: pod, container, virtual machine, or interface.
- Specify a particular action in the policy rules: prohibit, allow, or log.
- Specify as a target or a source: port, port range, protocols, HTTP and ICMP attributes, IP address or subnet, and other objects.
- Regulate traffic using DNAT settings and traffic forwarding policies.
To configure the Calico network policy controller:
- Create an nginx service
- Isolate pods using network policies
- Create network policies enabling service access
If you no longer need the resources you created, delete them.
Getting started
-
Create an infrastructure:
ManuallyTerraform-
Create security groups for the Managed Service for Kubernetes cluster and its node groups.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
-
Create a Managed Service for Kubernetes cluster and a node group in any suitable configuration. When creating it, specify the network, subnet, and security groups prepared earlier. Also, enable the Calico network policy controller in the cluster:
-
If you do not have Terraform yet, install it.
-
Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.
-
Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it
. -
Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.
-
Download the k8s-calico.tf
configuration file of the Managed Service for Kubernetes cluster to the same working directory. The file describes:-
Subnet
-
Managed Service for Kubernetes cluster
-
Service account required for the Managed Service for Kubernetes cluster and node group.
-
Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
-
Specify the following in the configuration file:
- Folder ID.
- Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
- Managed Service for Kubernetes cluster CIDR.
- Name of the Managed Service for Kubernetes cluster service account.
-
Run the
terraform init
command in the directory with the configuration files. This command initializes the provider specified in the configuration files and enables you to use the provider resources and data sources. -
Make sure the Terraform configuration files are correct using this command:
terraform validate
If there are any errors in the configuration files, Terraform will point them out.
-
Create the required infrastructure:
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console
. -
-
Install kubectl
and configure it to work with the created cluster. -
Create the
policy-test
namespace in your Managed Service for Kubernetes cluster.
Create an nginx service
-
Create a pod with the nginx web server in the
policy-test
namespace. Use the Kubernetes Deployment API object:kubectl create deployment --namespace=policy-test nginx --image=nginx
Result:
deployment.apps/nginx created
-
Run the pod with nginx as a Kubernetes service:
kubectl expose --namespace=policy-test deployment nginx --port=80
Result:
service/nginx exposed
-
Make sure the nginx web server is available. Create a pod named
access
:kubectl run --namespace=policy-test access --rm -ti --image busybox /bin/sh
A shell session opens on the
access
pod:If you don't see a command prompt, try pressing enter. / #
-
Connect to the nginx web server via the session on the
access
pod:wget -q nginx -O -
The nginx web server is available:
<!DOCTYPE html> <html> <head> ... <p><em>Thank you for using nginx.</em></p> </body> </html>
-
Exit the pod:
/ # exit
The pod is deleted:
Session ended, resume using 'kubectl attach access -c access -i -t' command when the pod is running pod "access" deleted
Isolate pods using network policies
Isolate the policy-test
namespace. As a result, the Calico network policy controller prevents connections to pods in this namespace:
kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: deny
namespace: policy-test
spec:
podSelector:
matchLabels: {}
EOF
Network policies are created:
networkpolicy.networking.k8s.io/deny created
Test whether isolation works
-
Network policies isolated the nginx web server. To check this, create a pod named
access
:kubectl run --namespace=policy-test access --rm -ti --image busybox /bin/sh
A shell session opens on the
access
pod:If you don't see a command prompt, try pressing enter. / #
-
Check if the
access
pod can access the nginx web server:wget -q --timeout=5 nginx -O -
No connection is established:
wget: download timed out / #
-
Exit the pod:
/ # exit
The pod is deleted:
Session ended, resume using 'kubectl attach access -c access -i -t' command when the pod is running pod "access" deleted
Create network policies enabling service access
Allow access to the nginx web server using network policies. Only the access
pod will be allowed to connect by the network policies.
-
Create
access-nginx
network policies:kubectl create -f - <<EOF kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: access-nginx namespace: policy-test spec: podSelector: matchLabels: app: nginx policyTypes: - Ingress - Egress ingress: - from: - podSelector: matchLabels: run: access egress: - to: - podSelector: matchLabels: app: nginx EOF
Note
Network policies will allow traffic from pods with the
run: access
Kubernetes label to pods with theapp: nginx
Kubernetes label. Labels are automatically added by kubectl based on the resource name.Network policies are created:
networkpolicy.networking.k8s.io/access-nginx created
-
Create a pod named
access
:kubectl run --namespace=policy-test access --rm -ti --image busybox /bin/sh
A shell session opens on the
access
pod:If you don't see a command prompt, try pressing enter. / #
-
Check if the
access
pod can access the nginx web server:wget -q --timeout=5 nginx -O -
The connection is established:
<!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> ...
-
Exit the pod:
/ # exit
The pod is deleted:
Session ended, resume using 'kubectl attach access -c access -i -t' command when the pod is running pod "access" deleted
Check the network isolation functionality for other pods
The created access-nginx
network policies allow connections for pods with the run: access
Kubernetes label.
-
Create a pod with no
run: access
label:kubectl run --namespace=policy-test cant-access --rm -ti --image busybox /bin/sh
A shell session opens on the
cant-access
pod:If you don't see a command prompt, try pressing enter. / #
-
Check if the
cant-access
pod can access the nginx web server:wget -q --timeout=5 nginx -O -
No connection is established:
wget: download timed out / #
-
Exit the pod:
/ # exit
The pod is deleted:
Session ended, resume using 'kubectl attach access -c access -i -t' command when the pod is running pod "cant-access" deleted
-
To delete the sample data, delete the namespace:
kubectl delete ns policy-test
Command result:
namespace "policy-test" deleted
Delete the resources you created
Delete the resources you no longer need to avoid paying for them:
- Delete the Managed Service for Kubernetes cluster.
- If you reserved a public static IP address for your Managed Service for Kubernetes cluster, delete it.
-
In the command line, go to the directory with the current Terraform configuration file with an infrastructure plan.
-
Delete the
k8s-calico.tf
configuration file. -
Make sure the Terraform configuration files are correct using this command:
terraform validate
If there are any errors in the configuration files, Terraform will point them out.
-
Confirm updating the resources.
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
All the resources described in the
k8s-calico.tf
configuration file will be deleted. -