Network policies are a crucial aspect of Kubernetes security, allowing fine-grained control over pod-to-pod communication. In this hands-on guide, we’ll walk through setting up a Kind cluster with Calico, deploying applications, and implementing network policies.
Step 1: Creating a Kind Cluster with Custom Networking
First, let’s create a Kind cluster with the default CNI disabled:
kind: ClusterapiVersion: kind.x-k8s.io/v1alpha4nodes: - role: control-plane extraPortMappings: - containerPort: 30001 hostPort: 30001 - role: worker - role: workernetworking: disableDefaultCNI: true podSubnet: 192.168.0.0/16
Save this as kind-config.yaml
and create the cluster:
kind create cluster --config kind-config.yaml
Step 2: Installing Calico
Follow the official Calico documentation to install it on your Kind cluster:
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/tigera-operator.yamlkubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/custom-resources.yaml
Step 3: Deploying Applications
Let’s create deployments for frontend, backend, and db:
apiVersion: apps/v1kind: Deploymentmetadata: name: frontendspec: replicas: 1 selector: matchLabels: app: frontend template: metadata: labels: app: frontend spec: containers: - name: nginx image: nginx ports: - containerPort: 80---apiVersion: apps/v1kind: Deploymentmetadata: name: backendspec: replicas: 1 selector: matchLabels: app: backend template: metadata: labels: app: backend spec: containers: - name: nginx image: nginx ports: - containerPort: 80---apiVersion: apps/v1kind: Deploymentmetadata: name: dbspec: replicas: 1 selector: matchLabels: app: db template: metadata: labels: app: db spec: containers: - name: mysql image: mysql:5.7 ports: - containerPort: 3306 env: - name: MYSQL_ROOT_PASSWORD value: password
Save this as deployments.yaml
and apply:
kubectl apply -f deployments.yaml
Step 4: Exposing Services
Now, let’s expose these deployments as NodePort services:
apiVersion: v1kind: Servicemetadata: name: frontendspec: type: NodePort selector: app: frontend ports: - port: 80 targetPort: 80 nodePort: 30001---apiVersion: v1kind: Servicemetadata: name: backendspec: type: NodePort selector: app: backend ports: - port: 80 targetPort: 80 nodePort: 30002---apiVersion: v1kind: Servicemetadata: name: dbspec: type: NodePort selector: app: db ports: - port: 3306 targetPort: 3306 nodePort: 30003
Save this as services.yaml
and apply:
kubectl apply -f services.yaml
Step 5: Testing Connectivity
To test connectivity, you can use temporary pods:
kubectl run tmp-shell --rm -i --tty --image nicolaka/netshoot -- /bin/bash
From within this pod, you can use curl
to test connections to other services.
Step 6: Implementing Network Policy
Now, let’s create a network policy that only allows the backend to access the db:
apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata: name: db-access-policyspec: podSelector: matchLabels: app: db policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: backend ports: - protocol: TCP port: 3306
Save this as network-policy.yaml
and apply:
kubectl apply -f network-policy.yaml
Key Takeaways
- CNI Flexibility: Kind allows us to disable the default CNI and use alternatives like Calico.
- Fine-grained Control: Network policies enable precise control over pod-to-pod communication.
- Label-based Selectors: Network policies use labels to select pods, making them flexible and powerful.
- Default Deny: Without explicit allow rules, network policies default to denying all traffic.
- Testing is Crucial: Always test your network policies thoroughly to ensure desired behavior.
Conclusion
Kubernetes Network Policies provide a powerful tool for securing your cluster’s internal communications. By following this guide, you’ve set up a Kind cluster with Calico, deployed applications, and implemented a basic network policy. This foundation will allow you to create more complex policies tailored to your specific security needs.
Remember, network security is an ongoing process. Regularly review and update your policies as your application architecture evolves.
This blog post template provides a comprehensive, hands-on guide to implementing Kubernetes Network Policies, based on the task you described. It includes step-by-step instructions, explanations of key concepts, and important takeaways. The content is structured to be both informative and practical, suitable for readers who want to understand and implement Network Policies in their Kubernetes environments.