K8s Network Policies

- Some network communication fundamentals
- What is a NetworkPolicy
- What are NetworkPolicy agents
- Concluding thoughts
  • Each Pod gets its own unique IP address.
  • All Pods can talk to any other Pod within the cluster (there is no NAT, i.e., Network Address Translation, between them)
MyK8sInstance> kubectl get ns | grep ns
ns-1 Active 43s
ns-2 Active 41s
ns-3 Active 40s
kubectl -n ns-1 run pod1 --image=nginx
kubectl -n ns-2 run pod2 --image=nginx
kubectl -n ns-3 run pod3 --image=nginx
MyK8sInstance> kubectl get po -A -o wide | grep -i ns
ns-1 pod1-68d8cf5958-64wxf 1/1 Running 0 6m25s 172.17.0.2 minikube <none> <none>
ns-2 pod2-656d7df678-pn58q 1/1 Running 0 6m19s 172.17.0.3 minikube <none> <none>
ns-3 pod3-544fd994c4-xfqwx 1/1 Running 0 6m12s 172.17.0.4 minikube <none> <none>
MyK8sInstance> kubectl -n ns-1 exec pod1-68d8cf5958-64wxf -- curl 172.17.0.3 | grep Welcome
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 68000 0 --:--:-- --:--:-- --:--:-- 68000
<title>Welcome to nginx!</title>
<h1>Welcome to nginx!</h1>
pod1-68d8cf5958-64wxf => pod1 which belongs to ns-1
172.17.0.3 => pod2 which belongs to ns-2
MyK8sInstance> kubectl -n ns-2 exec pod2-656d7df678-pn58q -- curl 172.17.0.4 | grep Welcome
<title>Welcome to nginx!</title>
<h1>Welcome to nginx!</h1>
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 298k 0 --:--:-- --:--:-- --:--:-- 597k
Communication between pods in each namespace
New requirements for communication between pods
MyK8sInstance> k get ns --all-namespaces --show-labels | grep ns
ns-1 Active 77m ns-name=ns1
ns-2 Active 77m ns-name=ns2
ns-3 Active 77m ns-name=ns3
MyK8sInstance> k get po --all-namespaces --show-labels | grep pod
ns-1 pod1-68d8cf5958-64wxf 1/1 Running 0 72m pod-name=pod1,pod-template-hash=68d8cf5958,run=pod1
ns-2 pod2-656d7df678-pn58q 1/1 Running 0 72m pod-name=pod2,pod-template-hash=656d7df678,run=pod2
ns-3 pod3-544fd994c4-xfqwx 1/1 Running 0 72m pod-name=pod3,pod-template-hash=544fd994c4,run=pod3
  1. An ingress request from pod3 in ns-3 should be allowed to reach pod2 in ns-2
  2. An ingress request from pod1 in ns-1 should not be allowed to reach pod2 in ns-2
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: ns-2
spec:
  podSelector:
    matchLabels:
      pod-name: pod2
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          pod-name: pod3
MyK8sInstance> k apply -f np.yaml
networkpolicy.networking.k8s.io/test-network-policy created
MyK8sInstance> k get po --all-namespaces -o wide | grep -i pod
ns-1 pod1-68d8cf5958-64wxf 1/1 Running 0 83m 172.17.0.2 minikube <none> <none>
ns-2 pod2-656d7df678-pn58q 1/1 Running 0 83m 172.17.0.3 minikube <none> <none>
ns-3 pod3-544fd994c4-xfqwx 1/1 Running 0 83m 172.17.0.4 minikube <none> <none>
MyK8sInstance> kubectl -n ns-3 exec pod3-544fd994c4-xfqwx -- curl 172.17.0.3 | grep Welcome
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 68000 0 --:--:-- --:--:-- --:--:-- 68000
<title>Welcome to nginx!</title>
<h1>Welcome to nginx!</h1>
MyK8sInstance> kubectl -n ns-1 exec pod1-68d8cf5958-64wxf -- curl 172.17.0.3 | grep Welcome
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 597k 0 --:--:-- --:--:-- --:--:-- 597k
<title>Welcome to nginx!</title>
<h1>Welcome to nginx!</h1>
MyK8sInstance> kubectl get daemonset calico-node --namespace calico-system
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
calico-node 1 1 0 1 0 kubernetes.io/os=linux 1s
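The curl tests above pass from both pod1 and pod3 because the default minikube CNI has no policy agent, so NetworkPolicy objects are stored but never enforced. There is a second catch hidden in the policy itself: a `from` entry that carries only a podSelector matches pods in the policy's own namespace (ns-2), so even once an agent such as Calico is enforcing, pod3 in ns-3 would be denied. Meeting both requirements needs a namespaceSelector and a podSelector in the same `from` entry (they are ANDed; separate entries are ORed). The following Python model is an added example, not code from the article or from Kubernetes: it evaluates those selector semantics offline over a constructed inventory that mirrors the page's labels (ns-name=ns1..ns3, pod-name=pod1..pod3); the functions `ingress_allowed`, `evaluate` and the `cni_enforces` switch are hypothetical names chosen for this illustration.

```python
"""Offline model of Kubernetes NetworkPolicy ingress semantics (added example).

Constructed inventory mirroring the page's cluster: namespaces ns-1..ns-3
labelled ns-name=ns1..ns3, each running one pod labelled pod-name=pod1..pod3.
Selector semantics follow the NetworkPolicy API: a `from` entry with only a
podSelector matches pods in the policy's own namespace; namespaceSelector and
podSelector in one entry are ANDed; separate entries are ORed.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed inventory, labels taken from the `--show-labels` output on the page.
NAMESPACE_LABELS = {
    "ns-1": {"ns-name": "ns1"},
    "ns-2": {"ns-name": "ns2"},
    "ns-3": {"ns-name": "ns3"},
}
PODS = {
    "pod1": Pod("pod1", "ns-1", {"pod-name": "pod1", "run": "pod1"}),
    "pod2": Pod("pod2", "ns-2", {"pod-name": "pod2", "run": "pod2"}),
    "pod3": Pod("pod3", "ns-3", {"pod-name": "pod3", "run": "pod3"}),
}

# The policy as written on the page: podSelector only in `from`.
PAGE_POLICY = {
    "metadata": {"name": "test-network-policy", "namespace": "ns-2"},
    "spec": {
        "podSelector": {"matchLabels": {"pod-name": "pod2"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"pod-name": "pod3"}}}]}],
    },
}

# Corrected policy: namespaceSelector AND podSelector in a single `from` entry,
# i.e. "pod-name=pod3 in the namespace labelled ns-name=ns3".
FIXED_POLICY = {
    "metadata": {"name": "test-network-policy", "namespace": "ns-2"},
    "spec": {
        "podSelector": {"matchLabels": {"pod-name": "pod2"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{
            "namespaceSelector": {"matchLabels": {"ns-name": "ns3"}},
            "podSelector": {"matchLabels": {"pod-name": "pod3"}},
        }]}],
    },
}


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns):
    """Does one `from` entry select the source pod? (ipBlock peers are not modelled.)"""
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS[src.namespace]):
            return False
        if "podSelector" in peer:
            return selector_matches(peer["podSelector"], src.labels)
        return True
    if "podSelector" in peer:
        # No namespaceSelector: only pods in the policy's own namespace qualify.
        return src.namespace == policy_ns and selector_matches(peer["podSelector"], src.labels)
    return False


def ingress_allowed(src, dst, policies, cni_enforces=True):
    """True if traffic src -> dst is allowed under the given policies."""
    if not cni_enforces:
        return True  # a CNI without a policy agent ignores NetworkPolicy objects entirely
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst.namespace
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"]["podSelector"], dst.labels)]
    if not selecting:
        return True  # no policy selects dst: default allow
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule without `from` admits every source
            if any(peer_matches(peer, src, policy["metadata"]["namespace"]) for peer in peers):
                return True
    return False  # selected by a policy and matched by no rule: denied


def evaluate(policy, cni_enforces=True):
    """Check the page's two requirements: pod1 -> pod2 and pod3 -> pod2."""
    dst = PODS["pod2"]
    return {f"{s}->pod2": ingress_allowed(PODS[s], dst, [policy], cni_enforces)
            for s in ("pod1", "pod3")}


if __name__ == "__main__":
    print("no policy agent (minikube default):", evaluate(PAGE_POLICY, cni_enforces=False))
    print("page policy, enforced:             ", evaluate(PAGE_POLICY))
    print("fixed policy, enforced:            ", evaluate(FIXED_POLICY))
```

Running it reproduces the article's observation (everything allowed without an agent), then shows that the page's policy would block pod3 as well as pod1 once enforced, and that only the combined selector meets both requirements. On a real cluster the check is the same pair of curl commands, rerun only after the policy agent is actually serving traffic: the daemonset output above shows calico-node with READY 0 one second after creation, and nothing is enforced until it reports ready.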

Sandeep Baldawa

whoami >> Slack, Prev — Springpath (Acquired by Cisco), VMware, Backend Engineer, Build & Release, Infra, Devops & Cybersecurity Enthusiast