/
Deploy network policy in k8s

Deploy network policy in k8s

This page is out of date.
Please see the relevant page for the latest release: e.g. Release M - Run in Kubernetes

 

network policy is used to control the traffic flow between endpoints in k8s cluster.

This is a brief instruction on how to apply network policy to NONRTRIC. This page deploy NONRTRIC and apply a simple network policy to it.

Prerequisite

  • Docker

  • minikube v1.22.0

  • cilium v1.10.2

Installation

configure minukube resources, the NONRTRIC deployment may cost more resource than default settings in your env:

configure minikube
minikube config set cpus 4 minikube config set memory 16384

start minukube and enable network plugin:

start minikube and enable network plugin
minikube start --network-plugin=cni

install network plugin, eg: cilium

download cilium and run command, it will detect the minikube cluster automatically and install the network plugin in the cluster:

install cilium
cilium install

After successful installation, we should see the pods:

 

Check cilium status:

cilium status
cilium status

Now we have network plugin enabled in k8s cluster, we can then apply network policy to NONRTRIC.

Deploy NONRTRIC

deploy nonrtric
kubectl apply -f https://raw.githubusercontent.com/yanhuanwang/k8s/master/statefulset/nosdnc.yml

after deployment, you should be able to see nonrtric services/pods are up and running:

pay attention to the labels above, in this demo we will use labels to define the network-policy rules.

Apply network-policy

$ cat <<EOF | kubectl apply -f - apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: nonrtric spec: podSelector: matchLabels: app: a1-sim policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: policy-agent-container - from: - podSelector: matchLabels: app: a1-sim EOF

The example policy above applies a rule on endpoint with lable "a1-sim", it only allows traffic coming from pod with labels "policy-agent-container" and "a1-sim".

Feel free to change the labels and apply it.

After successfully applying above policy, we login to pod "policy-agent-container-xxxxxx", command:

kubectl -n nonrtric exec -it policy-agent-container-78d6b988c9-jnw42 -- sh curl a1-interface-osc-0.a1-sim

We should be able to see:

If we update labels in the above policy, for exemple:

$ cat <<EOF | kubectl apply -f - apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: nonrtric spec: podSelector: matchLabels: app: a1-sim policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: policy-xxxx-container - from: - podSelector: matchLabels: app: a1-sim EOF

After applying this changed policy, we cannot access "a1-sim" endpoints from "policy-agent-container" anymore because the labels do not match.

curl/ping command can no longer reach "a1-sim".