
19/05/2020 Kubernetes CKAD weekly challenge #6 NetworkPolicy - FAUN - Medium

Kubernetes CKAD weekly challenge #6: NetworkPolicy

Kim Wuestkamp
Apr 29, 2019 · 5 min read

https://medium.com/faun/kubernetes-ckad-weekly-challenge-6-networkpolicy-6cc1d390f289 1/14

ALL CHALLENGES AND TIPS

Rules!
1. Be fast, avoid creating YAML manually from scratch.
2. Use only kubernetes.io/docs for help, once your cluster is correctly configured to support NetworkPolicy.
3. Check my solution after you did yours. You probably have a better one ;)

Notices
This challenge was tested on k8s 1.18. Please let us know should you encounter any issues.

You won't be able to use deprecated kubectl commands in the real exam!

Be fast with kubectl ≥ 1.18

Today's scenario setup

Once the scenario is set up the challenge will start!

Get that good Kubernetes Cluster

You need to work on a cluster whose network plugin actually enforces NetworkPolicies; Docker for Desktop doesn't at this point. Be aware that the API server accepts NetworkPolicy objects on any cluster, so without an enforcing plugin your policies are created without error and simply have no effect, and every connectivity test below would still report WORKS. I'm using Google Kubernetes Engine, where you need to enable NetworkPolicy enforcement explicitly. You can simply create a new cluster:

use kubectl >= 1.18

gcloud container clusters create cluster-1 --enable-network-policy --zone europe-west3-a

alias k=kubectl

k config get-contexts

k config use-context YOUR_CONTEXT

k get all

(kubectl config set-context only creates or modifies a context entry; use-context is the command that switches to it.)

Set it up
Today we will work with a given scenario:

wget https://raw.githubusercontent.com/wuestkamp/k8s-challenges/master/6/scenario.yaml

k create -f scenario.yaml

I like to keep the cluster information we need running in a separate terminal:

watch "kubectl config current-context; echo ''; kubectl config view | grep namespace; echo ''; kubectl get namespace,pod,svc,deployment,networkpolicy -o wide"

The objects
1. deployment nginx-deployment with 5 replicas, nginx on port 80
2. deployment api-deployment with 2 replicas, a simple service running on port 3333
3. NodePort service nginx-service which exposes port 31111 on each node and forwards to port 80 on the nginx pods
4. ClusterIP service api-service to handle simple internal load balancing from nginx instances to api instances on port 3333

Let's imagine the nginx instances communicate with the api instances, and the api instances communicate with google.com:443.

This application communication isn't implemented in the scenario (we only use default images), but it doesn't matter for testing networking rules: nc -zv only checks whether a TCP connection can be opened, which is exactly what a NetworkPolicy decides.

Test default cluster connectivity

Without any NetworkPolicy selecting a pod, Kubernetes allows all ingress and egress for it, so every check below is expected to succeed. The pod names are placeholders; take the real ones from k get pods.

Connection from nginx to outer world:

use kubectl >= 1.18

alias k=kubectl

k exec nginx-deployment-12345678-12345 -- nc -zv www.google.de 80 # WORKS

Connection from nginx to api:

k exec nginx-deployment-12345678-12345 -- nc -zv api-service 3333 # WORKS

Connection from api to outer world:

k exec api-deployment-12345678-12345 -- nc -zv www.google.de 80 # WORKS

Connection from api to api:

k exec api-deployment-12345678-12345 -- nc -zv api-service 3333 # WORKS

Today's Task: NetworkPolicy

Make sure all your NetworkPolicies still allow DNS resolution.

1. Implement a NetworkPolicy for nginx pods to only allow egress to the internal api pods on port 3333. No access to the outer world (but DNS).
2. Implement a NetworkPolicy for api pods to only allow ingress on port 3333 from the internal nginx pods. To test negative: check from api to api.
3. Implement a NetworkPolicy for api pods to only allow egress to (IP of google.com) port 443.

My Solution
I copied examples from https://kubernetes.io/docs/concepts/services-networking/network-policies and adjusted them.

#1 NetworkPolicy for nginx pods to only allow egress to the internal api pods on port 3333
Create a new file nginx-networkpolicy.yaml :

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-network-policy
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - port: 3333
      protocol: TCP
  - to:
    ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP

Followed by:

alias k=kubectl

k -f nginx-networkpolicy.yaml create

k exec nginx-deployment-57d6c8d759-knnsq -- nc -zv www.google.de 80 # FAILS

k exec nginx-deployment-57d6c8d759-knnsq -- nc -zv nginx-service 80 # FAILS

k exec nginx-deployment-57d6c8d759-knnsq -- nc -zv api-service 3333 # WORKS

Two details worth understanding here. The connection to api-service works even though the policy names pods, not services, because kube-proxy rewrites the service IP to a pod IP before the policy is evaluated, so the podSelector on the api pods matches; note also that a podSelector in a rule only matches pods in the policy's own namespace. The second egress rule has an empty to:, which in the API means "any destination": it keeps DNS working, but it equally lets an nginx pod reach port 53 on any host, including resolvers outside the cluster. A tighter version restricts that rule with a namespaceSelector and podSelector matching the cluster DNS pods in kube-system.


#2 NetworkPolicy for api pods to only allow ingress on port 3333 from the internal nginx pods
cp nginx-networkpolicy.yaml api-networkpolicy.yaml and then edit the copy to:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx
    ports:
    - port: 3333
      protocol: TCP

Then test by trying to connect from api to api:

k -f api-networkpolicy.yaml create

k exec api-deployment-7ff954cdcf-cfbl6 -- nc -zv api-service 3333 # FAILS

k exec api-deployment-7ff954cdcf-cfbl6 -- nc -zv www.google.de 80 # WORKS

The api-to-api check fails because the policy only admits ingress from pods labelled app: nginx. Egress from the api pods is still unrestricted (policyTypes lists only Ingress), which is why the connection to the outer world still works.

#3 NetworkPolicy for api pods to only allow egress to (IP of google.com) port 443
We limit here to an IP (look it up with ping www.google.com) because the core NetworkPolicy API has no DNS-name selectors; ipBlock with a CIDR is the only way to name a destination outside the cluster. Keep in mind that google.com resolves to many addresses that change over time, so a pinned /32 is fine for the exercise but brittle in production; some network plugins offer FQDN-based egress rules as an extension (for example Cilium's toFQDNs), but those are not part of the Kubernetes API.

Let's adjust the api-networkpolicy.yaml to include the egress limitation:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Egress
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx
    ports:
    - port: 3333
      protocol: TCP
  egress:
  - to:
    - ipBlock:
        cidr: 216.58.208.35/32
    ports:
    - port: 443
      protocol: TCP
  - to:
    ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP

Then we run:

k -f api-networkpolicy.yaml apply

k exec api-deployment-7ff954cdcf-cfbl6 -- nc -zv nginx-service 80 # FAILS

k exec api-deployment-7ff954cdcf-cfbl6 -- nc -zv api-service 3333 # FAILS

k exec api-deployment-7ff954cdcf-cfbl6 -- nc -zv 216.58.208.35 80 # FAILS

k exec api-deployment-7ff954cdcf-cfbl6 -- nc -zv 216.58.208.35 443 # WORKS

Use the address you resolved yourself in both the policy and the test; if the two differ, the last check fails as well.
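The connectivity checks above, both the unrestricted baseline and the results after each policy, are the observable effect of a few rules: a pod that no policy selects accepts and sends everything; once a policy selects it for a direction, only what some rule allows passes; a connection needs the source's egress and the destination's ingress to agree; and an omitted or null to: means every destination. The evaluator below is an added example, not part of the challenge or its scenario, that encodes those rules and reproduces the nc matrix offline for the two final policies, then shows what changes when the DNS rule is restricted to the kube-dns pods. The pods, their IPs, the kubernetes.io/metadata.name label on the kube-system namespace and the k8s-app: kube-dns pod label are constructed assumptions.

```python
"""Offline evaluator for core NetworkPolicy semantics. Added example, not the challenge's
own code: it models matchLabels selectors, podSelector/namespaceSelector/ipBlock peers
(ipBlock.except omitted) and TCP/UDP ports. All pods, IPs and namespace labels are constructed."""
import ipaddress

# Constructed cluster state (the kube-system label is assumed; on k8s 1.18 you'd add it yourself).
NAMESPACES = {"default": {}, "kube-system": {"kubernetes.io/metadata.name": "kube-system"}}
PODS = {
    "nginx-0": {"ns": "default", "labels": {"app": "nginx"}, "ip": "10.0.0.10"},
    "api-0": {"ns": "default", "labels": {"app": "api"}, "ip": "10.0.0.20"},
    "api-1": {"ns": "default", "labels": {"app": "api"}, "ip": "10.0.0.21"},
    "coredns": {"ns": "kube-system", "labels": {"k8s-app": "kube-dns"}, "ip": "10.0.1.5"},
}
GOOGLE = "216.58.208.35"  # the /32 the challenge pins in the api policy

DNS_PORTS = [{"port": 53, "protocol": "TCP"}, {"port": 53, "protocol": "UDP"}]
DNS_ANYWHERE = {"ports": DNS_PORTS}  # the challenge's rule: `to:` is null, i.e. any destination
# Tighter replacement: port 53 only to the cluster DNS pods in kube-system (assumed labels).
DNS_KUBE_DNS_ONLY = {"ports": DNS_PORTS, "to": [
    {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
     "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}]}

def challenge_policies(dns_rule):
    """The challenge's two final policies as dicts mirroring the YAML; dns_rule keeps DNS working."""
    nginx = {"metadata": {"name": "nginx-network-policy", "namespace": "default"},
             "spec": {"podSelector": {"matchLabels": {"app": "nginx"}}, "policyTypes": ["Egress"],
                      "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                                  "ports": [{"port": 3333, "protocol": "TCP"}]}, dns_rule]}}
    api = {"metadata": {"name": "api-network-policy", "namespace": "default"},
           "spec": {"podSelector": {"matchLabels": {"app": "api"}}, "policyTypes": ["Egress", "Ingress"],
                    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "nginx"}}}],
                                 "ports": [{"port": 3333, "protocol": "TCP"}]}],
                    "egress": [{"to": [{"ipBlock": {"cidr": GOOGLE + "/32"}}],
                                "ports": [{"port": 443, "protocol": "TCP"}]}, dns_rule]}}
    return [nginx, api]

def _match(selector, labels):
    """matchLabels only; an empty selector selects everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _types(spec):
    """policyTypes default: Ingress, plus Egress only when egress rules are present."""
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])

def _peer_matches(peer, policy_ns, target):
    """target is a key of PODS or a cluster-external IP string."""
    if "ipBlock" in peer:
        ip = PODS[target]["ip"] if target in PODS else target
        return ipaddress.ip_address(ip) in ipaddress.ip_network(peer["ipBlock"]["cidr"])
    if target not in PODS:  # only ipBlock can describe cluster-external hosts
        return False
    pod = PODS[target]
    if "namespaceSelector" in peer:
        if not _match(peer["namespaceSelector"], NAMESPACES[pod["ns"]]):
            return False
    elif pod["ns"] != policy_ns:  # a lone podSelector is scoped to the policy's own namespace
        return False
    return _match(peer.get("podSelector", {}), pod["labels"])

def _rule_allows(rule, peer_key, policy_ns, target, port, proto):
    peers = rule.get(peer_key) or []  # absent or null to:/from: means every peer
    ports = rule.get("ports") or []  # absent ports means every port
    return ((not peers or any(_peer_matches(p, policy_ns, target) for p in peers)) and
            (not ports or any(p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)))

def _side_allowed(policies, subject, direction, other, port, proto):
    """One side of the check: the subject's Egress (as source) or Ingress (as destination)."""
    if subject not in PODS:
        return True  # policies only ever apply to pods
    pod = PODS[subject]
    peer_key, rules_key = ("to", "egress") if direction == "Egress" else ("from", "ingress")
    selecting = [p for p in policies if p["metadata"]["namespace"] == pod["ns"]
                 and _match(p["spec"]["podSelector"], pod["labels"]) and direction in _types(p["spec"])]
    if not selecting:
        return True  # nothing selects the pod in this direction: allow all (the default)
    return any(_rule_allows(r, peer_key, p["metadata"]["namespace"], other, port, proto)
               for p in selecting for r in p["spec"].get(rules_key) or [])

def allowed(policies, src, dst, port, proto="TCP"):
    """A connection needs the source's egress AND the destination's ingress to permit it."""
    return (_side_allowed(policies, src, "Egress", dst, port, proto)
            and _side_allowed(policies, dst, "Ingress", src, port, proto))

def connectivity(policies):
    """The challenge's nc checks; a Service VIP is DNATed to a pod IP before policy is enforced."""
    return {
        "nginx->google:80": allowed(policies, "nginx-0", GOOGLE, 80),
        "nginx->api:3333": allowed(policies, "nginx-0", "api-0", 3333),
        "api->api:3333": allowed(policies, "api-0", "api-1", 3333),
        "api->google:443": allowed(policies, "api-0", GOOGLE, 443),
        "api->google:80": allowed(policies, "api-0", GOOGLE, 80),
        "api->kube-dns:53": allowed(policies, "api-0", "coredns", 53, "UDP"),
        "api->8.8.8.8:53": allowed(policies, "api-0", "8.8.8.8", 53, "UDP"),
    }

if __name__ == "__main__":
    print({k: "WORKS" if v else "FAILS" for k, v in connectivity(challenge_policies(DNS_ANYWHERE)).items()})
```

Running it prints the same WORKS/FAILS pattern as the nc checks. The rows to compare are api->8.8.8.8:53, which the challenge's DNS rule allows because its to: is null, and api->kube-dns:53, which the kube-dns-only rule still permits while closing the external port-53 path.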

Recap
Well, I spent most time finding out that K8s clusters don’t have
NetworkPolicies enabled by default ;) But then I definitely learned the
power of manual firewalling in Kubernetes!

Also a great tutorial to read on this.

ALL CHALLENGES AND TIPS

More on


https://killer.sh

Kubernetes Ckad Networking Docker
