Kubernetes CKAD weekly challenge #6 NetworkPolicy - FAUN - Medium
19/05/2020, https://medium.com/faun/kubernetes-ckad-weekly-challenge-6-networkpolicy-6cc1d390f289
Rules!
1. Be fast; avoid creating YAML manually from scratch.
3. Check my solution after you have done yours. You probably have a better one ;)
Notices
This challenge was tested on k8s 1.18. Please let us know should you encounter any issues.
alias k=kubectl
k config get-contexts
k get all
Set it up
Today we will work with a given scenario:
wget https://raw.githubusercontent.com/wuestkamp/k8s-challenges/master/6/scenario.yaml
k create -f scenario.yaml
The objects
1. deployment nginx-deployment with 5 replicas, nginx on port 80
Let's imagine the nginx instances communicate with the api instances, and the api instances communicate with google.com:443.
My Solution
I copied examples from https://kubernetes.io/docs/concepts/services-networking/network-policies and adjusted them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-network-policy
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - port: 3333
      protocol: TCP
  - to:
    ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
Followed by:
alias k=kubectl
k -f nginx-networkpolicy.yaml create
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx
    ports:
    - port: 3333
      protocol: TCP
k -f api-networkpolicy.yaml create
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Egress
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx
    ports:
    - port: 3333
      protocol: TCP
  egress:
  - to:
    - ipBlock:
        cidr: 216.58.208.35/32
    ports:
    - port: 443
      protocol: TCP
  - to:
    ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
Then we run:
k -f api-networkpolicy.yaml apply
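The two policies above implement the traffic graph from the scenario: nginx may only talk to api on 3333, api may only talk to the google.com address on 443, and both keep DNS on port 53 open. As an added example that is not part of the original post, the Python script below models the NetworkPolicy semantics those YAML files rely on: a pod is only isolated in a direction once some policy selecting it lists that policyType, rules within a direction are OR'd, an empty `to:` means any peer, and a connection needs both the sender's egress and the receiver's ingress to allow it. The policies are the post's final YAML transcribed as dicts; the pod IPs, the debug pod, the 198.51.100.7 host and the DNS address are constructed test data, and namespaceSelector is not modelled.

```python
"""Toy evaluator for the NetworkPolicy semantics used in this challenge.

Added example, not code from the original post. The two policies are the
post's final nginx and api NetworkPolicy YAML as Python dicts; endpoints are
constructed. Only matchLabels podSelectors and ipBlock peers are modelled.
"""
import copy
import ipaddress

NGINX_POLICY = {  # nginx-network-policy from the post
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"podSelector": {"matchLabels": {"app": "api"}}}],
             "ports": [{"port": 3333, "protocol": "TCP"}]},
            # "to:" is left empty in the post: any destination, DNS ports only
            {"to": None, "ports": [{"port": 53, "protocol": "TCP"},
                                   {"port": 53, "protocol": "UDP"}]},
        ],
    },
}

API_POLICY = {  # final api-network-policy from the post (ingress + egress)
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Egress", "Ingress"],
        "ingress": [
            {"from": [{"podSelector": {"matchLabels": {"app": "nginx"}}}],
             "ports": [{"port": 3333, "protocol": "TCP"}]},
        ],
        "egress": [
            {"to": [{"ipBlock": {"cidr": "216.58.208.35/32"}}],
             "ports": [{"port": 443, "protocol": "TCP"}]},
            {"to": None, "ports": [{"port": 53, "protocol": "TCP"},
                                   {"port": 53, "protocol": "UDP"}]},
        ],
    },
}
POLICIES = [NGINX_POLICY, API_POLICY]

# Constructed endpoints; labels=None means "not a pod in this namespace".
NGINX = {"ip": "10.244.1.10", "labels": {"app": "nginx"}}
API = {"ip": "10.244.1.20", "labels": {"app": "api"}}
DEBUG = {"ip": "10.244.1.30", "labels": {"app": "debug"}}   # pod no policy selects
GOOGLE = {"ip": "216.58.208.35", "labels": None}            # the IP from the post
OTHER = {"ip": "198.51.100.7", "labels": None}              # some other host
DNS = {"ip": "10.96.0.10", "labels": None}                  # cluster DNS address


def selects(selector, labels):
    """An empty podSelector selects every pod; otherwise every matchLabel must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    """policyTypes, defaulted the way the API does when the field is omitted."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def peer_matches(peer, endpoint):
    """One entry of a from/to list checked against a concrete endpoint."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(endpoint["ip"])
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"], strict=False):
            return False
        return not any(ip in ipaddress.ip_network(x, strict=False) for x in block.get("except", []))
    if "podSelector" in peer:
        return endpoint["labels"] is not None and selects(peer["podSelector"], endpoint["labels"])
    return False


def port_allowed(ports, port, protocol):
    """No ports listed means every port; protocol defaults to TCP."""
    return not ports or any(p["port"] == port and p.get("protocol", "TCP") == protocol for p in ports)


def direction_allowed(policies, labels, direction, other, port, protocol):
    """Does some policy selecting a pod with `labels` allow this Ingress/Egress flow?"""
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    applicable = [p["spec"] for p in policies
                  if selects(p["spec"]["podSelector"], labels) and direction in policy_types(p["spec"])]
    if not applicable:
        return True  # not isolated in this direction: everything is allowed
    for spec in applicable:
        for rule in spec.get(rules_key) or []:
            peers = rule.get(peers_key) or []  # None/empty list = any peer
            peer_ok = not peers or any(peer_matches(x, other) for x in peers)
            if peer_ok and port_allowed(rule.get("ports"), port, protocol):
                return True
    return False  # isolated, and no rule whitelists this connection


def connection_allowed(policies, src, dst, port, protocol="TCP"):
    """Both the source's egress and the destination's ingress must allow the flow."""
    egress_ok = src["labels"] is None or direction_allowed(policies, src["labels"], "Egress", dst, port, protocol)
    ingress_ok = dst["labels"] is None or direction_allowed(policies, dst["labels"], "Ingress", src, port, protocol)
    return egress_ok and ingress_ok


def nginx_policy_without_dns():
    """The nginx policy with its port-53 rule dropped: a common mistake that breaks DNS."""
    p = copy.deepcopy(NGINX_POLICY)
    p["spec"]["egress"] = p["spec"]["egress"][:1]
    return p


if __name__ == "__main__":
    for src, dst, port, proto in [(NGINX, API, 3333, "TCP"), (DEBUG, API, 3333, "TCP"),
                                  (API, GOOGLE, 443, "TCP"), (API, OTHER, 443, "TCP"),
                                  (NGINX, DNS, 53, "UDP")]:
        print(src["ip"], "->", dst["ip"], port, proto, connection_allowed(POLICIES, src, dst, port, proto))
    print("nginx DNS without port-53 rule:",
          connection_allowed([nginx_policy_without_dns(), API_POLICY], NGINX, DNS, 53, "UDP"))
```

Run it with python3. The last line shows that dropping the port-53 rule silently breaks name resolution for the nginx pods, which is why both policies in the post carry an explicit DNS rule; the debug pod case shows that an unselected pod is not restricted at all, and that nginx still accepts ingress from anyone because its policy only lists Egress. The model ignores namespaces and the fact that ipBlock is intended for cluster-external addresses, and none of this is enforced on a real cluster unless its network plugin implements NetworkPolicy.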
Recap
Well, I spent most of my time finding out that K8s clusters don't have NetworkPolicies enabled by default ;) But then I definitely learned the power of manual firewalling in Kubernetes!
More on
https://killer.sh