
Lab: Kubernetes network policy

Introduction:
Kubernetes network policy lets administrators and developers enforce, through rules, which network
traffic is allowed to reach (or leave) a set of pods.

In this lab, you will learn the following:

Objective:

• Create a network policy which DENY all traffic to an application
• Create a network policy which LIMIT traffic to an application
• Create a network policy which ALLOW all traffic to an application
• Create a network policy which DENY all non-whitelisted traffic to a namespace
• Create a network policy which DENY all traffic from other namespaces
• Create a network policy which ALLOW traffic to an application from all namespaces
• Create a network policy which ALLOW traffic from some pods in another namespace

Note: Ensure you have a running cluster deployed.


1 Ensure that you have logged in as the root user (password: linux) on the kube-master node.
2 DENY all traffic to an application
2.1 Let us create an nginx Pod with the label app=web and expose it on port 80:
# kubectl run web-01 --image nginx --labels app=web
Output:

# kubectl expose pod web-01 --name=demo-service --labels app=web --port=80

Output:

2.2 Let us run a temporary Pod and make a request to demo-service:


# kubectl run --rm -i -t --image=busybox:1.28.0 test-$RANDOM -- sh

Output:

Student Material – Do Not Re-distribute. For any queries contact:


naushad.p.tech@gmail.com or https://www.linkedin.com/in/naushadpasha/
# wget -qO- http://demo-service
Output:

Note: The above output confirms that the web-server application is reachable.

2.3 Let us create a NetworkPolicy that does not allow any ingress traffic to the pods carrying the
label app=web. An empty ingress list selects the pods but allows nothing, which is what makes it a
deny-all policy:

# cat > web-deny.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-deny-all
spec:
  podSelector:
    matchLabels:
      app: web
  ingress: []
EOF

# kubectl apply -f web-deny.yaml


Output:

2.4 Let us list the network policies created

# kubectl get netpol


Output:

# kubectl describe networkpolicies.networking.k8s.io web-deny-all
Output:

2.5 Let us test again to verify the network policy

# kubectl run --rm -i -t --image=busybox:1.28.0 test-$RANDOM -- sh
# wget -qO- http://demo-service
Output:

Type exit to come out from the shell


2.6 Cleanup:
# kubectl delete pod web-01
# kubectl delete service demo-service
# kubectl delete networkpolicy web-deny-all
Output:

3 LIMIT traffic to an application


3.1 Suppose your application is a REST API server, marked with the labels app=bookstore and
role=api:

# kubectl run apiserver --image=nginx --labels app=bookstore,role=api --expose --port 80
Output:

Note: The above command creates both the pod and the service.

3.2 Let us create a NetworkPolicy allowing traffic only from certain Pods, selected by their
labels:
# cat > api-allow.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: api
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: bookstore
EOF

# kubectl apply -f api-allow.yaml


Output:

# kubectl get netpol


Output:

# kubectl describe netpol api-allow
Output:

3.3 Let us test that the Network Policy is blocking the traffic, by running a Pod without the
app=bookstore label:

# kubectl run --rm -i -t --image=alpine test-$RANDOM -- sh

# wget -qO- --timeout=2 http://apiserver

Output:

Type exit to come out from the shell

Note: Traffic is blocked!

# kubectl run test-$RANDOM --rm -i -t --image=alpine --labels app=bookstore -- sh
# wget -qO- --timeout=2 http://apiserver

Output:

Type exit to come out from the shell
Note: Traffic is allowed

# kubectl run test-$RANDOM --rm -i -t --image=alpine --labels role=api -- sh
# wget -qO- --timeout=2 http://apiserver

Output:

Type exit to come out from the shell

Note: Traffic is blocked. The policy selects pods by app=bookstore, so role=api alone is not enough.

Cleanup
# kubectl delete pod apiserver
# kubectl delete service apiserver
# kubectl delete networkpolicy api-allow

Output:

4 ALLOW all traffic to an application

Use Case: After applying a deny-all policy that blocks all non-whitelisted traffic to the
application, you now have to allow access to the application from all pods in the current
namespace.

4.1 Let us create a pod and service in the default namespace

# kubectl run web --image=nginx --labels=app=web --expose --port 80
Output:

4.2 Let us create a NetworkPolicy that allows all ingress traffic to the pods carrying the label
app=web. Note the difference from section 2.3: a single empty rule ({}) matches every source,
whereas an empty rule list ([]) matches none.

# cat > web-allow.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-all
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - {}
EOF

# kubectl apply -f web-allow.yaml


Output:

4.3 Let us list the network policies created

# kubectl get netpol


Output:

# kubectl describe networkpolicies.networking.k8s.io web-allow-all
Output:

4.4 Let us test again to verify the network policy (the service created in 4.1 is named web):

# kubectl run test-$RANDOM --rm -i -t --image=alpine -- sh
# wget -qO- http://web
Output:

Type exit to come out from the shell

Traffic is allowed.

# kubectl delete pod,service web
# kubectl delete networkpolicy web-allow-all
Output:

5 DENY all non-whitelisted traffic to a namespace

Use Case: This is a fundamental policy, blocking all cross-pod networking other than what is
whitelisted via the other Network Policies you deploy. The empty podSelector ({}) selects every pod
in the namespace.

# cat > default-deny-all << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}
  ingress: []
EOF

# kubectl apply -f default-deny-all


Output:

# kubectl run nginx --image=nginx --expose --port=80


Output:

# kubectl run test-$RANDOM --rm -i -t --image=alpine -- sh
# wget -qO- --timeout=2 http://nginx
Output:

Note: Type exit to come out from the shell

Cleanup
# kubectl delete pod,service nginx
# kubectl delete networkpolicy default-deny-all
Output:

6 ALLOW all traffic from a namespace


6.1 This policy is similar to allowing traffic from all namespaces, but shows how you can
choose particular namespaces.
6.2 Run a web server in the default namespace:
# kubectl run web --image=nginx --labels=app=web --expose --port 80
Output:

6.3 Create the dev and prod namespaces and give them different labels

# kubectl create namespace dev


Output:

# kubectl label namespace/dev purpose=testing


Output:

# kubectl create namespace prod


Output:

# kubectl label namespace/prod purpose=production


Output:

6.4 The following manifest restricts traffic to only pods in namespaces that carry the label
purpose=production. Save it to allow-traffic-specific-namespace.yaml and apply it to the cluster:

# cat > allow-traffic-specific-namespace.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-prod
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: production
EOF

Let us apply it to the cluster

# kubectl apply -f allow-traffic-specific-namespace.yaml
Output:

Query this web server from the dev namespace and observe that it is blocked:

# kubectl run test-$RANDOM --namespace=dev --rm -i -t --image=alpine -- sh
# wget -qO- --timeout=2 http://web.default

Output:

Query it from the prod namespace and observe that it is allowed:

# kubectl run test-$RANDOM --namespace=prod --rm -i -t --image=alpine -- sh
# wget -qO- --timeout=2 http://web.default
Output:

Cleanup
# kubectl delete networkpolicy web-allow-prod
# kubectl delete pod web
# kubectl delete service web
# kubectl delete namespace {prod,dev}

7 ALLOW traffic from some pods in another namespace
Start a web application:
# kubectl run web --image=nginx --labels=app=web --expose --port 80
Output:

Create the other namespace and label it:


# kubectl create namespace other
# kubectl label namespace/other team=operations
Output:

The following manifest restricts traffic to only pods with the label type=monitoring in namespaces
labelled team=operations. Both selectors sit in the same from entry, so both must match (AND); if
the podSelector were written as a separate list entry, either one matching would be enough (OR),
and any type=monitoring pod in the default namespace would also be admitted. Save it to
web-allow-all-ns-monitoring.yaml and apply it to the cluster:

# cat > web-allow-all-ns-monitoring.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-all-ns-monitoring
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: operations
      podSelector:
        matchLabels:
          type: monitoring
EOF
Let us apply it to the cluster

# kubectl apply -f web-allow-all-ns-monitoring.yaml

Output:

Let us verify from the default namespace, with a test pod that does not carry the label
type=monitoring, and observe that it is blocked:

# kubectl run test-$RANDOM --rm -i -t --image=alpine -- sh
# wget -qO- --timeout=2 http://web.default

Output:

Let us verify from the other namespace, again without the label type=monitoring, and observe
that it is still blocked:

# kubectl run test-$RANDOM --namespace=other --rm -i -t --image=alpine -- sh
# wget -qO- --timeout=2 http://web.default

Output:

Let us verify from the other namespace with a test pod labelled type=monitoring, and observe
that it is allowed:

# kubectl run test-$RANDOM --namespace=other --labels type=monitoring --rm -i -t --image=alpine -- sh
# wget -qO- --timeout=2 http://web.default
Output:

Cleanup
# kubectl delete networkpolicy web-allow-all-ns-monitoring
# kubectl delete namespace other
# kubectl delete pod web
# kubectl delete service web
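The evaluator below is an added example, not part of this lab or of Kubernetes itself. It models the ingress semantics the manifests in sections 2 to 7 rely on (the empty rule list, the bare {} rule, podSelector, namespaceSelector, and the two selectors combined in one from entry) so the allow/deny outcomes above can be checked without a cluster. Policy names and labels are taken from the lab; the source pods and the mis-indented variant are constructed.

```python
# Added example, not part of the lab: a small evaluator of the NetworkPolicy
# ingress semantics exercised in sections 2-7, runnable without a cluster.
# Policy names/labels follow the lab; the test pods are constructed.

def matches(selector, labels):
    """matchLabels check; an empty selector ({}) matches every pod or namespace."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, src, target_ns):
    """One entry of a rule's 'from' list. podSelector alone = pods in the target's
    own namespace; namespaceSelector alone = any pod in a matching namespace;
    both in the SAME entry = both must match (AND), as in section 7."""
    if "namespaceSelector" in peer:
        if not matches(peer["namespaceSelector"], src["ns_labels"]):
            return False
        return matches(peer.get("podSelector", {}), src["labels"])
    if "podSelector" in peer:
        return src["namespace"] == target_ns and matches(peer["podSelector"], src["labels"])
    return False

def ingress_allowed(policies, target, src):
    """True if pod 'src' may connect to pod 'target' (dicts with 'namespace',
    'labels', 'ns_labels'). Policies are additive: any matching rule allows."""
    selected = [p for p in policies if p["namespace"] == target["namespace"]
                and matches(p["spec"]["podSelector"], target["labels"])]
    if not selected:
        return True                      # no policy selects the pod: default allow
    for p in selected:
        for rule in p["spec"].get("ingress", []):  # ingress: [] has no rule -> deny
            if "from" not in rule:       # the bare '{}' rule of section 4: allow all
                return True
            if any(peer_allows(peer, src, target["namespace"]) for peer in rule["from"]):
                return True
    return False

def policy(name, pod_selector, ingress):
    """Build a policy in the default namespace, like the lab's manifests."""
    return {"name": name, "namespace": "default",
            "spec": {"podSelector": pod_selector, "ingress": ingress}}

# Section 7 manifest: namespaceSelector AND podSelector inside one 'from' entry.
WEB_ALLOW_NS_MON = policy("web-allow-all-ns-monitoring", {"matchLabels": {"app": "web"}},
    [{"from": [{"namespaceSelector": {"matchLabels": {"team": "operations"}},
                "podSelector": {"matchLabels": {"type": "monitoring"}}}]}])
# Same selectors as SEPARATE entries (one stray '-' in the YAML): OR, far more permissive.
WEB_ALLOW_NS_OR_MON = policy("web-allow-mis-indented", {"matchLabels": {"app": "web"}},
    [{"from": [{"namespaceSelector": {"matchLabels": {"team": "operations"}}},
               {"podSelector": {"matchLabels": {"type": "monitoring"}}}]}])
# The lab's target: the nginx pod labelled app=web in the default namespace.
WEB = {"namespace": "default", "labels": {"app": "web"}, "ns_labels": {}}
```

Feed it the other manifests from the lab (web-deny-all, api-allow, web-allow-all, default-deny-all) through policy() to reproduce each section's blocked/allowed result.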
