Kubernetes

KUBERNETES NAMESPACE ISOLATION AT THE NETWORK LEVEL WITH CALICO

  • Login to the master and install kubelet, kubeadm and kubectl
  • Initialisekubeadm
  • Refer steps 2a, 2b, 2c in document
8 min read
KUBERNETES NAMESPACE ISOLATION AT THE NETWORK LEVEL WITH CALICO

**KUBERNETES NAMESPACE ISOLATION AT THE NETWORK LEVEL WITH CALICO **

** 1. **Install and setup Docker in master and node

Refer step 1 in document

2. Setup kubernetes master

  • Login to the master and install kubelet, kubeadm and kubectl
  • Initialisekubeadm
  • Refer steps 2a, 2b, 2c in document

3. Setup Calico

Install calico with Kubernetes API datastore

  • Download the Calico networking manifest for the Kubernetes API datastore.

.fusion-syntax-highlighter-52 > .CodeMirror, .fusion-syntax-highlighter-52 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-52 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-52 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ curl https://docs.projectcalico.org/manifests/calico.yaml -O

  • You can customize the manifest as necessary
  • Apply the manifest using the following command

.fusion-syntax-highlighter-53 > .CodeMirror, .fusion-syntax-highlighter-53 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-53 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-53 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl apply -f calico.yaml

Now check the pods on kube-system namespace where all the network components will be available.

.fusion-syntax-highlighter-54 > .CodeMirror, .fusion-syntax-highlighter-54 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-54 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-54 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl get pods -n=kube-system

After adding the network, add the node to the cluster using the join command(result of kubeadminit ). For example:

.fusion-syntax-highlighter-55 > .CodeMirror, .fusion-syntax-highlighter-55 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-55 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-55 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubeadm join XX.X.X.XXX:6443 -- token hdhjsnsnwwww –discovery-token-ca-cert-hash sha256:4d3e70e50a8b3ecfacc64585942b93564c9af555ab90c576c59e63def90245ac

Now check the cluster for master and node

.fusion-syntax-highlighter-56 > .CodeMirror, .fusion-syntax-highlighter-56 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-56 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-56 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl get nodes### 4. Creating a test environment

  • For testing, we are creating two nginx HTTP-Servers in two namespaces and block all traffic between the two namespaces. Which means you will not get any content from namespace1 if you are sitting in namespace2.
  • Setup the namespace with required resources.

# Create two namespaces

.fusion-syntax-highlighter-57 > .CodeMirror, .fusion-syntax-highlighter-57 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-57 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-57 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl create ns test1.fusion-syntax-highlighter-58 > .CodeMirror, .fusion-syntax-highlighter-58 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-58 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-58 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl create ns test2### # Apply name labels to the newly created namespaces .fusion-syntax-highlighter-59 > .CodeMirror, .fusion-syntax-highlighter-59 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-59 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-59 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl label ns test1 name=test1.fusion-syntax-highlighter-60 > .CodeMirror, .fusion-syntax-highlighter-60 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-60 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-60 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl label ns test2 name=test2### # Create a standard HTTP web server .fusion-syntax-highlighter-61 > .CodeMirror, .fusion-syntax-highlighter-61 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-61 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-61 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl create deployment nginx --image=nginx -n=test1.fusion-syntax-highlighter-62 > .CodeMirror, .fusion-syntax-highlighter-62 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-62 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-62 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl create deployment nginx --image=nginx -n=test2### # Expose the port 80 for external access .fusion-syntax-highlighter-63 > .CodeMirror, .fusion-syntax-highlighter-63 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-63 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-63 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl expose deployment nginx --port=80 --type=NodePort -n=test1.fusion-syntax-highlighter-64 > .CodeMirror, .fusion-syntax-highlighter-64 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-64 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-64 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl expose deployment nginx --port=80 --type=NodePort -n=test2### # Check the components created in two namespaces. .fusion-syntax-highlighter-65 > .CodeMirror, .fusion-syntax-highlighter-65 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-65 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-65 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl get all -n=test1.fusion-syntax-highlighter-66 > .CodeMirror, .fusion-syntax-highlighter-66 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-66 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-66 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl get all -n=test2### **5. **Testing Phase 1 (Without network policy)

  • Get the IP of all pods using the following commands

.fusion-syntax-highlighter-67 > .CodeMirror, .fusion-syntax-highlighter-67 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-67 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-67 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl get pods -o wide -n=test1.fusion-syntax-highlighter-68 > .CodeMirror, .fusion-syntax-highlighter-68 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-68 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-68 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl get pods -o wide -n=test2

Create a pod with curl preinstalled inside the namespace test1

.fusion-syntax-highlighter-69 > .CodeMirror, .fusion-syntax-highlighter-69 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-69 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-69 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl run -i --tty client0 --image=tutum/curl -n=test1

Get the index.html from the nginx of the namespace “test1”

.fusion-syntax-highlighter-70 > .CodeMirror, .fusion-syntax-highlighter-70 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-70 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-70 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ curl http://nginx-pod-ip-test1.fusion-syntax-highlighter-71 > .CodeMirror, .fusion-syntax-highlighter-71 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-71 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-71 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ curl http://nginx-pod-ip-test2Both calls are done in a pod within namespace test1 and both nginx servers are always reachable, no matter in what namespace.

6. Testing Phase 2 (With network policy)

  • Inorder to isolate the namespace at network level, we have to apply network policy on both namespaces. A sample network policy is given below.

.fusion-syntax-highlighter-72 > .CodeMirror, .fusion-syntax-highlighter-72 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-72 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-72 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax HighlighterapiVersion: crd.projectcalico.org/v1 kind: NetworkPolicy metadata: name: deny-namespaces spec: types:

  • Ingress
  • Egress ingress:
  • action: Allow protocol: TCP source: namespaceSelector: name == 'test1'
  • action: Allow protocol: TCP source: namespaceSelector: name == 'kube-system'
  • action: Allow protocol: TCP source: namespaceSelector: name == 'kube-public'
  • action: Allow protocol: TCP source: namespaceSelector: name == 'kube-node-lease' egress:
  • action: Allow
  • This policy will block the access from namespace2
  • Create a file networkpolicy-ns1.yaml and paste the above code.

.fusion-syntax-highlighter-73 > .CodeMirror, .fusion-syntax-highlighter-73 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-73 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-73 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ vim networkpolicy-ns1.yaml

To apply the policy on namespace1, run the following command

.fusion-syntax-highlighter-74 > .CodeMirror, .fusion-syntax-highlighter-74 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-74 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-74 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl create -f networkpolicy-ns1.yaml -n=test1

For namespace2, create another policy yaml

.fusion-syntax-highlighter-75 > .CodeMirror, .fusion-syntax-highlighter-75 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-75 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-75 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax HighlighterapiVersion: crd.projectcalico.org/v1 kind: NetworkPolicy metadata: name: deny-namespaces spec: types:

  • Ingress
  • Egress ingress:
  • action: Allow protocol: TCP source: namespaceSelector: name == 'test2'
  • action: Allow protocol: TCP source: namespaceSelector: name == 'kube-system'
  • action: Allow protocol: TCP source: namespaceSelector: name == 'kube-public'
  • action: Allow protocol: TCP source: namespaceSelector: name == 'kube-node-lease' egress:
  • action: Allow .fusion-syntax-highlighter-76 > .CodeMirror, .fusion-syntax-highlighter-76 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-76 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-76 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl create -f networkpolicy-ns2.yaml -n=test2
  • Now check the connectivity between the pods again.
  • Get the IP of all pods using the following commands

.fusion-syntax-highlighter-77 > .CodeMirror, .fusion-syntax-highlighter-77 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-77 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-77 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl get pods -o wide -n=test1.fusion-syntax-highlighter-78 > .CodeMirror, .fusion-syntax-highlighter-78 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-78 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-78 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl get pods -o wide -n=test2

Create a pod with curl preinstalled inside the namespace test1

.fusion-syntax-highlighter-79 > .CodeMirror, .fusion-syntax-highlighter-79 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-79 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-79 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ kubectl run -i --tty client1 --image=tutum/curl -n=test1

Get the index.html from the nginx of the namespace “test1”

.fusion-syntax-highlighter-80 > .CodeMirror, .fusion-syntax-highlighter-80 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-80 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-80 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ curl http://nginx-pod-ip-test1.fusion-syntax-highlighter-81 > .CodeMirror, .fusion-syntax-highlighter-81 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-81 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-81 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }Copy to ClipboardSyntax Highlighter$ curl http://nginx-pod-ip-test2

** **

Please find more networking policies on the below link.

https://docs.projectcalico.org/networking/determine-best-networking

About The Author*### Ancy Paul### Cloud DevOps Engineer | Cloud Control

Cloud DevOps Engineer with 3+ years of experience in cloud infrastructure automation and management, supporting, automating, and optimizing deployments to hybrid cloud platforms using DevOps processes, and containers in both Production and Development environments

KUBERNETES- * On Linked-In