KUBERNETES NAMESPACE ISOLATION AT THE NETWORK LEVEL WITH CALICO

1. Install and set up Docker on the master and node

Refer to step 1 in the document.

2. Setup kubernetes master

  • Log in to the master and install kubelet, kubeadm and kubectl
  • Initialise kubeadm
  • Refer to steps 2a, 2b and 2c in the document

3. Setup Calico

Install Calico with the Kubernetes API datastore

  • Download the Calico networking manifest for the Kubernetes API datastore.
  • You can customise the manifest as necessary.
  • Apply the manifest using the following command.
  • Now check the pods in the kube-system namespace, where all the network components will be available.
  • After adding the network, add the node to the cluster using the join command (the output of kubeadm init). For example:
  • Now check the cluster for the master and node.

4. Creating a test environment

  • For testing, we create two nginx HTTP servers in two namespaces and block all traffic between the two namespaces, which means a pod in namespace2 will not get any content from namespace1.
  • Set up the namespaces with the required resources.

# Create two namespaces

# Apply name labels to the newly created namespaces

# Create a standard HTTP web server

# Expose port 80 for external access

# Check the components created in the two namespaces.

5. Testing Phase 1 (Without network policy)

  • Get the IP of all pods using the following commands.
  • Create a pod with curl preinstalled inside the namespace test1.
  • Get the index.html from the nginx of the namespace “test1”.

Both calls are made from a pod within namespace test1, and both nginx servers are always reachable, no matter which namespace they are in.

6. Testing Phase 2 (With network policy)

  • In order to isolate the namespaces at the network level, we have to apply a network policy on both namespaces. A sample network policy is given below.
  • This policy will block access from namespace2.
  • Create a file networkpolicy-ns1.yaml and paste the above code.
  • To apply the policy on namespace1, run the following command.
  • For namespace2, create another policy yaml.
  • Now check the connectivity between the pods again.
  • Get the IP of all pods using the following commands.
  • Create a pod with curl preinstalled inside the namespace test1.
  • Get the index.html from the nginx of the namespace “test1”.
  • After this, curl http://ip-nginx-pod.test2 shouldn’t work anymore.
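The two test phases above come down to one question: does any Ingress policy select the destination pod, and if so, does one of its rules admit the source namespace? The following is an added Python example (not code from the original post) that evaluates a constructed policy of the shape the post describes; it assumes the namespace label key is name, that the policy's podSelector is empty, and it also shows what happens when the label step is skipped.

```python
from typing import Dict, List

# Constructed namespace labels, as created by the "Apply name labels" step.
# test3 is deliberately left unlabelled to show what the label step protects against.
NAMESPACE_LABELS: Dict[str, Dict[str, str]] = {
    "test1": {"name": "test1"},
    "test2": {"name": "test2"},
    "test3": {},
}

# Constructed isolation policy for test1 (the post's own YAML is not reproduced here).
# An empty podSelector selects every pod in the namespace; the single ingress rule
# admits only peers whose namespace carries the label name=test1.
POLICY_TEST1: Dict = {
    "metadata": {"name": "deny-from-other-namespaces", "namespace": "test1"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "test1"}}}]}],
    },
}


def labels_match(selector: Dict, labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every selector key must be present with an equal value."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies: List[Dict], ns_labels: Dict[str, Dict[str, str]],
                    src_ns: str, dst_ns: str) -> bool:
    """Decide whether a pod in src_ns may open a connection to a pod in dst_ns.

    Pods selected by no Ingress policy are non-isolated, so everything is allowed
    (Phase 1). Once any Ingress policy selects the destination, traffic passes only
    if at least one rule of a selecting policy admits the source namespace (Phase 2).
    Pod-level selectors are ignored here; the post's policies select whole namespaces.
    """
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst_ns
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])]
    if not selecting:
        return True
    src_labels = ns_labels.get(src_ns, {})
    return any(
        labels_match(peer["namespaceSelector"], src_labels)
        for policy in selecting
        for rule in policy["spec"].get("ingress", [])
        for peer in rule.get("from", [])
        if "namespaceSelector" in peer
    )
```

The last case in the checks below is the one to remember: if the namespace itself never received its name label, the policy blocks even intra-namespace traffic, which is why the labelling step comes before the policy.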


Please find more networking policies at the link below.

https://docs.projectcalico.org/networking/determine-best-networking

About The Author

Ancy Paul

Cloud DevOps Engineer | Cloud Control

Cloud DevOps Engineer with 3+ years of experience in cloud infrastructure automation and management, supporting, automating and optimising deployments to hybrid cloud platforms using DevOps processes and containers in both production and development environments.
