KUBERNETES NAMESPACE ISOLATION AT THE NETWORK LEVEL WITH CALICO
1. Install and set up Docker on the master and the node
Refer to step 1 in the document
2. Set up the Kubernetes master
- Log in to the master and install kubelet, kubeadm and kubectl
- Initialise the control plane with kubeadm init
- Refer to steps 2a, 2b and 2c in the document
3. Setup Calico
Install Calico with the Kubernetes API datastore
- Download the Calico networking manifest for the Kubernetes API datastore.
- Customise the manifest as necessary (the pod CIDR in the manifest must match the --pod-network-cidr you gave to kubeadm init).
- Apply the manifest with kubectl.
Now check the pods in the kube-system namespace, where all the network components run, and wait until the calico-node and calico-kube-controllers pods are Running.
After adding the network, add the node to the cluster using the join command (printed at the end of kubeadm init).
Now check the cluster and confirm that both master and node are listed as Ready.
4. Creating a test environment
- For testing, we create two nginx HTTP servers in two namespaces, test1 and test2, and block all traffic between the two namespaces. This means you will not get any content from test1 if you are sitting in test2, and vice versa.
- Set up each namespace with the required resources.
# Create the two namespaces
# Apply a name label to each newly created namespace (the network policy later selects the source namespace by this label)
# Create a standard nginx HTTP web server in each namespace
# Expose port 80 for external access
# Check the components created in the two namespaces
5. Testing Phase 1 (Without network policy)
- Get the IPs of all pods in both namespaces.
- Create a pod with curl preinstalled inside the namespace test1.
- From that pod, get index.html from the nginx in namespace test1, then from the nginx in namespace test2.
Both calls are made from a pod within namespace test1, and without a policy both nginx servers are reachable, no matter which namespace they are in.
6. Testing Phase 2 (With network policy)
- In order to isolate the namespaces at the network level, we have to apply a network policy in both namespaces. A sample network policy is given below.
- This policy blocks access to the pods in namespace test1 from namespace test2. A NetworkPolicy only restricts the traffic directions it lists, so restricting ingress to test1 stops test2 from reaching test1 but says nothing about test1 reaching test2; that is why each namespace needs its own policy.
- Create a file networkpolicy-ns1.yaml and paste the above policy into it.
- To apply the policy to namespace test1, run kubectl apply on that file.
- For namespace test2, create another policy YAML in the same way, with test2 as the selected namespace, and apply it.
- Keep in mind that the same rule applies to the service exposed for external access in step 4: a request arriving from outside the cluster does not originate from a pod in a labelled namespace, so it is blocked too unless the policy adds an explicit ingress rule for it.
- Now check the connectivity between the pods again: get the IPs of all pods, create the pod with curl preinstalled inside the namespace test1 and fetch index.html from the nginx in namespace test1, then from the nginx in namespace test2.
- After this, curl http://ip-nginx-pod.test2 shouldn't work anymore (the request hangs until curl times out, because Calico drops the denied packets rather than rejecting them), while the request to the nginx in test1 still succeeds.
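The complete procedure of steps 4 to 6 as one script, added here as an example; it is not the original post's code. It assumes the namespace names test1 and test2, the label key name, a service called nginx in each namespace (so the in-cluster DNS name is nginx.<namespace>.svc.cluster.local), the nginx and curlimages/curl image tags used below, and a RUN_DEMO environment variable that gates everything that talks to the cluster. The policy itself is an ingress-only NetworkPolicy that selects every pod in a namespace and admits traffic solely from pods in namespaces carrying that namespace's name label, which is the shape of policy the text describes.

```shell
# Added example, not the original post's commands: builds the two-namespace
# test environment the way the post describes (namespace, name label, nginx
# pod, service), emits one "same-namespace only" NetworkPolicy per namespace
# and probes connectivity with curl before and after applying it.
# Assumptions: namespaces test1/test2, label key "name", a service named nginx
# in each namespace, and the nginx/curl image tags used below.
set -eu

NS1=${NS1:-test1}
NS2=${NS2:-test2}

# NetworkPolicy for namespace $1: podSelector {} selects every pod in it, and
# ingress is admitted only from pods whose namespace carries name=$1. Only
# Ingress is listed in policyTypes, so egress (including DNS) is untouched;
# that is why the other direction needs the other namespace's own policy.
netpol_yaml() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: $1
EOF
}

# Namespace with the name label the policy matches on, one nginx pod and a
# ClusterIP service in front of it (the post exposed it for external access).
setup_ns() {
  kubectl create namespace "$1"
  kubectl label namespace "$1" "name=$1"
  kubectl run nginx -n "$1" --image=nginx:1.25 --labels=app=nginx --port=80
  kubectl expose pod nginx -n "$1" --port=80
  kubectl wait -n "$1" --for=condition=Ready pod/nginx --timeout=120s
}

# Fetch / from the nginx service in namespace $2 via a throwaway curl pod in
# namespace $1. Succeeds only on HTTP 200 within 5 s; when the policy drops
# the SYN, curl times out and prints 000, so the function fails.
probe() {
  PROBE_N=$((${PROBE_N:-0} + 1))
  kubectl run "probe-$$-$PROBE_N" -n "$1" --rm -i --restart=Never \
    --image=curlimages/curl:8.5.0 -- \
    curl -s -m 5 -o /dev/null -w '%{http_code}\n' "http://nginx.$2.svc.cluster.local/" \
    | grep -q '^200$'
}

# Compare one probe ($1 -> $2) with the expected outcome, "open" or "blocked".
check() {
  if probe "$1" "$2"; then got=open; else got=blocked; fi
  if [ "$got" = "$3" ]; then echo "PASS $1 -> $2: $got"; return 0; fi
  echo "FAIL $1 -> $2: $got (expected $3)"; return 1
}

demo() {
  setup_ns "$NS1"; setup_ns "$NS2"
  echo "Phase 1: no policy, cross-namespace traffic is open"
  check "$NS1" "$NS1" open
  check "$NS1" "$NS2" open
  netpol_yaml "$NS1" | kubectl apply -f -
  netpol_yaml "$NS2" | kubectl apply -f -
  echo "Phase 2: policy applied, only same-namespace traffic is allowed"
  check "$NS1" "$NS1" open
  check "$NS1" "$NS2" blocked
  check "$NS2" "$NS1" blocked
}

# Only touch a cluster when explicitly asked, so the file can be sourced to
# emit the YAML ('netpol_yaml test1') without side effects.
if [ "${RUN_DEMO:-0}" = "1" ]; then demo; fi
```

Run it with RUN_DEMO=1 against a cluster where Calico is already up; because set -e is in effect, the first FAIL aborts the script with a non-zero exit, which is what you want in a pipeline that gates on isolation actually being enforced. Sourcing the file without RUN_DEMO only defines the functions, so netpol_yaml test2 > networkpolicy-ns2.yaml gives you the second policy file from the text.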
More on Calico networking and policy can be found at the link below.
https://docs.projectcalico.org/networking/determine-best-networking
About The Author
Ancy Paul
Cloud DevOps Engineer | Cloud Control
Cloud DevOps Engineer with 3+ years of experience in cloud infrastructure automation and management: supporting, automating and optimising deployments to hybrid cloud platforms using DevOps processes and containers, in both production and development environments.