KUBERNETES NAMESPACE ISOLATION AT THE NETWORK LEVEL WITH CALICO 

1. Install and set up Docker on the master and the node

Refer to step 1 in the document.

2. Set up the Kubernetes master

  • Log in to the master and install kubelet, kubeadm and kubectl
  • Initialise kubeadm
  • Refer to steps 2a, 2b and 2c in the document

3. Set up Calico

Install Calico with the Kubernetes API datastore

  • Download the Calico networking manifest for the Kubernetes API datastore.
  • Customise the manifest as necessary.
  • Apply the manifest using the following command.
  • Now check the pods in the kube-system namespace, where all the network components will be running.
  • After adding the network, add the node to the cluster using the join command (printed by kubeadm init). For example:
  • Now check that both the master and the node appear in the cluster.

4. Creating a test environment

  • For testing, we create two nginx HTTP servers in two namespaces and block all traffic between the namespaces, which means a pod in namespace2 cannot fetch any content from namespace1.
  • Set up the namespaces with the required resources.

# Create two namespaces

# Apply name labels to the newly created namespaces

# Create a standard HTTP web server

# Expose port 80 for external access

# Check the components created in the two namespaces.

5. Testing Phase 1 (Without network policy)

  • Get the IP of all pods using the following commands
  • Create a pod with curl preinstalled inside the namespace test1
  • Get the index.html from the nginx of the namespace “test1”

Both calls are made from a pod in namespace test1, and both nginx servers are reachable regardless of the namespace they run in.

6. Testing Phase 2 (With network policy)

  • In order to isolate the namespaces at the network level, we have to apply a network policy in each namespace. A sample network policy is given below.
  • This policy blocks access from namespace2.
  • Create a file networkpolicy-ns1.yaml and paste the above code.
  • To apply the policy in namespace1, run the following command.
  • For namespace2, create another policy YAML.
  • Now check the connectivity between the pods again.
  • Get the IP of all pods using the following commands
  • Create a pod with curl preinstalled inside the namespace test1
  • Get the index.html from the nginx of the namespace “test1”
  • After this, curl http://ip-nginx-pod.test2 should no longer work.
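As an added example (not the author's sample policy, which is not reproduced on this page), the following pair of NetworkPolicy manifests implements the isolation described in this section: each namespace accepts ingress only from pods in the same namespace, so the curl pod in test2 can no longer reach the nginx pod in test1. It assumes the namespaces were labelled name=test1 and name=test2 in step 4 (hypothetical label values); note that NetworkPolicy objects are only enforced by a CNI that implements them, which is why Calico was installed in step 3.

```yaml
# Added example, not the author's sample policy. Assumes the namespaces carry
# the labels name=test1 and name=test2 (hypothetical values from step 4).
#
# Namespace test1: the empty podSelector selects every pod in the namespace,
# and the single ingress rule allows traffic only from pods whose namespace
# has the label name=test1. Once a pod is selected by a policy with an
# ingress section, any source not listed is denied, so pods in test2 are blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: test1
spec:
  podSelector: {}           # applies to all pods in test1
  policyTypes:
    - Ingress               # only ingress is restricted; egress stays open
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: test1
---
# Mirror policy for namespace test2 (the second policy YAML from the text).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: test2
spec:
  podSelector: {}           # applies to all pods in test2
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: test2
```

Apply each manifest with kubectl apply -f and confirm it with kubectl describe networkpolicy -n test1, then repeat the curl test with a short timeout (for example curl --max-time 5) so the blocked request fails promptly instead of hanging.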


More networking policies can be found at the link below.

https://docs.projectcalico.org/networking/determine-best-networking

About The Author


Ancy Paul

Cloud DevOps Engineer | Cloud Control

Cloud DevOps Engineer with 3+ years of experience in cloud infrastructure automation and management, supporting, automating, and optimizing deployments to hybrid cloud platforms using DevOps processes, and containers in both Production and Development environments.