KUBERNETES NAMESPACE ISOLATION AT THE NETWORK LEVEL WITH CALICO
1. Install and setup Docker in master and node
Refer to step 1 in the document.
2. Setup kubernetes master
- Login to the master and install kubelet, kubeadm and kubectl
- Initialise kubeadm
- Refer to steps 2a, 2b and 2c in the document.
3. Setup Calico
Install Calico with the Kubernetes API datastore.
- Download the Calico networking manifest for the Kubernetes API datastore.
- You can customize the manifest as necessary.
- Apply the manifest using the following command
- Now check the pods in the kube-system namespace, where all the network components will be running.
- After the network is up, add the node to the cluster using the join command (printed by kubeadm init). For example:
- Now check that the cluster shows both the master and the node.
4. Creating a test environment
- For testing, we create two nginx HTTP servers in two namespaces and block all traffic between them. This means you will not get any content from namespace1 if you are in namespace2.
- Set up the namespaces with the required resources.
# Create two namespaces
# Apply name labels to the newly created namespaces
# Create a standard HTTP web server
# Expose the port 80 for external access
# Check the components created in two namespaces.
5. Testing Phase 1 (Without network policy)
- Get the IP of all pods using the following commands
- Create a pod with curl preinstalled inside the namespace test1
- Get the index.html from the nginx of the namespace “test1”
Both calls are made from a pod within namespace test1, and both nginx servers are reachable regardless of which namespace they are in.
6. Testing Phase 2 (With network policy)
- In order to isolate the namespaces at the network level, we have to apply a network policy in both namespaces. A sample network policy is given below.
- This policy will block access from namespace2.
- Create a file networkpolicy-ns1.yaml and paste the above code.
- To apply the policy in namespace1, run the following command
- For namespace2, create another policy YAML
- Now check the connectivity between the pods again.
- Get the IP of all pods using the following commands
- Create a pod with curl preinstalled inside the namespace test1
- Get the index.html from the nginx of the namespace “test1”
- After this, curl http://ip-nginx-pod.test2 shouldn’t work anymore.
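As an added example (not the post's own YAML), here is one way to write the two isolation policies described above. It assumes the namespaces are test1 and test2 and that step 4 labelled each namespace with name=test1 / name=test2.

```yaml
# Added example, not from the original post. Assumes namespaces test1 and
# test2, each labelled name=<namespace>, as done in step 4.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: test1
spec:
  # Empty podSelector: the policy applies to every pod in test1.
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  # Only pods in namespaces labelled name=test1 may connect. Any source that
  # matches no rule (test2, unlabelled namespaces, external clients) is denied.
  - from:
    - namespaceSelector:
        matchLabels:
          name: test1
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: test2
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: test2
```

Once a NetworkPolicy selects a pod, that pod's ingress is default-deny except for the listed rules, so a namespace without its own policy stays fully open; also note these policies restrict only Ingress, so a pod in test1 can still send traffic to test2 and simply gets no answer.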
More networking policies can be found at the link below.
https://docs.projectcalico.org/networking/determine-best-networking
About The Author
ANCY PAUL
Cloud DevOps Engineer | Cloud Control
Cloud DevOps Engineer with 3+ years of experience in cloud infrastructure automation and management, supporting, automating and optimizing deployments to hybrid cloud platforms using DevOps processes and containers in both production and development environments.