KUBERNETES NAMESPACE ISOLATION AT THE NETWORK LEVEL WITH CALICO

KUBERNETES NAMESPACE ISOLATION AT THE NETWORK LEVEL WITH CALICO 

 1. Install and setup Docker in master and node

Refer step 1 in document

2. Setup kubernetes master

• Login to the master and install kubelet, kubeadm and kubectl
• Initialisekubeadm
• Refer steps 2a, 2b, 2c in document

3. Setup Calico

Install calico with Kubernetes API datastore

• Download the Calico networking manifest for the Kubernetes API datastore.

• You can customize the manifest as necessary
• Apply the manifest using the following command

• Now check the pods on kube-system namespace where all the network components will be available.

• After adding the network, add the node to the cluster using the join command(result of kubeadminit ). For example:

• Now check the cluster for master and node

4. Creating a test environment

• For testing, we are creating two nginx HTTP-Servers in two namespaces and block all traffic between the two namespaces. Which means you will not get any content from namespace1 if you are sitting in namespace2.
• Setup the namespace with required resources.

# Create two namespaces

# Apply name labels to the newly created namespaces

# Create a standard HTTP web server

# Expose the port 80 for external access

# Check the components created in two namespaces.

5. Testing Phase 1 (Without network policy)

• Get the IP of all pods using the following commands

• Create a pod with curl preinstalled inside the namespace test1

• Get the index.html from the nginx of the namespace “test1”

Both calls are done in a pod within namespace test1 and both nginx servers are always reachable, no matter in what namespace.

6. Testing Phase 2 (With network policy)

• Inorder to isolate the namespace at network level, we have to apply network policy on both namespaces. A sample network policy is given below.

• This policy will block the access from namespace2
• Create a file networkpolicy-ns1.yaml and paste the above code.

• To apply the policy on namespace1, run the following command

• For namespace2, create another policy yaml

• Now check the connectivity between the pods again.
• Get the IP of all pods using the following commands

• Create a pod with curl preinstalled inside the namespace test1

• Get the index.html from the nginx of the namespace “test1”

• After this, curl http://ip-nginx-pod.test2 shouldn’t work anymore.

Please find more networking policies on the below link.

https://docs.projectcalico.org/networking/determine-best-networking

Cloud DevOps Engineer | Cloud Control

Cloud DevOps Engineer with 3+ years of experience in cloud infrastructure automation and management, supporting, automating, and optimizing deployments to hybrid cloud platforms using DevOps processes, and containers in both Production and Development environments