KUBERNETES NAMESPACE ISOLATION AT THE NETWORK LEVEL WITH CALICO
1. Install and set up Docker on the master and the node
Refer to step 1 in the document.
2. Set up the Kubernetes master
- Log in to the master and install kubelet, kubeadm and kubectl
- Initialise the cluster with kubeadm init
- Refer to steps 2a, 2b and 2c in the document
3. Set up Calico
Install Calico with the Kubernetes API datastore:
- Download the Calico networking manifest for the Kubernetes API datastore.
- Customise the manifest as necessary (the pod CIDR in the manifest must match the --pod-network-cidr given to kubeadm init).
- Apply the manifest with kubectl apply -f.
- Check the pods in the kube-system namespace, where all the network components run: the calico-node pods (one per node) and calico-kube-controllers should reach the Running state before you continue. A NetworkPolicy object is accepted by the API server whether or not a network plugin enforces it; only with a policy-capable plugin such as Calico running does it have any effect, so an isolation test against a cluster without one passes traffic silently.
- After the network is up, add the node to the cluster using the join command printed by kubeadm init (kubeadm join ...).
- Check the cluster: kubectl get nodes should list both the master and the node as Ready.
4. Creating a test environment
- For testing, we create two nginx HTTP servers in two namespaces (test1 and test2) and block all traffic between the two namespaces. This means a pod in namespace2 cannot get any content from namespace1, and vice versa.
- Set up the namespaces with the required resources:
# Create the two namespaces
# Apply a name label to each newly created namespace. The network policy later selects the permitted source namespace by this label, so it must be present before the policy can allow same-namespace traffic. (Kubernetes 1.21 and later also set the kubernetes.io/metadata.name label on every namespace automatically, which can be used instead of a custom label.)
# Create a standard HTTP web server (nginx) in each namespace
# Expose port 80 of each server as a Service so the test pods can reach it by name
# Check the components created in the two namespaces
5. Testing Phase 1 (without network policy)
- Get the IPs of all pods in both namespaces (kubectl get pods -o wide shows the pod IP).
- Create a pod with curl preinstalled inside the namespace test1.
- From that pod, get index.html from the nginx in namespace test1, then from the nginx in namespace test2.
Both calls are made from a pod within namespace test1, and both nginx servers are reachable no matter which namespace they are in: with no NetworkPolicy selecting a pod, Kubernetes allows all pod-to-pod traffic, across namespaces included.
6. Testing Phase 2 (with network policy)
- In order to isolate the namespaces at the network level, we have to apply a network policy in both namespaces. A namespace-isolation policy selects all pods in its namespace (an empty podSelector), lists Ingress in policyTypes, and allows ingress only from pods whose namespace carries that namespace's label. Traffic from any other namespace matches no rule and is dropped.
- The policy in namespace1 (test1) blocks access from namespace2 to namespace1. It does nothing to traffic in the other direction: NetworkPolicy is additive and isolates a pod only in the directions a policy applied to it names, so pods in namespace1 can still reach namespace2 until namespace2 gets its own policy.
- Create a file networkpolicy-ns1.yaml containing the policy for namespace1.
- Apply it with kubectl apply -f networkpolicy-ns1.yaml.
- For namespace2, create another policy yaml with the namespace name and label changed to namespace2's, and apply it the same way.
- Now check the connectivity between the pods again:
- Get the IPs of all pods as before.
- Create a pod with curl preinstalled inside the namespace test1 (or reuse the one from phase 1; existing pods are covered by the policy as soon as it is applied).
- Get index.html from the nginx of namespace test1. This still works, because the request comes from a pod in the same, labelled namespace.
- After this, the curl from the test1 pod to the nginx in test2 (curl http://ip-nginx-pod.test2 in the original commands) shouldn't work anymore. Because the policy drops the packets rather than rejecting them, curl hangs until its timeout instead of failing immediately, so give it a short --max-time. A "could not resolve host" error is not proof that the policy works; it means the name was wrong (a pod IP is not addressable as <ip>.<namespace>), so use the pod IP itself or the Service name, for example nginx.test2.svc.cluster.local if the Service is called nginx.
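The whole procedure from step 4 to step 6, as one added shell example that is not part of the original post and not the author's commands. It assumes the namespace names test1 and test2, a namespace label key named ns, a Service called nginx in each namespace, and a client pod called curl-client built from the curlimages/curl image; the NetworkPolicy it emits is the standard same-namespace-only ingress policy described above, not the post's own YAML.

```shell
#!/bin/sh
# Added example (not from the original post): build the two-namespace test
# environment, apply a per-namespace isolation NetworkPolicy and check
# connectivity. Assumed names: namespaces test1/test2, label key "ns",
# Service "nginx", client pod "curl-client" (image curlimages/curl).
set -u

# Step 4: namespaces, labels, an nginx Deployment plus Service in each
# namespace, and a curl client pod in test1. Needs kubectl and a cluster.
setup_env() {
  for ns in test1 test2; do
    kubectl create namespace "$ns"
    kubectl label namespace "$ns" "ns=$ns" --overwrite
    kubectl -n "$ns" create deployment nginx --image=nginx
    kubectl -n "$ns" expose deployment nginx --port=80
    kubectl -n "$ns" rollout status deployment/nginx --timeout=120s
  done
  kubectl -n test1 run curl-client --image=curlimages/curl --command -- sleep 3600
}

# Step 6: emit a NetworkPolicy that selects every pod in $1 (empty podSelector)
# and admits ingress only from pods in namespaces labelled ns=$1. Traffic from
# any other namespace matches no rule, so Calico drops it.
isolation_policy() {
  ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-${ns}
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          ns: ${ns}
EOF
}

# Apply the policy to one namespace (the post's networkpolicy-ns1.yaml step).
apply_isolation() {
  isolation_policy "$1" | kubectl apply -f -
}

# Steps 5 and 6: run curl inside the client pod of namespace $1 against $2
# with a 5 s timeout and print curl's exit code instead of aborting.
probe() {
  kubectl -n "$1" exec curl-client -- curl -s -m 5 -o /dev/null "$2"
  echo $?
}

# Interpret curl's exit code. A NetworkPolicy drops packets, so a blocked
# request shows up as a timeout (28), never as "connection refused" (7).
# Exit 6 (could not resolve host) means the URL is wrong, not that the policy
# works: a pod IP is not resolvable as "<ip>.<namespace>".
classify_curl_exit() {
  case "$1" in
    0)  echo allowed ;;
    28) echo blocked ;;
    6)  echo dns-failure ;;
    7)  echo refused ;;
    *)  echo "other:$1" ;;
  esac
}

# Phase 1 then phase 2: cross-namespace traffic must flow before the policies
# exist and be blocked afterwards, while same-namespace traffic keeps working.
# Returns non-zero if any expectation fails.
main() {
  setup_env
  kubectl -n test1 wait --for=condition=Ready pod/curl-client --timeout=120s
  same="http://nginx.test1.svc.cluster.local"
  cross="http://nginx.test2.svc.cluster.local"
  before=$(classify_curl_exit "$(probe test1 "$cross")")
  echo "phase 1, test1 -> test2: $before (expected allowed)"
  for ns in test1 test2; do apply_isolation "$ns"; done
  sleep 5   # give Calico a moment to program the policy on every node
  own=$(classify_curl_exit "$(probe test1 "$same")")
  after=$(classify_curl_exit "$(probe test1 "$cross")")
  echo "phase 2, test1 -> test1: $own (expected allowed)"
  echo "phase 2, test1 -> test2: $after (expected blocked)"
  [ "$before" = allowed ] && [ "$own" = allowed ] && [ "$after" = blocked ]
}

# Only touch a cluster when explicitly asked: sh isolate.sh run
if [ "${1:-}" = run ]; then main; fi
```

Run it as sh isolate.sh run with kubectl pointing at the cluster; without the argument it only defines the functions. The check is deliberately phrased around curl's exit code so that a timeout (the only outcome a dropped packet can produce) is not confused with a DNS or connection error. Both namespaces get a policy, so the isolation is symmetric; a second client pod in test2 would confirm the test2 -> test1 direction the same way.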
For more on Calico networking options and policies, see:
https://docs.projectcalico.org/networking/determine-best-networking
About The Author
Ancy Paul
Cloud DevOps Engineer | Cloud Control
Cloud DevOps Engineer with 3+ years of experience in cloud infrastructure automation and management, supporting, automating, and optimizing deployments to hybrid cloud platforms using DevOps processes, and containers in both Production and Development environments