@joshrosso
Last active August 30, 2017 04:47
These are my notes from testing:

- Calico on Tectonic
- The new (and undocumented) SystemNetworkPolicy TPR introduced in calico-lib

1. Clone the repo containing the Calico additions and switch to the appropriate branch.

   ```sh
   git clone git@github.com:abhinavdahiya/tectonic-installer.git && \
     cd tectonic-installer && \
     git checkout calico_policy_support
   ```

2. Create the tf vars for the specific platform.

   ```sh
   PLATFORM=aws CLUSTER=calico make localconfig
   ```

3. Configure the tfvars.

   ```sh
   vim build/calico/terraform.tfvars
   ```

4. Apply the config (plan first if preferred).

   ```sh
   PLATFORM=aws CLUSTER=calico make apply
   ```

5. Create the namespace.

   ```sh
   kubectl create ns policy-demo
   ```

6. Set the default rule to disallow all ingress to pods in the namespace.

   ```sh
   kubectl create -f - <<EOF
   kind: NetworkPolicy
   apiVersion: extensions/v1beta1
   metadata:
     name: default-deny
     namespace: policy-demo
   spec:
     podSelector:   # empty selector: applies to every pod in policy-demo
   EOF
   ```

7. In the namespace policy-demo, disallow all egress traffic unless the egress traffic's destination is in the namespace policy-demo. In other words, pods running in policy-demo may only send traffic to other pods in policy-demo. Note the SNP must be created in kube-system, otherwise felix will not enforce it.

   ```yaml
   apiVersion: "alpha.projectcalico.org/v1"
   kind: SystemNetworkPolicy
   metadata:
     name: ns-egress
     namespace: kube-system
   spec:
     selector: calico/k8s_ns == 'policy-demo'
     order: 500
     egress:
     - action: deny
       destination:
         notSelector: calico/k8s_ns == 'policy-demo'
   ```

8. Allow pods with the label run=nginx inside of namespace policy-demo to accept traffic on port 80 from pods labeled run=access inside of namespace policy-demo. Note the SNP must be created in kube-system, otherwise felix will not enforce it.

   ```yaml
   apiVersion: "alpha.projectcalico.org/v1"
   kind: SystemNetworkPolicy
   metadata:
     name: policy-demo-app-class
     namespace: kube-system
   spec:
     order: 0
     selector: calico/k8s_ns == 'policy-demo'
     ingress:
     - action: allow
       protocol: tcp
       source:
         selector: calico/k8s_ns == 'policy-demo' && run == 'access'
       destination:
         selector: calico/k8s_ns == 'policy-demo' && run == 'nginx'
         ports: [80]
   ```

9. Run nginx.

   ```sh
   kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx && \
   kubectl expose --namespace=policy-demo deployment nginx --port=80
   ```

10. Run busybox.

    ```sh
    kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
    ```

11. Call the cluster IP of the nginx service and observe that traffic is now routable.

12. Remove the above policies one by one to verify that access is removed (i.e. be sure to start another busybox and test that the policy you removed is no longer restricting access).
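To reason about what steps 11 and 12 should show before touching a cluster, here is an added example (not part of the original gist, and not Calico's own code) that models Calico's lowest-order-first, first-matching-rule-wins evaluation for exactly the three policies above. It assumes the constructed label sets below stand in for the nginx, access and an out-of-namespace pod, reduces the selector grammar to the `key == 'value' && ...` form used in these notes, and treats the default-deny NetworkPolicy as the ingress fallback for policy-demo.

```python
# Constructed label sets for the pods these notes create, plus one pod outside the namespace.
ACCESS = {"calico/k8s_ns": "policy-demo", "run": "access"}
NGINX = {"calico/k8s_ns": "policy-demo", "run": "nginx"}
OUTSIDER = {"calico/k8s_ns": "default", "run": "other"}
# The two SystemNetworkPolicy specs from the notes, reduced to plain dicts.
POLICIES = [
    {"order": 500, "selector": "calico/k8s_ns == 'policy-demo'", "ingress": [], "egress": [
        {"action": "deny", "destination": {"notSelector": "calico/k8s_ns == 'policy-demo'"}}]},
    {"order": 0, "selector": "calico/k8s_ns == 'policy-demo'", "egress": [], "ingress": [
        {"action": "allow", "protocol": "tcp",
         "source": {"selector": "calico/k8s_ns == 'policy-demo' && run == 'access'"},
         "destination": {"selector": "calico/k8s_ns == 'policy-demo' && run == 'nginx'", "ports": [80]}}]},
]

def match(selector, labels):
    """Evaluate the selector grammar used in these notes: `key == 'value'` terms joined by &&."""
    for term in selector.split("&&"):
        key, _, value = term.partition("==")
        if labels.get(key.strip()) != value.strip().strip("'"):
            return False
    return True

def rule_matches(rule, src, dst, proto, port):
    """Protocol, source clause and destination clause must all hold."""
    if rule.get("protocol", proto) != proto:
        return False
    for side, labels in (("source", src), ("destination", dst)):
        c = rule.get(side, {})
        if ("selector" in c and not match(c["selector"], labels)) or \
           ("notSelector" in c and match(c["notSelector"], labels)) or \
           ("ports" in c and port not in c["ports"]):
            return False
    return True

def verdict(direction, src, dst, proto="tcp", port=80):
    """Lowest `order` applies first and the first matching rule wins. Fallback: egress
    is allowed; ingress into policy-demo is denied by the notes' default-deny NetworkPolicy."""
    subject = dst if direction == "ingress" else src
    for pol in sorted(POLICIES, key=lambda p: p["order"]):
        if match(pol["selector"], subject):
            for rule in pol[direction]:
                if rule_matches(rule, src, dst, proto, port):
                    return rule["action"]
    if direction == "ingress" and dst.get("calico/k8s_ns") == "policy-demo":
        return "deny"
    return "allow"

def connection_allowed(src, dst, proto="tcp", port=80):
    """A flow needs an egress allow at the source and an ingress allow at the destination."""
    return all(verdict(d, src, dst, proto, port) == "allow" for d in ("egress", "ingress"))
```

With all three policies in place only `connection_allowed(ACCESS, NGINX)` is true; dropping a policy from `POLICIES` mirrors step 12 and shows which flows open up.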
