26-10-2022 Belgium Kubernetes and Cloudnative Meetup

Kubernetes native network security policies

These labs require a K8S cluster with Cilium or Calico CNI installed. For a quickstart, check out: https://learn.microsoft.com/en-gb/azure/aks/azure-cni-powered-by-cilium For overlay mode, also complete and read https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay.

Setting up a lab environment

kubectl create ns prod-nginx
kubectl create ns dev-nginx
kubectl create ns myhackns

kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: prod-nginx
  labels:
    app: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        env: prod
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
EOF

Check connectivity

For the sake of simplicity, open a second terminal

Inside the pod (you can keep it open, because network policies are applied on running pods)

Network policies

Default-deny

Apply a default-deny all policy

Check connectivity

DNS egress

Fix the DNS resolving If required (depending on cluster initialisation) label the kube-system namespace

HTTP ingress (server-side)

Enable access on port 80

Check connectivity

HTTP egress (client-side)

HTTP ingress different namespace (client-side)

Connectivity form a different namespace ...

or

Additional examples

Fix access from dev-nginx namespace

Advanced: Cilium cluster wide network policy example

In an other terminal

Retun to the pod

Cleanup