Wednesday, March 3, 2021

Day 27 - Kubernetes - Network Policy (like Security group in aws) 3-03-2021

 
Class - Note

ingress/inbound rule -> an incoming packet passes through the firewall into your internal network.

Pod IPs always change: pods scale up and down and get new IPs frequently.

If you set a rule for a particular IP and the pod is replaced and its IP changes, the rule will no longer work.

POD -> label
    app=web

POD to POD connection
pod  -> Firewall  ->  POD

app=web    -> selector --> app=web => destination -> .10.30
will be able to connect


Whatever application you put inside a pod, something has to connect to it:
- either a client is going to connect, or
- another pod is going to connect

Client ---------> POD (App)
POD    ---------> POD (app)

Kubernetes knows all pods by their labels.

Whoever comes from this label, allow access.


We have worker nodes and each of them has multiple pods

w1        w2        w3
- p1        - p21        - p31
- p12        - p22        - p32
- p13        - p23        - p33
....        .....        .....

overlay network -> flannel

Try to implement a setup:
launch a node on AWS cloud,
- one on-prem
- one worker on Azure

Try to put one server somewhere,
and connect ..


flannel package / agent
helps send the packet from one pod to another, because of the overlay network

Does flannel have the capability to control (filter / firewall) the packets?
filter
- allow
- drop

No, or I don't know how to control packets with it.
That's why we have to change from flannel to something else, or add some plugins.

Go to Google and search for "cni plugins"

There are lots of plugins available.

There is a plugin called Calico which supports network policy.

There is another one, Weave Net
- supports networking and network policy


> ssh -i mykey -l ec2-user 53.56.45.123

Follow the doc to quickly create the cluster

# kubeadm init --pod-network-cidr=10/16 ...


1. Launch new node
> ssh -i sshkey -l ec2-user 109.128.200.21


get kubeadm
and join the master
# kubeadm join ...


connect to another node and join
# kubeadm join 1... --node-name node2

At master (kc here is an alias for kubectl)
# kc get nodes
# kc get po -n kube-system

coredns is running

download weave

go to the section
"Integrating Kubernetes via the Addon"

installation: one command

it launches weave as a DaemonSet

# kc apply -f "https://cloud.weave.works/..."

# kc get nodes
# kc get po -n kube-system

Kubernetes itself has no network plugin of its own (that comes from the CNI plugin),
but it does define the network policy resource.


@master node
# ps aux | grep -i kubelet

kubelet decides which network plugin you are using

kubelet behind the scenes uses a config file

# cd /etc/cni/net.d

the CNI plug-in configs are here;
all network related config goes here.


There is a conf file
10-weave.conflist

# cat 10-weave.conflist

plug-ins are like programs that come with features.

All network related binaries go here
# cd /opt/cni/bin; ls

vlan, firewall, etc. are here..

in flannel -> on every node they launch a DHCP-like feature which allots IPs to pods.

so, technically, if you want to manage the addresses, or provide IPs, you can use
- a DHCP server (manages IPs for servers/pods)
- IPAM - IP address management.

IPAM does more or less the same as DHCP, but simpler.

# ps -ef | grep weave

you see weaver
Allocated
- network range
- IP range

weave -> network policy controller (weave-npc) is running


# kc create deployment myd --image=vimal13/apache-webserver-php --replicas=3

# kc get deploy

Expose
# kc expose deploy myd --port=80 --type=NodePort

anyone who knows the IP can connect

# kc get pod
# kc get deploy
# kc get svc

<ClusterID>:32514    (node IP and NodePort)
You can connect

now, apply the policy

# kc get networkpolicy

there is no network policy yet

Let's create a network policy
- resource: NetworkPolicy

See if there is a command
# kc create -h

look for network policy -> nothing found
so we have to create a yaml file

mynp.yaml (my network policy)
# cat mynp.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myfirewall    # name of my firewall


# kc create -f mynp.yaml

now go to your web browser and refresh the page
<ClusterID>:32514

you don't have connectivity

as soon as you put the firewall in place, all traffic from anywhere to anywhere, on any port, is denied.

the policy is deny all unless explicitly allowed.

if the policy has no rule allowing the traffic, it denies everything.

least privilege

# kc describe networkpolicy myfirewall

Let's say we want to allow
I want any traffic coming in to be allowed

# cat mynp.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myfirewall

spec:
  policyTypes:
    - Ingress


two policy types
- Ingress
- Egress

pod running -> anyone from outside can connect / be dropped
- the pod can go out and update software or something ...
- download and update
- outgoing (egress) is mostly allowed
- ingress - denied by default

now, apply

# kc apply -f mynp.yaml

got an error
which pods do you want this to apply to?



# cat mynp.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myfirewall

spec:
  policyTypes:
    - Ingress
  ingress:
    - {}    # allow all


# cat mynp.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myfirewall

spec:
  policyTypes:
    - Ingress
  ingress:
    - {}    # allow all
  podSelector:    # left empty (null) here; it needs a value, use {} to select every pod
# kc apply -f mynp.yaml

again got an error
pod selector is missing

# kc describe networkpolicy myfirewall

allows all the pods
from any IP
any pod in any namespace (default)

now, refresh the page, you will see the output.

<ClusterID>:32514

this is an allow-all rule, which is bad
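Most of the errors hit in these notes (a missing pod selector, policyType instead of policyTypes, ingress instead of Ingress, protocal) only show up when kubectl rejects the file, and the allow-all `{}` rule is accepted silently. The check below is an added example, not part of the course or of Kubernetes itself: a small linter for a NetworkPolicy given as a Python dict (the shape yaml.safe_load would produce from the manifest). It flags unknown keys with the closest valid name, a missing podSelector, wrong policyTypes case, a bad protocol, an except range that is not a proper subnet of its cidr, and rules that allow more than intended. The BROKEN and FIXED manifests at the bottom are constructed to mirror the mistakes made above.

```python
import difflib
import ipaddress

# Allowed keys per level of a networking.k8s.io/v1 NetworkPolicy (the fields used in these notes).
SPEC_KEYS = {"podSelector", "policyTypes", "ingress", "egress"}
PEER_KEYS = {"podSelector", "namespaceSelector", "ipBlock"}
PORT_KEYS = {"protocol", "port", "endPort"}
POLICY_TYPES = {"Ingress", "Egress"}
PROTOCOLS = {"TCP", "UDP", "SCTP"}


def _unknown_keys(mapping, allowed, where):
    """Flag keys that are not in the schema and suggest the closest valid name."""
    findings = []
    for key in mapping:
        if key in allowed:
            continue
        hint = difflib.get_close_matches(key, sorted(allowed), n=1, cutoff=0.6)
        suffix = f" (did you mean '{hint[0]}'?)" if hint else ""
        findings.append(f"{where}: unknown key '{key}'{suffix}")
    return findings


def _check_ipblock(block, where):
    """cidr and each except entry must be real networks (no host bits), and except must sit inside cidr."""
    try:
        cidr = ipaddress.ip_network(block["cidr"])
    except (KeyError, ValueError) as exc:
        return [f"{where}.cidr: invalid ({exc})"]
    findings = []
    for entry in block.get("except") or []:
        try:
            net = ipaddress.ip_network(entry)
        except ValueError as exc:
            findings.append(f"{where}.except: invalid '{entry}' ({exc})")
            continue
        if not net.subnet_of(cidr):
            findings.append(f"{where}.except: '{entry}' is not inside cidr {cidr}")
    return findings


def lint_policy(doc):
    """Return a list of problems found in a NetworkPolicy dict; an empty list means it looks fine."""
    findings = []
    if doc.get("apiVersion") != "networking.k8s.io/v1" or doc.get("kind") != "NetworkPolicy":
        findings.append("apiVersion/kind: expected networking.k8s.io/v1 NetworkPolicy")
    spec = doc.get("spec")
    if not isinstance(spec, dict):
        return findings + ["spec: missing"]
    findings += _unknown_keys(spec, SPEC_KEYS, "spec")
    if not isinstance(spec.get("podSelector"), dict):
        findings.append("spec.podSelector: required (use {} to select every pod in the namespace)")
    for ptype in spec.get("policyTypes") or []:
        if ptype not in POLICY_TYPES:
            findings.append(f"spec.policyTypes: '{ptype}' is not one of {sorted(POLICY_TYPES)} (case matters)")
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(spec.get(direction) or []):
            where = f"spec.{direction}[{i}]"
            if rule == {}:
                findings.append(f"{where}: empty rule allows every source and every port")
            findings += _unknown_keys(rule, {peer_key, "ports"}, where)
            if direction == "ingress" and rule.get("ports") and not rule.get("from"):
                findings.append(f"{where}: ports without from allows any source on those ports")
            for j, peer in enumerate(rule.get(peer_key) or []):
                findings += _unknown_keys(peer, PEER_KEYS, f"{where}.{peer_key}[{j}]")
                if "ipBlock" in peer:
                    findings += _check_ipblock(peer["ipBlock"], f"{where}.{peer_key}[{j}].ipBlock")
            for j, port in enumerate(rule.get("ports") or []):
                findings += _unknown_keys(port, PORT_KEYS, f"{where}.ports[{j}]")
                if port.get("protocol", "TCP") not in PROTOCOLS:
                    findings.append(f"{where}.ports[{j}]: protocol must be one of {sorted(PROTOCOLS)}")
    return findings


# Constructed sample: the mistakes from the notes above, collected in one manifest.
BROKEN = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "myfirewall"},
    "spec": {                                    # no podSelector at all
        "policyTypes": ["ingress"],              # wrong case
        "ingress": [
            {"from": [{"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/16"]}}]},
            {"ports": [{"protocal": "TCP", "port": 80}]},   # typo, and a separate rule
        ],
    },
}
# Constructed sample: the corrected version of the same policy.
FIXED = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "myfirewall"},
    "spec": {"podSelector": {"matchLabels": {"app": "myd"}}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}}],
                          "ports": [{"protocol": "TCP", "port": 80}]}]},
}

if __name__ == "__main__":
    for finding in lint_policy(BROKEN):
        print("BROKEN:", finding)
    print("FIXED:", lint_policy(FIXED) or "no findings")
```

To lint a file from disk, load it with yaml.safe_load (PyYAML) and pass the resulting dict to lint_policy; the checks are deliberately stricter than the API server in one place, in that a cidr or except entry with host bits set (such as 172.17.1.0/16) is reported instead of being normalised.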

allow a particular port

Let's create a new deployment
# kc create deploy myd1 --image=httpd
# kc expose deploy myd1 --port=80 --type=NodePort

# kc get svc
get the ClusterIP and port

go to the browser and test, or use the cmd
> curl http://<ip>:<port>
connected

now, we'd like to restrict

how do you know which pod to restrict?
# kc get pod
# kc get pod --show-labels

allow this particular pod
check from the label

equality based
match (matchLabels)


# cat mynp.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myfirewall

spec:
  policyTypes:
    - Ingress
  ingress:
    - {}    # allow all ports/protocols from any source
  podSelector:
    matchLabels:
      app: myd    # this policy applies only to the myd pods

# kc apply -f mynp.yaml

# kc get pods
# vi



# cat mynp.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myfirewall

spec:
  podSelector:
    matchLabels:
      app: myd
  policyTypes:
    - Ingress
  ingress:
    - ports:
      - protocol: TCP
        port: 80    # only TCP/80 is allowed in; any other port is denied


# kc apply -f mynp.yaml
# kc describe networkpolicy myfirewall

> curl <ip>:<port>

denied

Google for "network policy in kubernetes"

you see a yaml @ k8s.io

you see ingress and egress rules

they set up a rule for IPs
cidr: ip/16 allows the whole block
except:
- ip/24 (excluded from it)



# cat mynp.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myfirewall

spec:
  podSelector:
    matchLabels:
      app: myd
  policyTypes:
    - Ingress
  ingress:
    - from:
      - ipBlock:
          cidr: 172.17.0.0/16
          except:
            - 172.17.1.0/24    # must lie inside cidr
      ports:                   # same rule as 'from': source AND port must both match
      - protocol: TCP
        port: 80


# kc apply -f mynp.yaml
# kc describe networkpolicy myfirewall
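To tie the whole progression together (no policy -> the pod is open; a policy that selects the pod but has no rules -> deny all; ingress: - {} -> allow all; a port-only rule; a from rule selecting pods by label, as in the app=web sketch at the top; an ipBlock with except), here is an added example that is not from the course and not Weave's or Kubernetes' code: a Python model of how the plugin decides whether an incoming connection to a pod is allowed. The pods, IPs and policies are constructed inline to mirror the manifests above, and SPLIT_RULES reproduces the draft in which ports sat in a second list item, which lets anyone reach TCP/80. Evaluation follows the documented semantics: a pod becomes isolated as soon as any Ingress policy selects it, and what gets through is the union of every matching rule across all selecting policies.

```python
import ipaddress

# Constructed pods in the "default" namespace, mirroring the two deployments above.
PODS = {
    "myd-1":  {"labels": {"app": "myd"},  "ip": "10.44.0.3"},
    "myd1-1": {"labels": {"app": "myd1"}, "ip": "10.44.0.7"},
}


def selector_matches(selector, labels):
    """matchLabels is equality based; an empty or missing selector matches every pod."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, src_pod, src_ip):
    """One entry of a rule's 'from' list: an ipBlock (minus its except ranges) or a podSelector."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(src_ip)
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"], strict=False):
            return False
        return not any(ip in ipaddress.ip_network(e, strict=False) for e in block.get("except", []))
    if "podSelector" in peer:
        return src_pod is not None and selector_matches(peer["podSelector"], src_pod["labels"])
    return False


def rule_allows(rule, src_pod, src_ip, port, protocol):
    """A rule allows traffic when both its 'from' and its 'ports' match; a missing list means 'any'."""
    froms, ports = rule.get("from"), rule.get("ports")
    src_ok = not froms or any(peer_matches(p, src_pod, src_ip) for p in froms)
    port_ok = not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)
    return src_ok and port_ok


def ingress_allowed(policies, dst_pod, src_ip, port=80, protocol="TCP", src_pod=None):
    """True if the connection is allowed. A pod that no Ingress policy selects is open;
    once selected it is isolated and only the union of the matching rules gets through."""
    isolated = False
    for pol in policies:
        spec = pol.get("spec") or {}
        if not selector_matches(spec.get("podSelector"), dst_pod["labels"]):
            continue
        if "Ingress" not in (spec.get("policyTypes") or ["Ingress"]):
            continue
        isolated = True
        if any(rule_allows(r, src_pod, src_ip, port, protocol) for r in spec.get("ingress") or []):
            return True
    return not isolated


def policy(name, pod_selector, ingress=None):
    """Build a NetworkPolicy dict the way the manifests above are written."""
    spec = {"podSelector": pod_selector, "policyTypes": ["Ingress"]}
    if ingress is not None:
        spec["ingress"] = ingress
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name}, "spec": spec}


MYD = {"matchLabels": {"app": "myd"}}
BLOCK = {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}}
TCP80 = {"protocol": "TCP", "port": 80}

DENY_ALL = policy("myfirewall", {})                       # selects every pod, no rules
ALLOW_ALL = policy("myfirewall", {}, [{}])                # the '- {}' rule
PORT_80 = policy("myfirewall", MYD, [{"ports": [TCP80]}])
FROM_MYD1 = policy("myfirewall", MYD, [{"from": [{"podSelector": {"matchLabels": {"app": "myd1"}}}]}])
IPBLOCK = policy("myfirewall", MYD, [{"from": [BLOCK], "ports": [TCP80]}])
SPLIT_RULES = policy("myfirewall", MYD, [{"from": [BLOCK]}, {"ports": [TCP80]}])   # the buggy draft

if __name__ == "__main__":
    for label, pols in [("none", []), ("deny-all", [DENY_ALL]), ("allow-all", [ALLOW_ALL]),
                        ("port-80", [PORT_80]), ("ipblock", [IPBLOCK]), ("split", [SPLIT_RULES])]:
        print(label, ingress_allowed(pols, PODS["myd-1"], "10.0.0.1", port=80))
```

The split-rules case is the one worth remembering: two list items under ingress are two independent allow rules, so "from this block" and "to port 80" in separate items means port 80 from anywhere, not port 80 from the block.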

