This lab covers the Kubernetes feature of Network Policy. The lab utilizes the `kops` installer to create a cluster using the Calico network overlay. The student is guided through the process of first creating a network policy that prohibits pod access, followed by another policy that grants pod access to certain clients and a named server.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Create the Kubernetes Cluster
The `k8s-create.sh` script should be in the cloud_user’s home directory. You may list the directory contents with:
$ ls -l
To run the script, enter the following command:
$ . ./k8s-create.sh
Note: Be sure to have a space between the . and the ./ in front of the script. Sourcing the script this way ensures that environment variables set in the script are then available to the parent shell.
Once the cluster configuration has been created, you can apply the configuration with this command:
$ kops update cluster -y
Note: To view the cluster servers as they are being created, you may use the AWS console and the credentials provided.
You may validate the cluster with the command:
$ kops validate cluster
It will give errors until the cluster is fully configured.
When complete, it should report that the cluster is ready.
Verify the cluster is running with:
$ kubectl get nodes
- Configure the Required Namespace
To configure the namespace for this lab, create a namespace called ‘policy-demo’ by entering:
$ kubectl create ns policy-demo
The command should respond with an affirmation that the namespace was created.
- Create the Demo Pods
Run two replicas of the nginx service:
$ kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx
Expose the service on port 80:
$ kubectl expose --namespace=policy-demo deployment nginx --port=80
Run an interactive session in a pod called access using the busybox image:
$ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
Once inside the container, type this command to verify access to the nginx server:
/ # wget -q nginx -O -
This should respond with the raw HTML from nginx.
To exit the interactive container session:
/ # exit
- Enable Isolation
To download the YAML file:
$ wget https://raw.github.com/linuxacademy/content-kubernetes-security-ac/master/default-deny.yaml
To view the YAML file:
$ more default-deny.yaml
To create the policy:
$ kubectl create -f default-deny.yaml
- Test Isolation
To view that the nginx pods are running:
$ kubectl --namespace=policy-demo get pods
To run an interactive container to test access:
$ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
Within the access container, enter:
/ # wget -q --timeout=5 nginx -O -
Note: The request should time out after 5 seconds, because the default-deny policy now blocks all ingress to the nginx pods.
To exit the container shell:
/ # exit
- Allow Restricted Access Using a Network Policy
To download the YAML file:
$ wget https://raw.github.com/linuxacademy/content-kubernetes-security-ac/master/access-nginx.yaml
To look at the file:
$ more access-nginx.yaml
To create the policy:
$ kubectl create -f access-nginx.yaml
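The two manifests downloaded in the Enable Isolation and Allow Restricted Access steps are not shown in the lab text. The following is an added, reconstructed pair of NetworkPolicy objects that produce the behaviour the lab describes (deny everything, then allow only the access pod); it is not the contents of the repository's own files, and it assumes that `kubectl run <name>` labels its pods with `run=<name>`, which is what the `kubectl expose` service selector and the allow rule below rely on.

```yaml
# default-deny (reconstructed, not the repository's file): selects every pod in
# policy-demo; with no ingress rules listed, all inbound traffic to those pods
# is dropped once a policy selects them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: policy-demo
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
  - Ingress                # only ingress is restricted; egress (e.g. DNS lookups) still works
---
# access-nginx (reconstructed): allow ingress to pods labelled run=nginx only
# from pods labelled run=access. Policies are additive, so this allow rule is
# unioned with default-deny. The pod named access (label run=access) matches;
# the pod named not-access (label run=not-access) does not, so it times out.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: policy-demo
spec:
  podSelector:
    matchLabels:
      run: nginx           # the nginx deployment's pods
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: access      # only the access pod may connect
```

To tighten this further, add a `ports:` entry (protocol TCP, port 80) under the ingress rule so the access pod can reach only the nginx listener rather than every port on the pod; a NetworkPolicy is only enforced when the CNI plugin supports it, which is why this lab uses Calico.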
- Verify Access to nginx from the access Pod
Run an interactive pod called access with an interactive shell:
$ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
Once inside the container session, test nginx access:
/ # wget -q --timeout=5 nginx -O -
Note: Since we are in a pod named ‘access’, which the new policy allows, we should be able to access the nginx service.
To exit the container shell:
/ # exit
- Verify That Access to nginx Is Not Allowed from Another Pod
Run a container shell in a pod called ‘not-access’:
$ kubectl run --namespace=policy-demo not-access --rm -ti --image busybox /bin/sh
Within the container attempt to access nginx:
/ # wget -q --timeout=5 nginx -O -
Note: This command should time out after 5 seconds, because the ‘not-access’ pod is not matched by the allow rule.
To exit the container shell:
/ # exit
- Delete the Namespace to Clean Up
To delete the namespace, which terminates the running pods and removes the network policies created in it, enter:
$ kubectl delete ns policy-demo