Configuring network policies
In some cases you want to explicitly allow access to your application. This can be done by creating network policies. APL supports 2 types of network policies:
-
Policies for ingress traffic inside the cluster.
-
Policies for egress traffic to go outside of the cluster (to access external FQDNs).
Understanding Internal Ingress Network Policies
The internal ingress network policies allow you to:
-
Deny all traffic to Pods (default mode)
-
Allow selected Workload Pods running on the cluster to access your Workload's Pods
-
Allow all traffic to the Pods of a Workload
Deny all
and Allow all
we don't need to explain right?
The Ingress Network Policies in APL rely on Pod labels. We require that a single label covers Pods for a given workload. We recommend to use the otomi.io/app: <workload-name>
label.
To allow other Workloads in the cluster to access your Workload's Pods, follow these steps:
-
Navigate to the
Network Policies
page in the APL Console and clickCreate Netpol
. -
Name the network policy and select the
ingress
rule type. -
Add the selector label name and value for the Workload Pods to be accessed. E.g.: use the
otomi.io/app
label. -
Select either
AllowAll
orAllowOnly
mode. -
If you select
AllowOnly
, specify the namespace (e.g.,team-labs
), and the selector label name and value for the Workload Pods to be accessed. -
Add more rules if needed.
Understanding Egress Network Policies
The egress network policies allow you to:
-
Deny all traffic from the Pods of a Workload (default)
-
Allow all Pods within a namespace to access external FQDNs or IPs through an egress rule
To allow your Workload's Pods to access external FQDNs or IPs, follow these steps:
-
Navigate to the
Network Policies
page in the APL Console and clickCreate Netpol
. -
Name the network policy and select the
egress
rule type. -
Add the FQDN or IP to be accessed.
-
Add port number(s) and protocol if needed.
The egress rules are namespace wide. You cannot bind an egress policy to one Workload only.
Setting Up Network Policies for the Example Voting App: An Ingress Example
Build Images for the Application
Build the Vote
, Worker
and Result
images from this repo. Use the Build feature in APL to build the images with mode: Docker
. Set the path
to ./vote/Dockerfile
for the Vote image (and ./worker/Dockerfile
for the Worker and ./result/Dockerfile
for Result).
Create a Redis Cluster and a PostgreSQL Database
Use the postgresql
and the redis
charts from the Catalog to create a Redis master-replica cluster and a PostgreSQL database. For this lab, Redis authentication needs to be turned off by setting auth.enabled=false
.
Deploy the Vote App
Use the k8s-deployment
chart to deploy the vote app. Use the following values:
Name: vote
containerPorts:
- name: http
containerPort: 80
protocol: TCP
env:
- name: REDIS_HOST
value: <redis-cluster-name>-master
Deploy the Worker App
Use the k8s-deployment
chart to deploy the worker app. Use the following values:
Name: worker
containerPorts:
- name: http
containerPort: 80
protocol: TCP
env:
- name: DATABASE_USER
valueFrom:
secretKeyRef:
name: <psql-cluster-name>-app
key: username
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: <psql-cluster-name>-app
key: password
- name: REDIS_HOST
value: <redis-cluster-name>-master
- name: DATABASE_HOST
value: <psql-cluster-name>-rw
Deploy the Result App
Use the k8s-deployment
chart to deploy the result app. Use the following values:
Name: result
containerPorts:
- name: http
containerPort: 80
protocol: TCP
env:
- name: DATABASE_USER
valueFrom:
secretKeyRef:
name: <psql-cluster-name>-app
key: username
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: <psql-cluster-name>-app
key: password
- name: DATABASE_HOST
value: <psql-cluster-name>-rw
Register Services for Exposure
Vote
- Register the
vote
service. - Set exposure to
External
.
Result
- Register the
<result>
service. - Set exposure to
External
.
Create the Network Policies for the Example Voting App
Postgres Database
-
Create a new
Netpol
and select theingress
rule type. -
Add the selector label name
otomi.io/app
. -
Add the selector label value
<postgres-workload-name>
. -
Select
AllowOnly
. -
Add the namespace
<team-name>
, the selector label nameotomi.io/app
and the selector label value<worker>
. -
Add the namespace
<team-name>
, the selector label nameotomi.io/app
and the selector label value<result>
.
Redis
-
Create a new
Netpol
and select theingress
rule type. -
Add the selector label name
otomi.io/app
. -
Add the selector label value
<redis-workload-name>
. -
Select
AllowOnly
. -
Add the namespace
<team-name>
, the selector label nameotomi.io/app
and the selector label value<worker>
. -
Add the namespace
<team-name>
, the selector label nameotomi.io/app
and the selector label value<vote>
.
Test the Voting App
-
Go to the external URL of the
vote
application. -
Click on
Cats
orDogs
. -
Now go to the external URL of the
result
application. -
You should see the result of your vote.
Setting Up Network Policies for apl-docs.net: An Egress Example
Register the Network Policy for apl-docs.net
-
Navigate to the
Network Policies
page in the APL Console and clickCreate Netpol
. -
Name the network policy
apl-docs
and select theegress
rule type. -
Add the FQDN
apl-docs.net
to be accessed. -
Add port number
443
and protocolHTTPS
.
Deploy Netshoot Pod
Deploy a Netshoot pod in your namespace within your Kubernetes cluster. You can do this using kubectl command:
kubectl run -i --tty --rm netshoot --image nicolaka/netshoot -n team-labs
The Netshoot pod is a network troubleshooting tool that includes a lot of network tools like curl
, dig
, nslookup
, ping
, traceroute
, etc.
Test the Egress Network Policy
- Run the following command in the Netshoot pod:
curl https://apl-docs.net
You should see the HTML of the apl-docs.net website
- Run the following command to see the
<h1>Build, Deploy and Run applications at scale</h1>
message:
curl https://apl-docs.net | grep -o '<h1>.*</h1>'
- Type
exit
to exit the Netshoot pod.
When you exit the Netshoot pod, it will be removed from the cluster.