From 8c33716c461abd63362d2c10bf7c04f86f1ca97c Mon Sep 17 00:00:00 2001
From: Thomas Geiger
Date: Wed, 3 Jul 2024 18:11:02 +0200
Subject: [PATCH] change dir for manifest and adopt demo md
---
 DEMO.md | 110 ++++++++++++++----
 .../{app-namespace.yml => app-namespace.yaml} | 0
 ...deployment.yml => backend-deployment.yaml} | 1 +
 ...ckend-service.yml => backend-service.yaml} | 1 +
 ...demo-namespace.yml => demo-namespace.yaml} | 0
 deployment/{demo-pod.yml => demo-pod.yaml} | 0
 ...eployment.yml => frontend-deployment.yaml} | 1 +
 ...tend-service.yml => frontend-service.yaml} | 1 +
 ...ikube.yml => metallb-config-minikube.yaml} | 0
 ...network-policy.yml => network-policy.yaml} | 1 +
 10 files changed, 91 insertions(+), 24 deletions(-)
 rename deployment/{app-namespace.yml => app-namespace.yaml} (100%)
 rename deployment/{backend-deployment.yml => backend-deployment.yaml} (93%)
 rename deployment/{backend-service.yml => backend-service.yaml} (87%)
 rename deployment/{demo-namespace.yml => demo-namespace.yaml} (100%)
 rename deployment/{demo-pod.yml => demo-pod.yaml} (100%)
 rename deployment/{frontend-deployment.yml => frontend-deployment.yaml} (92%)
 rename deployment/{frontend-service.yml => frontend-service.yaml} (87%)
 rename deployment/{metallb-config-minikube.yml => metallb-config-minikube.yaml} (100%)
 rename deployment/{network-policy.yml => network-policy.yaml} (95%)
diff --git a/DEMO.md b/DEMO.md
index 503256f..4eb490f 100644
--- a/DEMO.md
+++ b/DEMO.md
@@ -217,39 +217,54 @@ cd your-repo kubectl apply -f deployment/frontend-deployment.yaml kubectl apply -f deployment/frontend-service.yaml ``` +## Demo Kubernetes Services -#### Network Policy +### Demo Service Plugin (kube-proxy) -1. **Create `network-policy.yaml`**: +1. **Get the Cluster IP and End Point Adresses**: - ```yaml - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-frontend-to-backend - spec: - podSelector: - matchLabels: - app: backend - policyTypes: - - Ingress - ingress: - - from: - podSelector: - matchLabels: - app: frontend - ports: - - protocol: TCP - port: 80 + ```bash + # Get Kubernetes Service + docker@minikube:~$ kubectl get svc + + # Get the endpoints + docker@minikube:~$ kubectl get ep ``` +2. **Get the prerouting Rule for KUBE-SERVICE**: -2. **Apply Network Policy**: + ```bash + docker@minikube:~$ sudo iptables -t nat -L KUBE-SERVICES + Chain KUBE-SERVICES (2 references) + target prot opt source destination + KUBE-SVC-NPX46M4PTMTKRN6Y tcp -- anywhere 10.96.0.1 /* default/kubernetes:https cluster IP */ tcp dpt:https + KUBE-SVC-TCOU7JCQXEZGVUNU udp -- anywhere 10.96.0.10 /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain + KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- anywhere 10.96.0.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain + KUBE-SVC-JD5MR3NA4I4DYORP tcp -- anywhere 10.96.0.10 /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153 + KUBE-SVC-6YNYFUIKGNIA7RFX tcp -- anywhere 10.108.198.28 /* demo-cni-app/flask-api-service cluster IP */ tcp dpt:http + KUBE-NODEPORTS all -- anywhere anywhere /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL + ``` + +3. 
**Get the NAT Rule for ClusterIP**: ```bash - kubectl apply -f deployment/network-policy.yaml + docker@minikube:~$ sudo iptables -t nat -L KUBE-SVC-6YNYFUIKGNIA7RFX + Chain KUBE-SVC-6YNYFUIKGNIA7RFX (1 references) + target prot opt source destination + KUBE-MARK-MASQ tcp -- !10.244.0.0/16 10.108.198.28 /* demo-cni-app/flask-api-service cluster IP */ tcp dpt:http + KUBE-SEP-J7YQFRES3OILODCJ all -- anywhere anywhere /* demo-cni-app/flask-api-service -> 10.244.0.3:80 */ + ``` +4. **Get the Rule for the Service End Point**: + + ```bash + docker@minikube:~$ sudo iptables -t nat -L KUBE-SEP-J7YQFRES3OILODCJ + Chain KUBE-SEP-J7YQFRES3OILODCJ (1 references) + target prot opt source destination + KUBE-MARK-MASQ all -- 10.244.0.3 anywhere /* demo-cni-app/flask-api-service */ + DNAT tcp -- anywhere anywhere /* demo-cni-app/flask-api-service */ tcp to:10.244.0.3:80 ``` -#### Demo Pod for Verification +### Demo Network Policy (CNI) +In this Demo we will work with Network Policy and how Network Policy effects traffic between Pods 1. **Create `demo-pod.yaml`**: 
@@ -277,6 +292,53 @@ cd your-repo kubectl apply -f deployment/demo-pod.yaml ``` +3. **Test from demo pod without policy**: + + Execute a shell inside the demo pod to test connectivity to the backend service: + + ```bash + kubectl exec -it demo-pod -n demo-namespace -- sh + ``` + + Inside the shell, try to connect to the backend service: + + ```sh + wget -qO- http://flask-api-service.default.svc.cluster.local/api + ``` + + You should see that the connection is succesfull + +3. **Create `network-policy.yaml`**: + + ```yaml + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-frontend-to-backend + spec: + podSelector: + matchLabels: + app: backend + policyTypes: + - Ingress + ingress: + - from: + podSelector: + matchLabels: + app: frontend + ports: + - protocol: TCP + port: 80 + ``` + +2. **Apply Network Policy**: + + ```bash + kubectl apply -f deployment/network-policy.yaml + ``` + + + ## Verify Network Policy 1. **Test from Demo Pod**:
diff --git a/deployment/app-namespace.yml b/deployment/app-namespace.yaml
similarity index 100%
rename from deployment/app-namespace.yml
rename to deployment/app-namespace.yaml
diff --git a/deployment/backend-deployment.yml b/deployment/backend-deployment.yaml
similarity index 93%
rename from deployment/backend-deployment.yml
rename to deployment/backend-deployment.yaml
index a424910..10e20e6 100644
--- a/deployment/backend-deployment.yml
+++ b/deployment/backend-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: flask-api
+ namespace: demo-cni-app
 spec:
 replicas: 1
 selector:
diff --git a/deployment/backend-service.yml b/deployment/backend-service.yaml
similarity index 87%
rename from deployment/backend-service.yml
rename to deployment/backend-service.yaml
index e6c30a3..c95b399 100644
--- a/deployment/backend-service.yml
+++ b/deployment/backend-service.yaml
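Review bot: The Deployment now hard-codes `namespace: demo-cni-app`, but nothing in this patch shows that Namespace being created — `deployment/app-namespace.yaml` is only renamed at 100% similarity and its contents are not visible here — so please confirm it defines `demo-cni-app` and that DEMO.md applies it before these manifests, otherwise `kubectl apply` fails with a missing-namespace error. The same line is added in backend-service.yaml, frontend-deployment.yaml, frontend-service.yaml and network-policy.yaml, so the check applies to all five. Once `metadata.namespace` is set in the file, `kubectl apply -n <other-namespace>` rejects the object with a namespace-mismatch error, which is worth one sentence in DEMO.md. The Deployment's selector and pod template labels lie outside the hunk.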
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: flask-api-service
+ namespace: demo-cni-app
 spec:
 selector:
 app: flask-api
diff --git a/deployment/demo-namespace.yml b/deployment/demo-namespace.yaml
similarity index 100%
rename from deployment/demo-namespace.yml
rename to deployment/demo-namespace.yaml
diff --git a/deployment/demo-pod.yml b/deployment/demo-pod.yaml
similarity index 100%
rename from deployment/demo-pod.yml
rename to deployment/demo-pod.yaml
diff --git a/deployment/frontend-deployment.yml b/deployment/frontend-deployment.yaml
similarity index 92%
rename from deployment/frontend-deployment.yml
rename to deployment/frontend-deployment.yaml
index 5297a54..5516e23 100644
--- a/deployment/frontend-deployment.yml
+++ b/deployment/frontend-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: frontend
+ namespace: demo-cni-app
 spec:
 replicas: 1
 selector:
diff --git a/deployment/frontend-service.yml b/deployment/frontend-service.yaml
similarity index 87%
rename from deployment/frontend-service.yml
rename to deployment/frontend-service.yaml
index cd15d81..9852cbb 100644
--- a/deployment/frontend-service.yml
+++ b/deployment/frontend-service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: frontend-service
+ namespace: demo-cni-app
 spec:
 selector:
 app: frontend
diff --git a/deployment/metallb-config-minikube.yml b/deployment/metallb-config-minikube.yaml
similarity index 100%
rename from deployment/metallb-config-minikube.yml
rename to deployment/metallb-config-minikube.yaml
diff --git a/deployment/network-policy.yml b/deployment/network-policy.yaml
similarity index 95%
rename from deployment/network-policy.yml
rename to deployment/network-policy.yaml
index 764f8ea..1af6fbd 100644
--- a/deployment/network-policy.yml
+++ b/deployment/network-policy.yaml
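Review bot: Moving `flask-api-service` into `demo-cni-app` changes its in-cluster DNS name, yet the DEMO.md hunk in this same patch still has the demo pod fetch `http://flask-api-service.default.svc.cluster.local/api`; from `demo-namespace` that name only resolves if a Service of that name exists in `default`, so the "without policy" step fails before any policy is involved and the demo cannot show the policy's effect. The URL should read `http://flask-api-service.demo-cni-app.svc.cluster.local/api`, which also matches the `demo-cni-app/flask-api-service` comments in the iptables output DEMO.md now reproduces. The Service's port block is outside the hunk.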
@@ -2,6 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: allow-frontend-to-backend
+ namespace: demo-cni-app
 spec:
 podSelector:
 matchLabels:
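Review bot: The `podSelector.matchLabels` value falls just outside this hunk, but the copy of this manifest that DEMO.md adds in the same patch selects `app: backend`, whereas backend-service.yaml selects the backend pods with `app: flask-api`; if the file uses `app: backend` as well, the policy selects no pods, the backend stays reachable from every namespace, and the "Verify Network Policy" step shows nothing being blocked. Confirm the selector matches the backend pod template labels (also outside this hunk), e.g. `app: flask-api`. The DEMO.md copy also appears to write `from:` followed by `podSelector:` with no list dash (`- podSelector:`), which the API server rejects for `ingress[].from`, so it is worth checking the file itself has the dash. A comment such as `# no namespaceSelector: only app=frontend pods inside demo-cni-app may reach the backend, so demo-pod in demo-namespace is denied` would make the expected outcome explicit, and DEMO.md should state that the policy is enforced only when the cluster's CNI implements NetworkPolicy, since the API server accepts the object either way.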