Calico and simple policy
Download as PPT, PDF0 likes662 views
Project Calico is an open source networking and security solution that implements network policy for Kubernetes clusters. It uses layer 3 networking and supports defining network policies with fine-grained control over which connections are allowed between pods. This document discusses using Calico's implementation of the Kubernetes NetworkPolicy API to demonstrate a simple network policy that allows access to nginx pods in a namespace only from a designated access pod, while otherwise isolating pods in that namespace by default.
Calico and simple policy
- 2. “Project Calico is the world's simplest, most scalable, open networking solution for OpenStack”. Calico, a pure layer3 approach to Virtual Networking for highly scalable & flexible Data centers. It is a open-source technology, that implements large, standards-based cloud data center infrastructures Calico supports rich and flexible network policy that enforces on every node in a cluster, to provide tenant isolation, security groups, and external reachability constraints.
- 5. We will discuss on the overview of Simple Policy Demo. Lastime, we discussed Star Policy here: https://www.slideshare.net/anir37/calico-and-stars-policy
- 7. It includes demo try out Kubernetes NetworkPolicy with Calico, as well as a client service for all running on Kubernetes. It requires a Kubernetes cluster configured with Calico networking, and expects that you have kubectl configured to interact with the cluster.
- 8. We need to install Kubernetes in the system which includes Network Policy API. We need to get the following thing: Calico and then need to get into star-policy directory of Calico
- 9. 1) We need to create some nginx pods in the policy-demo Namespace, and expose them through a Service.: 2) Also we need to ensure the nginx service is accessible:
- 10. Enable isolation: Now this is the important part…. let’s turn on isolation in our policy-demo Namespace which will then prevent connections to pods in this Namespace. We will now run the command that creates a NetworkPolicy which implements a default deny behavior for all pods in the policy-demo Namespace.
- 11. Allow Access using a NetworkPolicy : Now, let’s enable access to the nginx Service using a NetworkPolicy. This will allow incoming connections from our access Pod, but not from anywhere else. We need to now create a network policy access-nginx with the following contents:
- 12. That’s it! We should now be able to access the Service from the access Pod.
- 13. We can remove the policy using following: As you can see, this is just a simple example of the Kubernetes NetworkPolicy API and how Calico can secure your Kubernetes cluster.
- 14. In next slides, we will discuss the overview on other policy demo. Lets share our knowledge and effort on community so that the Calico community grows.
- 15. For more information visit https://www.projectcalico.org/ https://docs.projectcalico.org/v2.6/introduction/ https://blog.tigera.io/tagged/calico