Network policies in Kubernetes using Calico
1 like640 views
This document discusses network policies in Kubernetes using Calico. It provides an overview of what network policies are, who provides them with a focus on Calico, and how to install Calico on a Kubernetes cluster. Key points include: 1) Network policies specify permissible traffic to, from, and between pods using labels and default to blocking all traffic if no policies exist. 2) Calico is an open source solution that enables networking for workloads across clouds, containers, VMs and bare metal at the L3 network layer. 3) Installation of Calico on Kubernetes involves applying a YAML file to install Calico nodes, policies, and controllers in the kube-system namespace.
Network policies in Kubernetes using Calico
- 1. Network policies in Kubernetes using Calico Suraj Narwade
- 2. $ whoami ● Works at Red Hat ● Contributes to Kompose, Kedge, Libcompose ● Plays with Kubernetes, OpenShift & Alexa ● Tweets at @red_suraj ● Code at @surajnarwade ● Write at http://suraj.pro ● One of the Event Host here :)
- 3. Disclaimer /me is still newbie with Networking stuff :D /me is not op guy but golang dev
- 10. Network Policy comes to Rescue
- 11. What is Network Policy ? A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. (By default, if no policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace.)
- 12. Network Policies ● These policies are firewall rules that specify permissible types of traffic to, from and between pods. If requested, Kubernetes blocks all traffic that is not explicitly allowed. ● Policies are applied to groups of pods identified by common labels.
- 13. Who Provides Network Policies ? ● Calico ● Cilium ● Kube-router ● Romana ● Weave Net
- 14. Someone will ask, why not flannel ? https://github.com/projectcalico/canal https://thenewstack.io/project-calico-flannel-join-forces-policy-secured-networking/
- 15. Quick introduction to calico ● OpenSource ● Enables Networking of Workloads in Cloud Environment ● User need not to be networking expert ● Scale Thousand of workloads ● L3 level ● Containers, VMs, bare metal
- 17. It will install... ● A ConfigMap which contains the Calico configuration. ● A DaemonSet which installs the calico/node pod and CNI plugin. ● A ReplicaSet which installs the calico/kube-policy-controller pod. In kube-system namespace
- 18. Default deny apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny spec: podSelector: {} policyTypes: - Ingress
- 19. kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: access-nginx spec: podSelector: matchLabels: app: nginx ingress: - from: - podSelector: matchLabels: app: foo
- 20. You can use ● PodSelector ● NameSpaceSelector ● IP ranges with CIDR
- 24. Thank You !!!