
Kubernetes network policy example with Calico

Article ID: KB000950

Introduction

In this article you will find a brief example of how to use Kubernetes network policies with Calico, the default Kubernetes network plugin in Docker EE.

For the purposes of this article, ingress and egress are defined as follows:

  • Ingress traffic is the inbound network traffic to pods in the cluster.
  • Egress traffic is the outbound network traffic originating from pods in the cluster.

Prerequisites

Example

To block all pods from accessing an IP address

  1. On the manager node where you have configured calicoctl (per the prerequisites above), create a default egress policy to permit all egress traffic in the file egress-allow-all.yaml with the following contents:

    apiVersion: projectcalico.org/v3
    kind: GlobalNetworkPolicy
    metadata:
      name: default-allow-everything
    spec:
      order: 5000
      egress:
      - action: Allow
    

    Apply this policy using calicoctl:

    calicoctl create -f - < egress-allow-all.yaml
    
  2. On the manager node create an egress policy to deny traffic to an IP address (8.8.8.8 in this example), in the file egress-deny-8-8-8-8.yaml:

    apiVersion: projectcalico.org/v3
    kind: GlobalNetworkPolicy
    metadata:
      name: default-deny-egress
    spec:
      order: 1000
      types:
      - Egress
      egress:
      - action: Deny
        destination:
          nets:
          - 8.8.8.8/32
        source: {}
    

    Apply this policy using calicoctl:

    calicoctl create -f - < egress-deny-8-8-8-8.yaml
    
  3. Verify that pods within the cluster are unable to reach the IP 8.8.8.8. With a UCP Client Bundle sourced, you can do this by running a pod with an interactive shell and comparing the result of a ping to 8.8.4.4 with a ping to 8.8.8.8, as below:

    $ kubectl run --rm -i --tty busybox --image=busybox -- sh
    /# ping 8.8.4.4
    PING 8.8.4.4 (8.8.4.4): 56 data bytes
    64 bytes from 8.8.4.4: seq=0 ttl=113 time=0.907 ms
    64 bytes from 8.8.4.4: seq=1 ttl=113 time=0.862 ms
    ^C
    --- 8.8.4.4 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 1.022/1.022/1.022/0.000 ms
    /# ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ^C
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms
    /# exit
    
  4. Delete these test policies:

    sudo calicoctl delete globalnetworkpolicy default-allow-everything
    sudo calicoctl delete globalnetworkpolicy default-deny-egress
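The reason the deny policy at order 1000 wins over the allow-everything policy at order 5000 is that Calico evaluates policies in ascending order and applies the first matching rule. The following added example (not part of this article or of Calico itself) simulates that evaluation over the two manifests above, modelled as Python dicts, and shows that swapping the orders silently re-opens the blocked address; only the `nets`/`notNets` destination selectors are modelled, which is an assumption of this simplified simulator.

```python
"""Simulate Calico's ascending-order, first-match policy evaluation."""
import ipaddress

# Constructed from the two GlobalNetworkPolicy manifests in this article.
# Keys mirror the YAML; the full Calico schema is not modelled (assumption).
POLICIES = [
    {"name": "default-allow-everything", "order": 5000,
     "egress": [{"action": "Allow"}]},
    {"name": "default-deny-egress", "order": 1000, "types": ["Egress"],
     "egress": [{"action": "Deny",
                 "destination": {"nets": ["8.8.8.8/32"]},
                 "source": {}}]},
]


def _rule_matches(rule, dst):
    """A rule matches when every destination selector it names holds for dst.
    Missing or empty selectors (e.g. `source: {}`) match everything."""
    dest = rule.get("destination", {})
    nets = [ipaddress.ip_network(n) for n in dest.get("nets", [])]
    if nets and not any(dst in n for n in nets):
        return False
    not_nets = [ipaddress.ip_network(n) for n in dest.get("notNets", [])]
    if any(dst in n for n in not_nets):
        return False
    return True


def egress_verdict(policies, dst_ip):
    """Return (action, policy_name) for a pod sending to dst_ip.

    Policies are walked in ascending `order`; the first matching rule's
    action is the verdict. If policies apply but no rule matches, Calico
    drops the traffic, so the fallback here is an implicit Deny.
    """
    dst = ipaddress.ip_address(dst_ip)
    for pol in sorted(policies, key=lambda p: p["order"]):
        for rule in pol.get("egress", []):
            if _rule_matches(rule, dst):
                return rule["action"], pol["name"]
    return "Deny", "implicit-default"


if __name__ == "__main__":
    for ip in ("8.8.8.8", "8.8.4.4"):
        print(ip, egress_verdict(POLICIES, ip))
    # Moving the deny policy to order 6000 puts it behind the allow-all
    # policy, so 8.8.8.8 becomes reachable again: order is the control.
    misordered = [dict(p, order=6000) if p["name"] == "default-deny-egress"
                  else p for p in POLICIES]
    print("misordered", egress_verdict(misordered, "8.8.8.8"))
```

Run it to see why step 3 above shows 8.8.4.4 answering and 8.8.8.8 timing out, and what would happen if the deny policy's order were raised above the allow policy's.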

Calicoctl commands

Viewing policies

You can view Calico network policies previously created in your cluster with the following command, specifying the policy type and name:

calicoctl get policytype policyname

For example:

calicoctl get globalnetworkpolicy

calicoctl get globalnetworkpolicy default-allow-everything

Creating policies

To create a policy, write the policy definition in a YAML file and apply it with the following command:

calicoctl create -f - < yamlfile

Deleting policies

If you have the YAML definition file for a policy, you can delete the policy with the following command:

calicoctl delete -f - < yamlfile

In the absence of the YAML definition, you can delete a policy by reference to the type of policy and its name:

calicoctl delete policytype policyname

More information

A tutorial on the use of Calico network policy can be found on the Calico website.

Network policies with kubectl

Network policies can also be configured in a Docker EE cluster using kubectl, with a UCP Client Bundle sourced.

The YAML syntax is different, and these policies use an order number higher than 1000. Because Calico evaluates policies in ascending order, Calico network policies created with calicoctl take precedence over network policies created via kubectl.

More information on managing network policies via kubectl is available within the Kubernetes documentation.
