...
```
make clean-env
```
Now that the network plugin is enabled in the k8s cluster, we can apply network policies to NONRTRIC.
Deploy NONRTRIC
```
kubectl apply -f https://raw.githubusercontent.com/yanhuanwang/k8s/master/statefulset/nosdnc.yml
```
After deployment, you should see the NONRTRIC services and pods up and running.
Pay attention to the pod labels in that output; in this demo we use labels to define the network-policy rules.
Apply network-policy
```
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: nonrtric
spec:
  podSelector:
    matchLabels:
      app: a1-sim
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: policy-agent-container
  - from:
    - podSelector:
        matchLabels:
          app: a1-sim
EOF
```
The example policy above applies an ingress rule to the endpoints labelled "a1-sim": only traffic coming from pods labelled "policy-agent-container" or "a1-sim" is allowed in.
Feel free to change the labels and apply it.
After successfully applying the policy above, we log in to the pod "policy-agent-container-xxxxxx" with the following commands:
```
kubectl -n nonrtric exec -it policy-agent-container-78d6b988c9-jnw42 -- sh
curl a1-interface-osc-0.a1-sim
```
We should be able to see the response from "a1-sim".
If we update the labels in the above policy, for example:
```
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: nonrtric
spec:
  podSelector:
    matchLabels:
      app: a1-sim
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: policy-xxxx-container
  - from:
    - podSelector:
        matchLabels:
          app: a1-sim
EOF
```
After applying this changed policy, "policy-agent-container" can no longer access the "a1-sim" endpoints because its label no longer matches any `from` entry of the rule.
curl and ping from "policy-agent-container" can no longer reach "a1-sim".
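To make the label matching behind both policies explicit, here is a small added example (not code from the original page or from the NONRTRIC project) that models how Kubernetes decides whether ingress traffic is allowed: a pod selected by a policy only accepts traffic that matches at least one `from` entry (entries are OR'ed), and a pod selected by no policy accepts everything. The policy dicts mirror the two YAML documents above; the pod names other than the two on the page and all label sets are constructed for the example, and only same-namespace `podSelector` peers are modelled (no `namespaceSelector`, `ipBlock` or ports).

```python
# Added example: a simplified model of Kubernetes NetworkPolicy ingress
# evaluation, used to reason about the two policies shown on this page.
# Pod labels and the extra pod names below are constructed, not read from
# a live cluster.
from typing import Dict, List

Labels = Dict[str, str]

# Constructed pod label sets mirroring the NONRTRIC demo deployment.
PODS: Dict[str, Labels] = {
    "policy-agent-container-78d6b988c9-jnw42": {"app": "policy-agent-container"},
    "a1-interface-osc-0": {"app": "a1-sim"},
    "a1-sim-peer-constructed": {"app": "a1-sim"},      # constructed name
    "unrelated-pod-constructed": {"app": "unrelated"},  # constructed name
}


def matches(selector: dict, labels: Labels) -> bool:
    """matchLabels semantics: every key/value in the selector must be present.
    An empty selector ({}) selects everything, as in Kubernetes."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def ingress_allowed(policies: List[dict], src: Labels, dst: Labels) -> bool:
    """True if a pod labelled `src` may send to a pod labelled `dst`.

    Rules modelled:
      * a destination selected by no Ingress policy accepts all traffic;
      * once selected, traffic must match at least one `from` entry of at
        least one selecting policy (entries are OR'ed);
      * a selecting policy whose `from` entries all fail to match denies,
        i.e. selection alone is deny-by-default.
    """
    selecting = [
        p for p in policies
        if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and matches(p["spec"]["podSelector"], dst)
    ]
    if not selecting:
        return True  # nothing selects the destination: open
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            for peer in rule.get("from", []):
                if "podSelector" in peer and matches(peer["podSelector"], src):
                    return True
    return False


def make_policy(allowed_app: str) -> dict:
    """Build the page's test-network-policy; `allowed_app` is the label of
    the first `from` entry ("policy-agent-container" in the first policy,
    "policy-xxxx-container" in the changed one)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "test-network-policy", "namespace": "nonrtric"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "a1-sim"}},
            "policyTypes": ["Ingress"],
            "ingress": [
                {"from": [{"podSelector": {"matchLabels": {"app": allowed_app}}}]},
                {"from": [{"podSelector": {"matchLabels": {"app": "a1-sim"}}}]},
            ],
        },
    }


ORIGINAL_POLICY = make_policy("policy-agent-container")
CHANGED_POLICY = make_policy("policy-xxxx-container")


def can_reach(policy: dict, src_pod: str, dst_pod: str) -> bool:
    """Evaluate one policy for a named source and destination pod."""
    return ingress_allowed([policy], PODS[src_pod], PODS[dst_pod])


if __name__ == "__main__":
    agent, sim = "policy-agent-container-78d6b988c9-jnw42", "a1-interface-osc-0"
    print("original policy, agent -> a1-sim:", can_reach(ORIGINAL_POLICY, agent, sim))
    print("changed policy,  agent -> a1-sim:", can_reach(CHANGED_POLICY, agent, sim))
    print("changed policy,  a1-sim -> a1-sim:",
          can_reach(CHANGED_POLICY, "a1-sim-peer-constructed", sim))
    print("changed policy,  agent -> unselected pod:",
          can_reach(CHANGED_POLICY, agent, "unrelated-pod-constructed"))
```

Running it shows why the first policy lets the curl from the policy agent through while the changed one blocks it: the destination is still selected by `app: a1-sim`, but no `from` entry matches `app: policy-agent-container` any more, so the deny-by-default of a selected pod applies. The last line also illustrates the other half of the semantics: pods that no policy selects stay fully open, which is why a default-deny policy per namespace is normally the first policy a practitioner writes.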