This is a brief guide on how to deploy pm-mapper in a Docker environment and how to configure filters in pm-mapper.
Prerequisite
- Docker
- make
- bash
- Linux (Ubuntu 18+)
Installation
Clone the pm-mapper repo from ONAP Gerrit:
git clone "https://gerrit.onap.org/r/dcaegen2/services/pm-mapper"
go to sub-directory:
cd tools/development
Install dmaap-dr, cbs, consul, files-publisher and dmaap-mr:
make setup-local
install pm-mapper:
make run-pm-mapper
After successful installation, we should see the docker containers:
Config dmaap
Configure dmaap-dr to create a feed for pm-mapper to subscribe to:
make config-dmaap
Subscribe to dmaap-dr feed
config dmaap to create a feed for pm-mapper to subscribe:
make subscribe-pm-mapper
List files in container files-publisher
files-publisher is a micro-service designed for test/demo purposes; it has some prepared files to publish to dmaap-dr:
make list-files
In a real ONAP instance, files-publisher is replaced by Data-File-Collector.
Publish file to dmaap-dr
In the same sub-directory, there are two scripts to do this:
send-meas-collec.sh & send-meas-data.sh
We can pick one file from the list above, e.g.:
./send-meas-collec.sh A20181002.0000-1000-0015-1000_5G.xml.gz
Configure filters
Clean env
clean env
make clean-env
Now that we have a network plugin enabled in the k8s cluster, we can apply a network policy to NONRTRIC.
Deploy NONRTRIC
kubectl apply -f https://raw.githubusercontent.com/yanhuanwang/k8s/master/statefulset/nosdnc.yml
After deployment, you should be able to see that the nonrtric services/pods are up and running:
Pay attention to the labels above; in this demo we will use labels to define the network-policy rules.
Apply network-policy
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: nonrtric
spec:
  podSelector:
    matchLabels:
      app: a1-sim
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: policy-agent-container
  - from:
    - podSelector:
        matchLabels:
          app: a1-sim
EOF
The example policy above applies a rule to endpoints with the label "a1-sim"; it only allows traffic coming from pods labeled "policy-agent-container" or "a1-sim".
Feel free to change the labels and apply it.
After successfully applying the policy above, we log in to the pod "policy-agent-container-xxxxxx" with the command:
kubectl -n nonrtric exec -it policy-agent-container-78d6b988c9-jnw42 -- sh
curl a1-interface-osc-0.a1-sim
We should be able to see:
If we update the labels in the above policy, for example:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: nonrtric
spec:
  podSelector:
    matchLabels:
      app: a1-sim
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: policy-xxxx-container
  - from:
    - podSelector:
        matchLabels:
          app: a1-sim
EOF
After applying this changed policy, we can no longer access "a1-sim" endpoints from "policy-agent-container" because the labels do not match.
The curl/ping commands can no longer reach "a1-sim".
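The label matching described above can be checked offline before applying a policy. The following is an added example, not part of the original page or of the NONRTRIC project: a small Python model of NetworkPolicy ingress evaluation, run against both versions of test-network-policy. The pod label values and the `OUTSIDER` pod are constructed assumptions, and only bare podSelector peers (the only kind used on this page) are modelled.

```python
# Added example: minimal model of NetworkPolicy ingress matching.
# Assumption: only bare podSelector/matchLabels peers are modelled.

def labels_match(selector, labels):
    """matchLabels semantics: every selector key/value must be on the pod."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, src, dst):
    """Return True if traffic from pod src to pod dst is admitted."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and labels_match(p["spec"]["podSelector"], dst["labels"])
    ]
    if not selecting:
        return True  # a pod selected by no policy accepts all ingress
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            if "from" not in rule:
                return True  # a rule without 'from' admits every source
            for peer in rule["from"]:
                # A bare podSelector peer matches only pods in the policy's namespace.
                if (src["namespace"] == p["metadata"]["namespace"]
                        and labels_match(peer.get("podSelector", {}), src["labels"])):
                    return True
    return False

def make_policy(client_label):
    """The page's test-network-policy; the first allowed label is a parameter."""
    return {
        "metadata": {"name": "test-network-policy", "namespace": "nonrtric"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "a1-sim"}},
            "policyTypes": ["Ingress"],
            "ingress": [
                {"from": [{"podSelector": {"matchLabels": {"app": client_label}}}]},
                {"from": [{"podSelector": {"matchLabels": {"app": "a1-sim"}}}]},
            ],
        },
    }

# Constructed pods; label values are assumed from the policy text.
AGENT = {"namespace": "nonrtric", "labels": {"app": "policy-agent-container"}}
A1_SIM = {"namespace": "nonrtric", "labels": {"app": "a1-sim"}}
OUTSIDER = {"namespace": "default", "labels": {"app": "policy-agent-container"}}

if __name__ == "__main__":
    for label in ("policy-agent-container", "policy-xxxx-container"):
        print(label, ingress_allowed([make_policy(label)], AGENT, A1_SIM))
```

The `OUTSIDER` case shows that a pod carrying the right label in a different namespace is still rejected, because the policy's peers have no namespaceSelector.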