What are Network Policies?

If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes Network Policies for particular applications in your cluster.

NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network “entities” (we use the word “entity” here to avoid overloading the more common terms such as “endpoints” and “services”, which have specific Kubernetes connotations) over the network.

Why WEAVE NET?

The Weave Net addon for Kubernetes comes with a Network Policy Controller that automatically monitors Kubernetes for any NetworkPolicy annotations on all namespaces and configures iptables rules to allow or block traffic as directed by the policies.

Now let’s go and follow the steps below to achieve the plan:

Step 1) Set up a Master Node with two Worker Nodes

  • I assume you already know how to launch EC2 instances in AWS; otherwise I will direct you to ⇒ How to launch ec2_instances_in_AWS
  • While launching the EC2 instances, use my default AMI, which contains a pre-built setup of Docker, Kubelet, Kubeadm & some configuration required before administering the nodes as a Master or Worker Node; or you can refer to one of my previous write-ups on it ⇒ Setup_Multi_nodes_in_Kubernetes && Official Documentation
(Screenshot: launching the AMI in AWS)
  • After launching, you can see my instances have started:
(Screenshot: instances ready)
  • For easier access at the command line, I will log in to the EC2 instances from my local machine with ssh 😁

Step 2) Initialize the Master Node as follows:

  • sudo kubeadm init phase certs all
  • sudo kubeadm init phase kubeconfig all
  • sudo kubeadm init phase control-plane all --pod-network-cidr 10.244.0.0/16
  • sudo kubeadm init --skip-phases=certs,kubeconfig,control-plane --ignore-preflight-errors=all --pod-network-cidr 10.244.0.0/16
  • At the end of the last command above you will see the following output:

The docs for initializing a node with kubeadm are:

https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/ and https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/

  • From the previous output, our Kubernetes control plane has been initialized successfully, so now we will start using the cluster:

mkdir -p $HOME/.kube

sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

sudo chown $(id -u):$(id -g) $HOME/.kube/config

And running “kubectl get nodes” you will see that our Master Node is set up.

Step 3) Set up Worker node1 and node2 to join the Master Node:

  • First log in to Worker Node1 with ssh and join the Master as follows:
  • Do the same on Worker Node2:
  • Run “kubectl get nodes” on the Master Node to see that both nodes have joined:

Step 4) Set up the Weave plugin on the Master Node:

  • To set up Network Policy in k8s, I will use an overlay network, so I have to install a network plugin called “weave” on the Master Node in order to enforce network policies.

Resource for in-depth learning && k8s Addons setup.

  • Why the Weave plugin? Because it has the best capability in the market to let us enforce network security policy in Kubernetes.
  • So let’s go and install the Weave plugin on our Master Node using:

kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"

As a result, running “kubectl get nodes” you will see that networking has been set up and our nodes are now running.

Also note that in k8s everything runs in pods; even node configuration services live in pods, which is why running “kubectl get pods -n kube-system” shows that the Weave install launched three pods containing its services.

Step 5) Launch three pods from the Master Node to demonstrate the security policy:

  • kubectl create deployment myd --image=tcdocker2021/ubuntu-nginx-server:v2 --replicas=3 => launches a deployment containing 3 copies of a pod running my ubuntu-nginx-server.
  • Then you have to expose your deployment to allow inbound connections to it, like: kubectl expose deploy myd --port=80 --type=NodePort
  • kubectl get svc => verify that your deployment has actually been exposed

Below demo:

  • Typing in your browser the public IP of your Master Node and the port opened by your exposed deployment will confirm the work so far:
(Screenshot: web page of the server inside the pod)

Note: You can find the image of my ubuntu-nginx server from docker hub at link_to_my_docker_image.

Step 6) Implement Network Policy:

  • kubectl get networkpolicy => shows that we don’t yet have a network policy, so let’s create one.
  • To create a network policy we have to create a resource for it, meaning a YAML config file:

1. Apply a NetworkPolicy to allow all incoming traffic to all pods:

Result: refresh your web browser, and you will see that accessing the web page of our deployment is allowed.

2. Now deny all incoming traffic to all pods, which means denying access to the deployment:

“kubectl get networkpolicy” => check that the network policy has been created

Result: refreshing your web page after the NetworkPolicy setup, you will see that you can no longer access it:

3. Now apply a network policy for a particular pod in a deployment:

The code running in the NetworkPolicy file:

Result: refresh your web page; it is now accessible.
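The three manifests below are added example policies for the three cases of this step; they are not the author's own YAML files (which are not reproduced on this page). They assume the default namespace and the app=myd label that kubectl create deployment puts on the myd pods.

```yaml
# 1) Allow all incoming traffic to every pod in the namespace.
#    A single empty ingress rule ({}) matches traffic from any source.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
  namespace: default
spec:
  podSelector: {}          # empty selector selects every pod in the namespace
  policyTypes: [Ingress]
  ingress:
  - {}
---
# 2) Deny all incoming traffic to every pod.
#    Ingress is listed in policyTypes but no ingress rules are given, so nothing is allowed.
#    Policies are additive (the union of all selecting policies applies), so delete
#    allow-all-ingress first or this policy will have no visible effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes: [Ingress]
---
# 3) With deny-all-ingress still in place, re-open only TCP/80 on the pods of the
#    myd deployment (kubectl create deployment labels them app=myd).
#    Omitting "from" means any source, which is what lets the browser reach the NodePort.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-myd-web
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: myd
  policyTypes: [Ingress]
  ingress:
  - ports:
    - protocol: TCP
      port: 80
```

Apply each with kubectl apply -f and confirm with kubectl get networkpolicy; kubectl describe networkpolicy <name> shows how the selectors and rules were interpreted.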

CONCLUSION

We have now arrived at the end of our small demo of how a security policy, or firewall, is implemented in a Kubernetes cluster. Applying security policy to our apps, web pages and network is in high demand in the production world today, and this is a simple strategy for how we can launch many pods, containers and clusters and restrict access to certain resources for our apps or deployments.

See the Official documentation for more in-depth learning, and also

See the Declare Network Policy walkthrough for further examples.

THANKS YOUUUUU..
