---
approvers:
- bboreham
title: Weave Net for NetworkPolicy
---
{% capture overview %}
This page shows how to use Weave Net for NetworkPolicy.
{% endcapture %}
{% capture prerequisites %}
Complete steps 1, 2, and 3 of the [kubeadm getting started guide](/docs/getting-started-guides/kubeadm/).
{% endcapture %}
{% capture steps %}
## Installing Weave Net addon
Follow the [Integrating Kubernetes via the Addon](https://www.weave.works/docs/net/latest/kube-addon/) guide.
The Weave Net Addon for Kubernetes comes with a [Network Policy Controller](https://www.weave.works/docs/net/latest/kube-addon/#npc) that automatically monitors Kubernetes for any NetworkPolicy annotations on all namespaces and configures `iptables` rules to allow or block traffic as directed by the policies.
{% endcapture %}
{% capture example %}
## Namespace isolation example
1. Create a namespace with `DefaultDeny`.
    ```yaml
    kind: Namespace
    apiVersion: v1
    metadata:
      name: myns
      annotations:
        net.beta.kubernetes.io/network-policy: |
          {
            "ingress": {
              "isolation": "DefaultDeny"
            }
          }
    ```
2. Create 2 pods inside this namespace.
    ```yaml
    kind: Pod
    apiVersion: v1
    metadata:
      name: pod1
      namespace: myns
      labels:
        inns: "yes"
    spec:
      containers:
        - name: pod1
          image: nginx
    ---
    kind: Pod
    apiVersion: v1
    metadata:
      name: pod2
      namespace: myns
      labels:
        inns: "yes"
    spec:
      containers:
        - name: pod2
          image: nginx
    ```
3. Get the IP addresses of the pods.
    ```shell
    kubectl get po -n myns -o wide
    ```
**Note:** If your cURL requests to pods are forbidden, try making cURL requests to other pods from within a pod.
{: .note}
4. Create a Kubernetes NetworkPolicy that allows pods within the same namespace to connect with each other.
    ```yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: aaa
      namespace: myns
    spec:
      podSelector:
        matchExpressions:
          - {key: inns, operator: In, values: ["yes"]}
      ingress:
        - from:
            - podSelector:
                matchExpressions:
                  - {key: inns, operator: In, values: ["yes"]}
    ```
**Caution:** After applying the network policy, pods outside the namespace you specify may be unable to connect with pods inside the namespace.
{: .caution}
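
The following sketch is an added example, not part of the original page or of Weave Net's code. It models how the `aaa` policy from step 4 is evaluated, to show why a pod outside `myns` is refused even when it carries the `inns: "yes"` label. The `outsider` and `unlabelled` pods and the function names are constructed for illustration, and only the `In` operator and a bare `podSelector` in `from` are modelled.

```python
# Simplified model of NetworkPolicy ingress evaluation (added example).
# Assumption: namespaces other than the policy's are not isolated.

POLICY = {  # the "aaa" policy from step 4, written as a dict
    "namespace": "myns",
    "podSelector": [{"key": "inns", "operator": "In", "values": ["yes"]}],
    "ingress_from": [[{"key": "inns", "operator": "In", "values": ["yes"]}]],
}

# pod1 and pod2 come from step 2; the other two pods are constructed samples.
PODS = {
    "pod1": {"namespace": "myns", "labels": {"inns": "yes"}},
    "pod2": {"namespace": "myns", "labels": {"inns": "yes"}},
    "outsider": {"namespace": "default", "labels": {"inns": "yes"}},
    "unlabelled": {"namespace": "myns", "labels": {}},
}


def selector_matches(expressions, labels):
    """True if every expression matches; an empty selector matches all pods."""
    for expr in expressions:
        if expr["operator"] != "In":
            raise ValueError("only the In operator is modelled here")
        if labels.get(expr["key"]) not in expr["values"]:
            return False
    return True


def ingress_allowed(policy, src, dst):
    """Decide whether pod src may open a connection to pod dst."""
    if dst["namespace"] != policy["namespace"]:
        return True  # destination is outside the isolated namespace
    if not selector_matches(policy["podSelector"], dst["labels"]):
        return False  # DefaultDeny applies and no policy selects dst
    # A bare podSelector under `from` only selects pods in the policy's
    # own namespace, so the source namespace is checked before the labels.
    if src["namespace"] != policy["namespace"]:
        return False
    return any(selector_matches(sel, src["labels"])
               for sel in policy["ingress_from"])


if __name__ == "__main__":
    for src, dst in [("pod1", "pod2"), ("outsider", "pod1"),
                     ("unlabelled", "pod1"), ("pod1", "unlabelled")]:
        verdict = ingress_allowed(POLICY, PODS[src], PODS[dst])
        print(f"{src} -> {dst}: {'allow' if verdict else 'deny'}")
```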
{% endcapture %}
{% capture whatsnext %}
Once you have installed the Weave Net addon, you can follow the [NetworkPolicy getting started guide](/docs/getting-started-guides/network-policy/walkthrough) to try out Kubernetes NetworkPolicy.
{% endcapture %}
{% include templates/task.md %}