Move Guide topics: NetworkPolicy. (#3298)

pull/3300/head
Steve Perry 2017-04-10 10:26:28 -07:00 committed by GitHub
parent 92e5397113
commit 29ddf7140e
9 changed files with 190 additions and 149 deletions

View File

@ -29,6 +29,10 @@ toc:
- docs/tasks/configure-pod-container/configure-pod-initialization.md
- docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
- docs/tasks/configure-pod-container/configure-pod-disruption-budget.md
- docs/tasks/configure-pod-container/declare-network-policy.md
- docs/tasks/configure-pod-container/calico-network-policy.md
- docs/tasks/configure-pod-container/romana-network-policy.md
- docs/tasks/configure-pod-container/weave-network-policy.md
- docs/tools/kompose/user-guide.md
- title: Running Applications

View File

@ -4,31 +4,6 @@ assignees:
title: Using Calico for NetworkPolicy
---
You can deploy a cluster using Calico for network policy in the default [GCE deployment](/docs/getting-started-guides/gce) using the following set of commands:
{% include user-guide-content-moved.md %}
```shell
export NETWORK_POLICY_PROVIDER=calico
export KUBE_NODE_OS_DISTRIBUTION=debian
curl -sS https://get.k8s.io | bash
```
See the [Calico documentation](http://docs.projectcalico.org/) for more options to deploy Calico with Kubernetes.
Once your cluster using Calico is running, you should see a collection of pods running in the `kube-system` Namespace that support Kubernetes NetworkPolicy.
```console
$ kubectl get pods --namespace=kube-system
NAME READY STATUS RESTARTS AGE
calico-node-kubernetes-minion-group-jck6 1/1 Running 0 46m
calico-node-kubernetes-minion-group-k9jy 1/1 Running 0 46m
calico-node-kubernetes-minion-group-szgr 1/1 Running 0 46m
calico-policy-controller-65rw1 1/1 Running 0 46m
...
```
There are two main components to be aware of:
- One `calico-node` Pod runs on each node in your cluster, and enforces network policy on the traffic to/from Pods on that machine by configuring iptables.
- The `calico-policy-controller` Pod reads policy and label information from the Kubernetes API and configures Calico appropriately.
Once your cluster is running, you can follow the [NetworkPolicy getting started guide](/docs/getting-started-guides/network-policy/walkthrough) to try out Kubernetes NetworkPolicy.
[Using Calico for NetworkPolicy](/docs/tasks/configure-pod-container/calico-network-policy/)

View File

@ -4,14 +4,7 @@ assignees:
title: Using Romana for NetworkPolicy
---
# Installation with kubeadm
{% include user-guide-content-moved.md %}
Begin by following the [kubeadm getting started guide](/docs/getting-started-guides/kubeadm/) and complete steps 1, 2, and 3. Once completed, follow the [containerized installation guide](https://github.com/romana/romana/tree/master/containerize) for kubeadmin. Kubernetes network policies can then be applied to pods using the NetworkPolicy API.
#### Additional Romana Network Policy Options
In addition to the standard Kubernetes NetworkPolicy API, Romana also supports additional network policy functions.
* [Romana Network Policy Capabilities](https://github.com/romana/romana/wiki/Romana-policies)
* [Example Romana Policies](https://github.com/romana/core/tree/master/policy)
[Using Romana for NetworkPolicy](/docs/tasks/configure-pod-container/romana-network-policy/)

View File

@ -4,113 +4,6 @@ assignees:
title: Example Walkthrough
---
Kubernetes can be used to declare network policies which govern how Pods can communicate with each other. This document helps you get started using the Kubernetes [NetworkPolicy API](/docs/user-guide/networkpolicies), and provides a demonstration thereof.
{% include user-guide-content-moved.md %}
In this article, we assume a Kubernetes cluster has been created with network policy support. There are a number of network providers that support NetworkPolicy including:
* [Calico](/docs/getting-started-guides/network-policy/calico/)
* [Romana](/docs/getting-started-guides/network-policy/romana/)
* [Weave Net](/docs/getting-started-guides/network-policy/weave/)
Add-ons are sorted alphabetically - the ordering does not imply any preferential status.
The following example walkthrough will work on a Kubernetes cluster using any of the listed providers.
## Using NetworkPolicy
To explain how Kubernetes network policy works let's start off by creating an `nginx` Deployment and expose it via a Service.
```console
$ kubectl run nginx --image=nginx --replicas=2
deployment "nginx" created
$ kubectl expose deployment nginx --port=80
service "nginx" exposed
```
This will run two nginx Pods in the default Namespace, and expose them through a Service called `nginx`.
```console
$ kubectl get svc,pod
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc/kubernetes 10.100.0.1 <none> 443/TCP 46m
svc/nginx 10.100.0.16 <none> 80/TCP 33s
NAME READY STATUS RESTARTS AGE
po/nginx-701339712-e0qfq 1/1 Running 0 35s
po/nginx-701339712-o00ef 1/1 Running 0 35s
```
We should be able to access our new nginx Service from other Pods. Let's try to access it from another Pod
in the default namespace. We haven't put any network policy in place, so this should just work. Start a
busybox container, and use `wget` to hit the nginx Service:
```console
$ kubectl run busybox --rm -ti --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
/ #
```
Let's say we want to limit access to our nginx Service so that only pods with the label `access: true` can query it. First, we'll
enable ingress isolation on the `default` Namespace. This will prevent _any_ pods from accessing the nginx Service.
```console
$ kubectl annotate ns default "net.beta.kubernetes.io/network-policy={\"ingress\": {\"isolation\": \"DefaultDeny\"}}"
```
With ingress isolation in place, we should no longer be able to access the nginx Service like we were able to before.
Let's now create a `NetworkPolicy` which allows connections from pods with the label `access: true`.
```yaml
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
name: access-nginx
spec:
podSelector:
matchLabels:
run: nginx
ingress:
- from:
- podSelector:
matchLabels:
access: "true"
```
Use kubectl to create the above nginx-policy.yaml file:
```console
$ kubectl create -f nginx-policy.yaml
networkpolicy "access-nginx" created
```
If we attempt to access the nginx Service from a pod without the correct labels, the request will timeout:
```console
$ kubectl run busybox --rm -ti --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
wget: download timed out
/ #
```
However, if we create a Pod with the correct labels, the request will be allowed:
```console
$ kubectl run busybox --rm -ti --labels="access=true" --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
/ #
```
[Declaring Network Policy](/docs/tasks/configure-pod-container/declare-network-policy/)

View File

@ -4,8 +4,6 @@ assignees:
title: Using Weave Net for NetworkPolicy
---
The [Weave Net Addon](https://www.weave.works/docs/net/latest/kube-addon/) for Kubernetes comes with a Network Policy Controller.
{% include user-guide-content-moved.md %}
This component automatically monitors Kubernetes for any NetworkPolicy annotations on all namespaces, and configures `iptables` rules to allow or block traffic as directed by the policies.
Once you have installed the Weave Net Addon you can follow the [NetworkPolicy getting started guide](/docs/getting-started-guides/network-policy/walkthrough) to try out Kubernetes NetworkPolicy.
[Using Weave for NetworkPolicy](/docs/tasks/configure-pod-container.md/)
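Review bot: The moved-content link on the last line of this hunk, `[Using Weave for NetworkPolicy](/docs/tasks/configure-pod-container.md/)`, points at a directory-plus-`.md` path that does not exist and does not match the toc entry this commit adds, `docs/tasks/configure-pod-container/weave-network-policy.md`. Change the target to `/docs/tasks/configure-pod-container/weave-network-policy/`, the same form the Calico and Romana stubs use (`/docs/tasks/configure-pod-container/calico-network-policy/`, `/docs/tasks/configure-pod-container/romana-network-policy/`), and consider "Weave Net" in the link text to match the page title.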

View File

@ -0,0 +1,34 @@
---
assignees:
- caseydavenport
title: Using Calico for NetworkPolicy
---
You can deploy a cluster using Calico for network policy in the default [GCE deployment](/docs/getting-started-guides/gce) using the following set of commands:
```shell
export NETWORK_POLICY_PROVIDER=calico
export KUBE_NODE_OS_DISTRIBUTION=debian
curl -sS https://get.k8s.io | bash
```
See the [Calico documentation](http://docs.projectcalico.org/) for more options to deploy Calico with Kubernetes.
Once your cluster using Calico is running, you should see a collection of pods running in the `kube-system` Namespace that support Kubernetes NetworkPolicy.
```console
$ kubectl get pods --namespace=kube-system
NAME READY STATUS RESTARTS AGE
calico-node-kubernetes-minion-group-jck6 1/1 Running 0 46m
calico-node-kubernetes-minion-group-k9jy 1/1 Running 0 46m
calico-node-kubernetes-minion-group-szgr 1/1 Running 0 46m
calico-policy-controller-65rw1 1/1 Running 0 46m
...
```
There are two main components to be aware of:
- One `calico-node` Pod runs on each node in your cluster, and enforces network policy on the traffic to/from Pods on that machine by configuring iptables.
- The `calico-policy-controller` Pod reads policy and label information from the Kubernetes API and configures Calico appropriately.
Once your cluster is running, you can follow the [NetworkPolicy getting started guide](/docs/getting-started-guides/network-policy/walkthrough) to try out Kubernetes NetworkPolicy.
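Review bot: The closing line of this new file still links to `/docs/getting-started-guides/network-policy/walkthrough`, which this same commit reduces to a content-moved stub; link straight to the new task page, `/docs/tasks/configure-pod-container/declare-network-policy/`, so readers are not bounced through a redirect page. Since the page is being republished as a task, it is also worth adding a sentence next to `curl -sS https://get.k8s.io | bash` suggesting that readers download and inspect the script before executing it, and linking `docs.projectcalico.org` over https rather than `http://`.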

View File

@ -0,0 +1,116 @@
---
assignees:
- caseydavenport
title: Example Walkthrough
---
Kubernetes can be used to declare network policies which govern how Pods can communicate with each other. This document helps you get started using the Kubernetes [NetworkPolicy API](/docs/user-guide/networkpolicies), and provides a demonstration thereof.
In this article, we assume a Kubernetes cluster has been created with network policy support. There are a number of network providers that support NetworkPolicy including:
* [Calico](/docs/getting-started-guides/network-policy/calico/)
* [Romana](/docs/getting-started-guides/network-policy/romana/)
* [Weave Net](/docs/getting-started-guides/network-policy/weave/)
Add-ons are sorted alphabetically - the ordering does not imply any preferential status.
The following example walkthrough will work on a Kubernetes cluster using any of the listed providers.
## Using NetworkPolicy
To explain how Kubernetes network policy works let's start off by creating an `nginx` Deployment and expose it via a Service.
```console
$ kubectl run nginx --image=nginx --replicas=2
deployment "nginx" created
$ kubectl expose deployment nginx --port=80
service "nginx" exposed
```
This will run two nginx Pods in the default Namespace, and expose them through a Service called `nginx`.
```console
$ kubectl get svc,pod
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc/kubernetes 10.100.0.1 <none> 443/TCP 46m
svc/nginx 10.100.0.16 <none> 80/TCP 33s
NAME READY STATUS RESTARTS AGE
po/nginx-701339712-e0qfq 1/1 Running 0 35s
po/nginx-701339712-o00ef 1/1 Running 0 35s
```
We should be able to access our new nginx Service from other Pods. Let's try to access it from another Pod
in the default namespace. We haven't put any network policy in place, so this should just work. Start a
busybox container, and use `wget` to hit the nginx Service:
```console
$ kubectl run busybox --rm -ti --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
/ #
```
Let's say we want to limit access to our nginx Service so that only pods with the label `access: true` can query it. First, we'll
enable ingress isolation on the `default` Namespace. This will prevent _any_ pods from accessing the nginx Service.
```console
$ kubectl annotate ns default "net.beta.kubernetes.io/network-policy={\"ingress\": {\"isolation\": \"DefaultDeny\"}}"
```
With ingress isolation in place, we should no longer be able to access the nginx Service like we were able to before.
Let's now create a `NetworkPolicy` which allows connections from pods with the label `access: true`.
```yaml
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
name: access-nginx
spec:
podSelector:
matchLabels:
run: nginx
ingress:
- from:
- podSelector:
matchLabels:
access: "true"
```
Use kubectl to create the above nginx-policy.yaml file:
```console
$ kubectl create -f nginx-policy.yaml
networkpolicy "access-nginx" created
```
If we attempt to access the nginx Service from a pod without the correct labels, the request will timeout:
```console
$ kubectl run busybox --rm -ti --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
wget: download timed out
/ #
```
However, if we create a Pod with the correct labels, the request will be allowed:
```console
$ kubectl run busybox --rm -ti --labels="access=true" --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
/ #
```
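Review bot: The provider links near the top of this new file (`[Calico](/docs/getting-started-guides/network-policy/calico/)`, `[Romana](/docs/getting-started-guides/network-policy/romana/)`, `[Weave Net](/docs/getting-started-guides/network-policy/weave/)`) still point at the getting-started-guides pages that this commit turns into content-moved stubs; they should target `/docs/tasks/configure-pod-container/calico-network-policy/`, `/docs/tasks/configure-pod-container/romana-network-policy/` and `/docs/tasks/configure-pod-container/weave-network-policy/`. Three smaller points: the front-matter title `Example Walkthrough` is not descriptive once the page sits under Tasks, and the stub left behind links to it as `Declaring Network Policy`, so the title should be aligned with that; the prose says only pods with the label `access: true` are allowed while the manifest uses `access: "true"`, so state that label values are strings and the quotes are required (an unquoted `true` would be parsed as a boolean and rejected); and the file name `nginx-policy.yaml` is first mentioned only in the `kubectl create -f` step, so it should be named above the YAML block. Because the isolation step relies on the `net.beta.kubernetes.io/network-policy` annotation and the `extensions/v1beta1` API, the page should also say which Kubernetes version it was written against.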

View File

@ -0,0 +1,17 @@
---
assignees:
- chrismarino
title: Using Romana for NetworkPolicy
---
# Installation with kubeadm
Begin by following the [kubeadm getting started guide](/docs/getting-started-guides/kubeadm/) and complete steps 1, 2, and 3. Once completed, follow the [containerized installation guide](https://github.com/romana/romana/tree/master/containerize) for kubeadmin. Kubernetes network policies can then be applied to pods using the NetworkPolicy API.
#### Additional Romana Network Policy Options
In addition to the standard Kubernetes NetworkPolicy API, Romana also supports additional network policy functions.
* [Romana Network Policy Capabilities](https://github.com/romana/romana/wiki/Romana-policies)
* [Example Romana Policies](https://github.com/romana/core/tree/master/policy)
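Review bot: `for kubeadmin` in the installation paragraph is a typo for `kubeadm` (the heading above it has the correct spelling). The same paragraph asks readers to "complete steps 1, 2, and 3" of the kubeadm guide, which will silently break if that guide is renumbered; naming the steps would be more robust. The `####` sub-heading directly under a `#` heading also skips two levels; `##` would match the heading structure of the walkthrough page moved in this commit.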

View File

@ -0,0 +1,11 @@
---
assignees:
- bboreham
title: Using Weave Net for NetworkPolicy
---
The [Weave Net Addon](https://www.weave.works/docs/net/latest/kube-addon/) for Kubernetes comes with a Network Policy Controller.
This component automatically monitors Kubernetes for any NetworkPolicy annotations on all namespaces, and configures `iptables` rules to allow or block traffic as directed by the policies.
Once you have installed the Weave Net Addon you can follow the [NetworkPolicy getting started guide](/docs/getting-started-guides/network-policy/walkthrough) to try out Kubernetes NetworkPolicy.
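Review bot: The last line of this new file links to `/docs/getting-started-guides/network-policy/walkthrough`, which this commit turns into a content-moved stub; point it at `/docs/tasks/configure-pod-container/declare-network-policy/` instead. The description on the preceding line, "monitors Kubernetes for any NetworkPolicy annotations on all namespaces", conflates the two inputs the walkthrough actually uses, the `net.beta.kubernetes.io/network-policy` isolation annotation on a Namespace and `NetworkPolicy` objects themselves; rewording it to mention both would match what the walkthrough has readers do.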