From ae9c4315b1697052a547d150ebfe395a75a3f633 Mon Sep 17 00:00:00 2001
From: Martynas Pumputis
Date: Thu, 25 Jan 2018 23:29:40 +0100
Subject: [PATCH] Update weave-network-policy.md (#6960)

- Remove the obsolete example.
- Include support links.

---
 .../weave-network-policy.md | 132 +-----------------
 1 file changed, 3 insertions(+), 129 deletions(-)

diff --git a/docs/tasks/administer-cluster/weave-network-policy.md b/docs/tasks/administer-cluster/weave-network-policy.md
index 6838674c09..31ff6b5b5a 100644
--- a/docs/tasks/administer-cluster/weave-network-policy.md
+++ b/docs/tasks/administer-cluster/weave-network-policy.md
@@ -12,7 +12,7 @@ This page shows how to use Weave Net for NetworkPolicy.
 {% capture prerequisites %}
-Complete steps 1, 2, and 3 of the [kubeadm getting started guide](/docs/getting-started-guides/kubeadm/).
+You need to have a Kubernetes cluster. Follow the [kubeadm getting started guide](/docs/getting-started-guides/kubeadm/) to bootstrap one.
 {% endcapture %}
@@ -24,84 +24,9 @@ Follow the [Integrating Kubernetes via the Addon](https://www.weave.works/docs/n The Weave Net addon for Kubernetes comes with a [Network Policy Controller](https://www.weave.works/docs/net/latest/kube-addon/#npc) that automatically monitors Kubernetes for any NetworkPolicy annotations on all namespaces and configures `iptables` rules to allow or block traffic as directed by the policies. -## Namespace isolation example - -1. Create a Namespace with `DefaultDeny`. - -```yaml -kind: Namespace -apiVersion: v1 -metadata: - name: myns - annotations: - net.beta.kubernetes.io/network-policy: | - { - "ingress": { - "isolation": "DefaultDeny" - } - } -``` - -2. Create 2 Pods inside this Namespace. - -```yaml -kind: Pod -apiVersion: v1 -metadata: - name: pod1 - namespace: myns - labels: - inns: "yes" -spec: - containers: - - name: pod1 - image: nginx ---- -kind: Pod -apiVersion: v1 -metadata: - name: pod2 - namespace: myns - labels: - inns: "yes" -spec: - containers: - - name: pod2 - image: nginx -``` - -3. Get the IP addresses of the Pods. - -```shell -kubectl get po -n myns -o wide -``` -**Note:** If your cURL requests to Pods are forbidden, try making cURL requests to other Pods from within a Pod. -{: .note} - -4. Create a Kubernetes NetworkPolicy that allows Pods within the same Namespace to connect with each other. - -```yaml -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: aaa - namespace: myns -spec: - podSelector: - matchExpressions: - - {key: inns, operator: In, values: ["yes"]} - ingress: - - from: - - podSelector: - matchExpressions: - - {key: inns, operator: In, values: ["yes"]} -``` -**Caution:** After applying the network policy, pods outside the namespace you specify may be unable to connect with pods inside the namespace. -{. :caution} - ## Test the installation -1. Verify that the weave works. +Verify that the weave works. Enter the following command: 
@@ -121,62 +46,11 @@ weave-net-pmw8w 2/2 Running 0 9d Each Node has a weave Pod, and all Pods are `Running` and `2/2 READY`. (`2/2` means that each Pod has `weave` and `weave-npc`.) -2. Create a Network Policy. - -For more information, see "[Declare Network Policy](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/)". - -3. Check the logs. - -After creating a NetworkPolicy, check the logs: - -```shell -kubectl logs -f weave-net-pmw8w weave-npc -n kube-system -``` - -Log output looks like this: - -```log -INFO: 2017/08/14 02:22:32.511992 EVENT AddNetworkPolicy {"metadata":{"name":"aaa","namespace":"myns","selfLink":"/apis/extensions/v1beta1/namespaces/myns/networkpolicies/aaa","uid":"67b229fd-8097-11e7-92f3-005056a3bc75","resourceVersion":"1507955","generation":1,"creationTimestamp":"2017-08-14T02:22:22Z"},"spec":{"podSelector":{"matchExpressions":[{"key":"inns","operator":"In","values":["yes"]}]},"ingress":[{"from":[{"podSelector":{"matchExpressions":[{"key":"inns","operator":"In","values":["yes"]}]}}]}]}} -INFO: 2017/08/14 02:22:32.512103 creating ipset: &npc.selectorSpec{key:"inns in (yes)", selector:labels.internalSelector{labels.Requirement{key:"inns", operator:"in", strValues:[]string{"yes"}}}, ipsetType:"hash:ip", ipsetName:"weave-[T]a=ETzaKA{o*muaFe:2IX(t"} -INFO: 2017/08/14 02:22:32.538003 adding rule: [-m set --match-set weave-[T]a=ETzaKA{o*muaFe:2IX(t src -m set --match-set weave-[T]a=ETzaKA{o*muaFe:2IX(t dst -j ACCEPT] -^[^C -``` - -4. Finally, check the logs for iptables. - -```shell -iptables -L -``` - -The output is similar to this: - -```iptables -Chain WEAVE-NPC (1 references) -target prot opt source destination -ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED -ACCEPT all -- anywhere base-address.mcast.net/4 -WEAVE-NPC-DEFAULT all -- anywhere anywhere state NEW -WEAVE-NPC-INGRESS all -- anywhere anywhere state NEW -ACCEPT all -- anywhere anywhere ! 
match-set weave-local-pods dst - -Chain WEAVE-NPC-DEFAULT (1 references) -target prot opt source destination -ACCEPT all -- anywhere anywhere match-set weave-iuZcey(5DeXbzgRFs8Szo]+@p dst -ACCEPT all -- anywhere anywhere match-set weave-k?Z;25^M}|1s7P3|H9i;*;MhG dst -ACCEPT all -- anywhere anywhere match-set weave-4vtqMI+kx/2]jD%_c0S%thO%V dst - -Chain WEAVE-NPC-INGRESS (1 references) -target prot opt source destination -ACCEPT all -- anywhere anywhere match-set weave-[T]a=ETzaKA{o*muaFe:2IX(t src match-set weave-[T]a=ETzaKA{o*muaFe:2IX(t dst -``` - -The match-set labels have been applied to iptables, so the weave is working correctly. - {% endcapture %} {% capture whatsnext %} -Once you have installed the Weave Net addon, you can follow the [Declare Network Policy](/docs/tasks/administer-cluster/declare-network-policy/) to try out Kubernetes NetworkPolicy. +Once you have installed the Weave Net addon, you can follow the [Declare Network Policy](/docs/tasks/administer-cluster/declare-network-policy/) to try out Kubernetes NetworkPolicy. If you have any question, contact us at [#weave-community on Slack or Weave User Group](https://github.com/weaveworks/weave#getting-help). {% endcapture %}