---
approvers:
- bboreham
title: Weave Net for NetworkPolicy
---

{% capture overview %}

This page shows how to use Weave Net for NetworkPolicy.

{% endcapture %}

{% capture prerequisites %}

Complete steps 1, 2, and 3 of the kubeadm getting started guide.

{% endcapture %}

{% capture steps %}

## Installing Weave Net addon

Follow the Integrating Kubernetes via the Addon guide.

The Weave Net Addon for Kubernetes comes with a Network Policy Controller that automatically monitors Kubernetes for any NetworkPolicy annotations on all namespaces and configures iptables rules to allow or block traffic as directed by the policies.

{% endcapture %}

{% capture example %}

## Namespace isolation example

1. Create a namespace with DefaultDeny.

    ```yaml
    kind: Namespace
    apiVersion: v1
    metadata:
      name: myns
      annotations:
        net.beta.kubernetes.io/network-policy: |
          {
            "ingress": {
              "isolation": "DefaultDeny"
            }
          }
    ```
1. Create 2 pods inside this namespace.

    ```yaml
    kind: Pod
    apiVersion: v1
    metadata:
      name: pod1
      namespace: myns
      labels:
        inns: "yes"
    spec:
      containers:
      - name: pod1
        image: nginx
    ---
    kind: Pod
    apiVersion: v1
    metadata:
      name: pod2
      namespace: myns
      labels:
        inns: "yes"
    spec:
      containers:
      - name: pod2
        image: nginx
    ```
1. Get the IP addresses of the pods.

    ```shell
    kubectl get po -n myns -o wide
    ```

    **Note:** If your cURL requests to pods are forbidden, try making cURL requests to other pods from within a pod.
    {: .note}

1. Create a Kubernetes NetworkPolicy that allows pods within the same namespace to connect with each other.

    ```yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: aaa
      namespace: myns
    spec:
      podSelector:
        matchExpressions:
          - {key: inns, operator: In, values: ["yes"]}
      ingress:
        - from:
            - podSelector:
                matchExpressions:
                  - {key: inns, operator: In, values: ["yes"]}
    ```

**Caution:** After applying the network policy, pods outside the namespace you specify may be unable to connect with pods inside the namespace.
{: .caution}
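To check what the policy above actually permits before relying on it, the following added example (it is not part of this page, of Weave Net or of Kubernetes) implements the documented NetworkPolicy v1 ingress semantics offline in Python and evaluates the `myns` namespace, the `aaa` policy and the two pods from this page. The `other` namespace, the unlabelled `pod3` and the `client` pod are constructed inputs; ipBlock peers and egress rules are not modelled.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict

def selector_matches(selector, labels):
    """Evaluate a metav1.LabelSelector; {} matches everything, None matches nothing."""
    if selector is None:
        return False
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True

def peer_matches(peer, src, policy_ns, namespaces):
    """One ingress[].from entry. podSelector alone is scoped to the policy's own
    namespace; namespaceSelector widens it; both together are ANDed. No ipBlock."""
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces.get(src.namespace, {}).get("labels", {})):
            return False
    elif src.namespace != policy_ns:
        return False
    pod_sel = peer.get("podSelector")
    return pod_sel is None or selector_matches(pod_sel, src.labels)

def default_deny(ns_meta):
    """Parse the beta per-namespace isolation annotation used on this page."""
    raw = ns_meta.get("annotations", {}).get("net.beta.kubernetes.io/network-policy")
    return bool(raw) and json.loads(raw).get("ingress", {}).get("isolation") == "DefaultDeny"

def ingress_allowed(src, dst, policies, namespaces):
    """A pod is isolated if its namespace is DefaultDeny or any policy selects it;
    an isolated pod accepts only traffic matched by a rule of a policy selecting it."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst.namespace
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"]["podSelector"], dst.labels)]
    if not (default_deny(namespaces.get(dst.namespace, {})) or selecting):
        return True  # not isolated: everything is allowed
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from", [])  # a rule with no "from" admits all sources
            if not peers or any(peer_matches(q, src, dst.namespace, namespaces) for q in peers):
                return True
    return False

# The namespace annotation and the "aaa" policy from this page, as Python dicts.
# The "other" namespace and the pod3/client pods are constructed for illustration.
INNS_YES = {"matchExpressions": [{"key": "inns", "operator": "In", "values": ["yes"]}]}
POLICY_AAA = {
    "metadata": {"name": "aaa", "namespace": "myns"},
    "spec": {"podSelector": INNS_YES, "ingress": [{"from": [{"podSelector": INNS_YES}]}]},
}
NAMESPACES = {
    "myns": {"labels": {}, "annotations": {
        "net.beta.kubernetes.io/network-policy": '{"ingress": {"isolation": "DefaultDeny"}}'}},
    "other": {"labels": {}, "annotations": {}},
}
POD1 = Pod("pod1", "myns", {"inns": "yes"})
POD2 = Pod("pod2", "myns", {"inns": "yes"})
POD3 = Pod("pod3", "myns", {})                    # constructed: in myns but unlabelled
CLIENT = Pod("client", "other", {"inns": "yes"})  # constructed: right label, other namespace

def check_page_scenario():
    """Reachability table for the pods above under the page's policy."""
    return {
        "pod1->pod2": ingress_allowed(POD1, POD2, [POLICY_AAA], NAMESPACES),
        "pod1->pod3": ingress_allowed(POD1, POD3, [POLICY_AAA], NAMESPACES),
        "pod3->pod2": ingress_allowed(POD3, POD2, [POLICY_AAA], NAMESPACES),
        "client->pod2": ingress_allowed(CLIENT, POD2, [POLICY_AAA], NAMESPACES),
        "pod1->pod2 (no policy)": ingress_allowed(POD1, POD2, [], NAMESPACES),
    }

if __name__ == "__main__":
    for flow, allowed in check_page_scenario().items():
        print(f"{flow:24} {'ALLOW' if allowed else 'DENY'}")
```

Only `pod1->pod2` is allowed. The `client` pod carries the same `inns: "yes"` label but lives in another namespace, and a `podSelector` without a `namespaceSelector` only matches pods in the policy's own namespace, which is exactly the situation the caution above describes. `pod3` is denied in both directions because the DefaultDeny annotation isolates every pod in `myns` while the policy opens ingress only to the pods it selects. The evaluator checks intent; in the cluster it is Weave Net's controller that turns these decisions into iptables rules, so confirm the result with cURL from inside a pod as in step 3.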

{% endcapture %}

{% capture whatsnext %}

Once you have installed the Weave Net addon, you can follow the NetworkPolicy getting started guide to try out Kubernetes NetworkPolicy.

{% endcapture %}

{% include templates/task.md %}