liwenwu-amazon / reinvent2018-NET410


Remove Policy Section Below to keep focus on networking #23

Closed izugbokwe closed 5 years ago

izugbokwe commented 5 years ago

install calico policy add-on

kubectl apply -f calico.yaml

daemonset.extensions "calico-node" created
customresourcedefinition.apiextensions.k8s.io "felixconfigurations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "bgpconfigurations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "ippools.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "hostendpoints.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "clusterinformations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "globalnetworkpolicies.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "globalnetworksets.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "networkpolicies.crd.projectcalico.org" created
serviceaccount "calico-node" created
clusterrole.rbac.authorization.k8s.io "calico-node" created
clusterrolebinding.rbac.authorization.k8s.io "calico-node" created
deployment.extensions "calico-typha" created
clusterrolebinding.rbac.authorization.k8s.io "typha-cpha" created
clusterrole.rbac.authorization.k8s.io "typha-cpha" created
configmap "calico-typha-horizontal-autoscaler" created
deployment.extensions "calico-typha-horizontal-autoscaler" created
role.rbac.authorization.k8s.io "typha-cpha" created
serviceaccount "typha-cpha" created
rolebinding.rbac.authorization.k8s.io "typha-cpha" created
service "calico-typha" created

Examine calico add-on

kubectl get pod -n kube-system

NAME                                                 READY  STATUS   RESTARTS  AGE
aws-node-2c5zn                                       1/1    Running  0         3h
aws-node-ng546                                       1/1    Running  0         3h
aws-node-wx4nh                                       1/1    Running  1         3h
calico-node-g779n                                    1/1    Running  0         1m
calico-node-k2svs                                    1/1    Running  0         1m
calico-node-wmzbw                                    1/1    Running  0         1m
calico-typha-75667d89cb-7m4jr                        1/1    Running  0         1m
calico-typha-horizontal-autoscaler-78f747b679-qf965  1/1    Running  0         1m
kube-dns-64b69465b4-57l8d                            3/3    Running  0         8h
kube-proxy-8mf7f                                     1/1    Running  0         3h
kube-proxy-9t9n8                                     1/1    Running  0         3h
kube-proxy-nmnz9                                     1/1    Running  0         3h

Simple Policy Demo

Configure Namespaces

kubectl create ns policy-demo

Create demo pods

Run the Pods.

kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx

Create the Service.

kubectl expose --namespace=policy-demo deployment nginx --port=80

Run a Pod and try to access the nginx Service.

$ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ # wget -q nginx -O -

enable isolation

kubectl create -f - <<EOF
kind: NetworkPolicy
# extensions/v1beta1 NetworkPolicy was removed in Kubernetes 1.16; current clusters use networking.k8s.io/v1
apiVersion: extensions/v1beta1
metadata:
  name: default-deny
  namespace: policy-demo
spec:
  # an empty podSelector selects every pod in the namespace; with no ingress rules, all ingress is denied
  podSelector:
    matchLabels: {}
EOF

test isolation

Run a Pod and try to access the nginx Service.

$ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ # wget -q --timeout=5 nginx -O -
wget: download timed out
/ #

Allow Access using a Network Policy

kubectl create -f - <<EOF
kind: NetworkPolicy
# extensions/v1beta1 NetworkPolicy was removed in Kubernetes 1.16; current clusters use networking.k8s.io/v1
apiVersion: extensions/v1beta1
metadata:
  name: access-nginx
  namespace: policy-demo
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
    # the rule body is cut off in the pasted text; reconstructed from the demo's
    # "access" / "cant-access" pods (kubectl run labels each pod run=<name>)
    - from:
        - podSelector:
            matchLabels:
              run: access
EOF

If you don't see a command prompt, try pressing enter.

/ # wget -q --timeout=5 nginx -O -

Run a Pod without the label and try to access the nginx Service.

$ kubectl run --namespace=policy-demo cant-access --rm -ti --image busybox /bin/sh
Waiting for pod policy-demo/cant-access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ # wget -q --timeout=5 nginx -O -
wget: download timed out
/ #

cleanup

kubectl delete ns policy-demo
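The demo above shows three outcomes (open, timed out, open again, timed out for the unlabelled pod) without spelling out the rule that produces them: a pod is isolated for ingress as soon as any NetworkPolicy in its namespace selects it, and from then on a connection is admitted only if some selecting policy has an ingress rule that matches the source. The following Python model is an added example, not code from the reinvent2018-NET410 repository or from Calico; it encodes that evaluation order, mirrors the two policies from the issue as dicts, and uses constructed pod and namespace labels (the `kubernetes.io/metadata.name` namespace label and the `run=<name>` label that `kubectl run` adds are the only assumptions). ipBlock peers, egress rules and port restrictions are left out.

```python
# Added example (not from the reinvent2018-NET410 repo): a model of how
# Kubernetes evaluates NetworkPolicy ingress, used to predict each wget in the
# policy demo. Pod and namespace labels are constructed for the example; the
# two policies mirror the YAML in the issue.
from typing import Dict, List, Optional

Labels = Dict[str, str]

# kubectl run labels every pod it creates with run=<name>; the demo's
# selectors rely on exactly that label.
PODS: Dict[str, Labels] = {
    "nginx": {"run": "nginx"},
    "access": {"run": "access"},
    "cant-access": {"run": "cant-access"},
}

# Constructed namespace labels (kubernetes.io/metadata.name is set by the
# API server on recent clusters; assumed here so namespaceSelector works).
NAMESPACE_LABELS: Dict[str, Labels] = {
    "policy-demo": {"kubernetes.io/metadata.name": "policy-demo"},
    "default": {"kubernetes.io/metadata.name": "default"},
}

DEFAULT_DENY = {
    "namespace": "policy-demo",
    "name": "default-deny",
    # empty podSelector selects every pod; no ingress rules, so nothing is admitted
    "spec": {"podSelector": {"matchLabels": {}}},
}

ACCESS_NGINX = {
    "namespace": "policy-demo",
    "name": "access-nginx",
    "spec": {
        "podSelector": {"matchLabels": {"run": "nginx"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": "access"}}}]}],
    },
}


def selects(selector: Optional[dict], labels: Labels) -> bool:
    """matchLabels semantics: an empty selector ({} or matchLabels: {}) matches everything."""
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer: dict, src_ns: str, src_labels: Labels, policy_ns: str) -> bool:
    """One entry of an ingress 'from' list: podSelector and/or namespaceSelector."""
    pod_sel = peer.get("podSelector")
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None:
        # a bare podSelector only ever matches pods in the policy's own namespace
        return src_ns == policy_ns and selects(pod_sel, src_labels)
    ns_ok = selects(ns_sel, NAMESPACE_LABELS.get(src_ns, {}))
    return ns_ok and (pod_sel is None or selects(pod_sel, src_labels))


def ingress_allowed(policies: List[dict], src_ns: str, src_labels: Labels,
                    dst_ns: str, dst_labels: Labels) -> bool:
    """True if the destination is not isolated, or if any selecting policy admits the source."""
    applicable = [
        p for p in policies
        if p["namespace"] == dst_ns
        and selects(p["spec"].get("podSelector"), dst_labels)
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
    ]
    if not applicable:
        return True  # no policy selects the pod: it is not isolated
    for p in applicable:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule with no 'from' admits every source
            if any(peer_matches(peer, src_ns, src_labels, p["namespace"]) for peer in peers):
                return True
    return False  # isolated, and no rule whitelisted this source


def demo_steps() -> Dict[str, bool]:
    """Outcome of each wget in the demo, keyed by step."""
    ns = "policy-demo"
    nginx = PODS["nginx"]
    both = [DEFAULT_DENY, ACCESS_NGINX]
    return {
        "no policy, access -> nginx": ingress_allowed([], ns, PODS["access"], ns, nginx),
        "default-deny, access -> nginx": ingress_allowed([DEFAULT_DENY], ns, PODS["access"], ns, nginx),
        "both policies, access -> nginx": ingress_allowed(both, ns, PODS["access"], ns, nginx),
        "both policies, cant-access -> nginx": ingress_allowed(both, ns, PODS["cant-access"], ns, nginx),
        # access-nginx selects only nginx, so the busybox pods stay fully isolated
        "both policies, nginx -> access": ingress_allowed(both, ns, nginx, ns, PODS["access"]),
    }


if __name__ == "__main__":
    for step, ok in demo_steps().items():
        print(f"{step:40s} {'allowed' if ok else 'denied (wget times out)'}")
```

The last entry in `demo_steps` is the check most people forget to run: the allow policy is written from nginx's point of view, so after `default-deny` the busybox pods themselves accept no ingress at all, and a policy in another namespace (or a peer with only a `podSelector`) never reaches across the namespace boundary.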

liwenwu-amazon commented 5 years ago

done