CKAD Hard Question 8: How to restore communication between two services when a NetworkPolicy that denies all traffic has been applied?


Create a namespace myns.

Create 2 nginx pods called n1 and n2 in the namespace myns.

Create services to expose them on their default exposed port: 80.

Check that we can curl the n2 pod from the n1 pod through the n2 service, and vice-versa, using curl with a timeout.

Create a network policy called deny-all in the namespace myns which denies any kind of communication to all pods of the namespace (a default deny).

Check that we can no longer curl any service from either pod n1 or n2.

Create the NetworkPolicy resources in the namespace myns which re-open the communication:

  • pod n1 => service n2 => pod n2
  • pod n2 => service n1 => pod n1

Hint: deny-all blocks every port in the namespace myns!
So it will also block any call to the DNS server in the namespace kube-system: the pods can no longer resolve the service names n1 and n2.
We use killercoda for the demonstration and we can see the coredns pods:

    controlplane:~$ k get po -n kube-system | grep core
    coredns-6ff97d97f9-4wljj   1/1     Running   1 (8h ago)   13d
    coredns-6ff97d97f9-wmpcb   1/1     Running   1 (8h ago)   13d

Demo

Solution:

Please find all the yaml files below.

The ns myns

    kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Namespace
    metadata:
      labels:
        kubernetes.io/metadata.name: myns
      name: myns
    EOF

The pods and services in the ns myns

    kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        run: n1
      name: n1
      namespace: myns
    spec:
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: n1
        resources: {}
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        run: n2
      name: n2
      namespace: myns
    spec:
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: n2
        resources: {}
    ---
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        run: n1
      name: n1
      namespace: myns
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: n1
      sessionAffinity: None
      type: ClusterIP
    ---
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        run: n2
      name: n2
      namespace: myns
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: n2
      sessionAffinity: None
      type: ClusterIP
    EOF

The networkpolicies

The default deny: an empty podSelector selects every pod of the namespace, and listing both policy types isolates them for ingress and egress.

    kubectl apply -f - <<EOF
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: default-deny-all
      namespace: myns
    spec:
      podSelector: {}
      policyTypes:
      - Ingress
      - Egress
    EOF

Egress from n1: to the n2 pod on TCP 80, and to the coredns pods in kube-system on port 53 (UDP and TCP) so that the service name n2 can still be resolved.

    kubectl apply -f - <<EOF
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: egressn1
      namespace: myns
    spec:
      podSelector:
        matchLabels:
          run: n1
      policyTypes:
      - Egress
      egress:
      - to:
        - podSelector:
            matchLabels:
              run: n2
        ports:
        - protocol: TCP
          port: 80
      - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns # label used by the CoreDNS pods in kube-system
        ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    EOF

Ingress to n2: only from the n1 pod on TCP 80.

    kubectl apply -f - <<EOF
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: ingressn2
      namespace: myns
    spec:
      podSelector:
        matchLabels:
          run: n2
      policyTypes:
      - Ingress
      ingress:
      - from:
        - podSelector:
            matchLabels:
              run: n1
        ports:
        - protocol: TCP
          port: 80
    EOF

Egress from n2: the mirror of egressn1.

    kubectl apply -f - <<EOF
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: egressn2
      namespace: myns
    spec:
      podSelector:
        matchLabels:
          run: n2
      policyTypes:
      - Egress
      egress:
      - to:
        - podSelector:
            matchLabels:
              run: n1
        ports:
        - protocol: TCP
          port: 80
      - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns # label used by the CoreDNS pods in kube-system
        ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    EOF

Ingress to n1: only from the n2 pod on TCP 80.

    kubectl apply -f - <<EOF
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: ingressn1
      namespace: myns
    spec:
      podSelector:
        matchLabels:
          run: n1
      policyTypes:
      - Ingress
      ingress:
      - from:
        - podSelector:
            matchLabels:
              run: n2
        ports:
        - protocol: TCP
          port: 80
    EOF
    controlplane:~$ k get netpol
    NAME               POD-SELECTOR   AGE
    default-deny-all   <none>         3m4s
    egressn1           run=n1         2m45s
    egressn2           run=n2         34s
    ingressn1          run=n1         25s
    ingressn2          run=n2         2m37s

    controlplane:~$ k exec n1 -it -- bash
    root@n1:/# curl n2
    <html>
    <head>
    <title>Welcome to nginx!</title>
    <style>
    html { color-scheme: light dark; }
    body { width: 35em; margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif; }
    </style>
    </head>
    <body>
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>

    <p>For online documentation and support please refer to
    <a href="http://nginx.org/">nginx.org</a>.<br/>
    Commercial support is available at
    <a href="http://nginx.com/">nginx.com</a>.</p>

    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
    root@n1:/#

    controlplane:~$ k exec n2 -it -- bash
    root@n2:/# curl n1
    <html>
    <head>
    <title>Welcome to nginx!</title>
    <style>
    html { color-scheme: light dark; }
    body { width: 35em; margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif; }
    </style>
    </head>
    <body>
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>

    <p>For online documentation and support please refer to
    <a href="http://nginx.org/">nginx.org</a>.<br/>
    Commercial support is available at
    <a href="http://nginx.com/">nginx.com</a>.</p>

    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
    root@n2:/#

We have re-opened the communication between the pods n1 and n2 through their services, and we have allowed DNS resolution over UDP and TCP on port 53 to the coredns pods in the namespace kube-system. Both halves are needed: the egress policy on the caller and the ingress policy on the callee, because default-deny-all isolates every pod in both directions and a connection must be permitted on each side.
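To check the reasoning without a cluster, here is a small model of how Kubernetes evaluates NetworkPolicies, written as an added example for this post (it is not code from the original post or from Kubernetes). It encodes the five policies of the solution above as Python dicts that mirror the YAML, plus constructed pod and namespace objects (n1, n2, a coredns pod in kube-system), and answers "is this connection allowed?" the way a CNI plugin does: a pod becomes isolated for a direction as soon as any policy selecting it lists that direction in policyTypes, and from then on only connections matched by some rule of some selecting policy pass; a connection must pass the source's egress check and the destination's ingress check.

```python
# Added example, not from the original post: a minimal evaluator of
# NetworkPolicy semantics. Pods, namespaces and labels are constructed here
# to match the solution (n1/n2 in myns, CoreDNS labelled k8s-app=kube-dns).

NAMESPACE_LABELS = {
    "myns": {"kubernetes.io/metadata.name": "myns"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}

PODS = {
    "n1": {"namespace": "myns", "labels": {"run": "n1"}},
    "n2": {"namespace": "myns", "labels": {"run": "n2"}},
    "coredns": {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}},
}

DNS_PEER = {  # same peer as the second egress rule of egressn1/egressn2
    "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
}
DNS_PORTS = [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]

# default-deny-all: empty podSelector = every pod in myns, both directions isolated
DENY_ALL = {"namespace": "myns", "podSelector": {}, "policyTypes": ["Ingress", "Egress"]}


def egress_policy(src, dst):
    """egressn1 / egressn2: allow src -> dst on TCP 80 and src -> CoreDNS on 53."""
    return {"namespace": "myns", "podSelector": {"matchLabels": {"run": src}},
            "policyTypes": ["Egress"],
            "egress": [
                {"to": [{"podSelector": {"matchLabels": {"run": dst}}}],
                 "ports": [{"protocol": "TCP", "port": 80}]},
                {"to": [DNS_PEER], "ports": DNS_PORTS},
            ]}


def ingress_policy(dst, src):
    """ingressn1 / ingressn2: allow dst to receive from src on TCP 80 only."""
    return {"namespace": "myns", "podSelector": {"matchLabels": {"run": dst}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": src}}}],
                         "ports": [{"protocol": "TCP", "port": 80}]}]}


SOLUTION = [DENY_ALL, egress_policy("n1", "n2"), ingress_policy("n2", "n1"),
            egress_policy("n2", "n1"), ingress_policy("n1", "n2")]


def selects(selector, labels):
    """An empty selector ({}) matches everything; every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, pod):
    """A 'to'/'from' entry: without namespaceSelector only the policy's own namespace
    is meant; without podSelector every pod of the selected namespace(s) matches."""
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], NAMESPACE_LABELS[pod["namespace"]]):
            return False
    elif pod["namespace"] != policy_ns:
        return False
    return selects(peer.get("podSelector", {}), pod["labels"])


def port_matches(ports, protocol, port):
    """A missing/empty ports list means any port; protocol defaults to TCP."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def policy_types(policy):
    """Explicit policyTypes, else the API default: Ingress, plus Egress if egress rules exist."""
    if "policyTypes" in policy:
        return policy["policyTypes"]
    return ["Ingress"] + (["Egress"] if "egress" in policy else [])


def direction_allowed(policies, pod, direction, peer, protocol, port):
    """Not isolated for this direction -> allowed. Isolated -> allowed only if a rule
    of some selecting policy matches both the peer and the port (rules are OR-ed)."""
    selecting = [p for p in policies
                 if p["namespace"] == pod["namespace"] and selects(p["podSelector"], pod["labels"])]
    isolating = [p for p in selecting if direction in policy_types(p)]
    if not isolating:
        return True
    peer_key = "to" if direction == "Egress" else "from"
    for p in isolating:
        for rule in p.get(direction.lower(), []):
            peers = rule.get(peer_key)
            if (not peers or any(peer_matches(x, p["namespace"], peer) for x in peers)) \
                    and port_matches(rule.get("ports"), protocol, port):
                return True
    return False


def allowed(policies, src, dst, protocol="TCP", port=80):
    """A connection needs the sender's egress AND the receiver's ingress to permit it."""
    s, d = PODS[src], PODS[dst]
    return (direction_allowed(policies, s, "Egress", d, protocol, port)
            and direction_allowed(policies, d, "Ingress", s, protocol, port))


if __name__ == "__main__":
    for label, pol in [("no policy", []), ("deny-all only", [DENY_ALL]),
                       ("deny-all + egressn1 only", [DENY_ALL, egress_policy("n1", "n2")]),
                       ("full solution", SOLUTION)]:
        print(f"{label:26} n1->n2:80 {allowed(pol, 'n1', 'n2')!s:5} "
              f"n1->dns:53/udp {allowed(pol, 'n1', 'coredns', 'UDP', 53)}")
```

The "deny-all + egressn1 only" row is the case that trips people up: n1 is allowed out, yet n2 is still isolated for ingress by default-deny-all and has no rule admitting n1, so the curl still hangs. Likewise the evaluator shows that without the kube-dns rule the UDP/TCP 53 lookup is denied, which is why curl fails on name resolution before any TCP connection is attempted.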

Source link
