A Cloud Guru
Network Policy with Calico

This lab covers the Kubernetes feature of Network Policy. The lab utilizes the `kops` installer to create a cluster using the Calico network overlay. The student is guided through the process of first creating a network policy that prohibits pod access, followed by another policy that grants pod access to certain clients and a named server.


Path Info

Level: Intermediate
Duration: 1h 0m
Published: May 24, 2019


Table of Contents

  1. Challenge

    Create the Kubernetes Cluster

    The k8s-create.sh script should be in the cloud_user's home directory. You may list the directory contents with:

    $ ls -l
    

    To run the script, enter the following command:

    Note: Be sure to have a space between the . and the ./ in front of the script. The leading . sources the script in the current shell, so the environment variables it sets remain available to the parent shell after it finishes.

    $ . ./k8s-create.sh
    

    Once the cluster configuration has been created, you can apply the configuration with this command:

    $ kops update cluster -y
    

    Note: To view the cluster servers as they are being created, you may use the AWS console and the credentials provided.

    You may validate the cluster with the command:

    $ kops validate cluster
    

    It will report errors until the cluster is fully configured; when complete, it should report that the cluster is ready.

    Verify the cluster is running with:

    $ kubectl get nodes
    
  2. Challenge

    Configure the Required Namespace

    Create the namespace called 'policy-demo' that the lab uses by entering:

    $ kubectl create ns policy-demo
    

    The command should respond with an affirmation that the namespace was created.

  3. Challenge

    Create the Demo Pods

    Run two replicas of the nginx service:

    $ kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx
    

    Expose the service on port 80:

    $ kubectl expose --namespace=policy-demo deployment nginx --port=80
    

    Run an interactive session in a pod called access using the busybox image:

    $ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
    

    Once inside the container, type this command to verify access to the nginx server:

    / # wget -q nginx -O -
    

    This should respond with the raw HTML from nginx.

    To exit the interactive container session:

    / # exit
    
  4. Challenge

    Enable Isolation

    To download the yaml file:

    $ wget https://raw.github.com/linuxacademy/content-kubernetes-security-ac/master/default-deny.yaml
    

    To view the yaml file:

    $ more default-deny.yaml
    

    To create the policy:

    $ kubectl create -f default-deny.yaml
    
  5. Challenge

    Test Isolation

    To view that the nginx pods are running:

    $ kubectl --namespace=policy-demo get pods
    

    To run an interactive container to test access:

    $ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
    

    Within the access container, enter:

    / # wget -q --timeout=5 nginx -O -
    

    Note: The request should time out after 5 seconds.

    To exit the container shell:

    / # exit
    
  6. Challenge

    Allow Restricted Access Using a Network Policy

    To download the yaml file:

    $ wget https://raw.github.com/linuxacademy/content-kubernetes-security-ac/master/access-nginx.yaml
    

    To look at the file:

    $ more access-nginx.yaml
    

    To create the policy:

    $ kubectl create -f access-nginx.yaml
    
  7. Challenge

    Verify Access to nginx from the access Pod

    Run an interactive pod called access with an interactive shell:

    $ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
    

    Once inside the container session, test nginx access:

    / # wget -q --timeout=5 nginx -O -
    

    Note: Since we are in a pod named 'access', we should be able to reach the nginx service.

    To exit the container shell:

    / # exit
    
  8. Challenge

    Verify That Access to nginx Is Not Allowed from Another Pod

    Run a container shell in a pod called 'not-access':

    $ kubectl run --namespace=policy-demo not-access --rm -ti --image busybox /bin/sh
    

    Within the container attempt to access nginx:

    / # wget -q --timeout=5 nginx -O -
    

    Note: This command should time out after 5 seconds.

    To exit the container shell:

    / # exit
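
The two manifests the lab downloads are not reproduced on this page, so the following is an added example (not the lab's own default-deny.yaml or access-nginx.yaml) that constructs policies matching the behaviour described in challenges 4 to 8 and models the ingress decision Calico makes for them. It relies on one fact about the demo pods: `kubectl run <name>` labels the pod `run=<name>`, so the pod named nginx carries `run=nginx` and the access pod carries `run=access`. The policies select on those labels, not on pod names, which is the security-relevant point: a label is the authorization attribute here, so anyone allowed to create a pod with `run=access` in the namespace gets the same access, and the namespace's RBAC should be reviewed with that in mind. The evaluator covers only what these policies use (same-namespace podSelector rules, ingress only, no ports); it is a model of the semantics, not Calico's code.

```python
"""Model of the two NetworkPolicy objects this lab applies and of the
ingress decision a policy-enforcing CNI such as Calico makes for them.

Added example, not the lab's own manifests. The policies below are
constructed to match the lab's described behaviour: default deny for
every pod in policy-demo, then allow pods labelled run=access into pods
labelled run=nginx. The evaluator implements Kubernetes NetworkPolicy
semantics for ingress only (podSelector peers, no ports or namespaces).
"""
import json

NAMESPACE = "policy-demo"

# kubectl run <name> labels the pod run=<name>; both policies select on it.
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": NAMESPACE},
    # An empty podSelector selects every pod in the namespace. With no
    # ingress rules, a selected pod accepts nothing: the isolation step.
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

ACCESS_NGINX = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "access-nginx", "namespace": NAMESPACE},
    "spec": {
        "podSelector": {"matchLabels": {"run": "nginx"}},
        "policyTypes": ["Ingress"],
        # Only pods carrying run=access may reach the selected nginx pods.
        "ingress": [
            {"from": [{"podSelector": {"matchLabels": {"run": "access"}}}]}
        ],
    },
}


def selects(selector, labels):
    """True when a matchLabels selector matches a pod's labels.
    An empty selector ({} or no matchLabels) matches every pod."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def ingress_allowed(policies, dst_labels, src_labels):
    """Decide whether a pod with src_labels may open a connection to a
    pod with dst_labels in the same namespace under the given policies."""
    applicable = [
        p for p in policies
        if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selects(p["spec"]["podSelector"], dst_labels)
    ]
    if not applicable:
        return True  # no policy selects the destination: default allow
    for policy in applicable:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule without 'from' admits every source
            for peer in peers:
                if "podSelector" in peer and selects(peer["podSelector"], src_labels):
                    return True
    return False  # destination is selected and no rule admits this source


def to_manifest(policy):
    """JSON is valid YAML, so 'kubectl apply -f' accepts this output as-is."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    nginx = {"run": "nginx"}
    stages = [
        ("no policy", []),
        ("default-deny", [DEFAULT_DENY]),
        ("default-deny + access-nginx", [DEFAULT_DENY, ACCESS_NGINX]),
    ]
    # Mirrors the wget checks in challenges 3, 5, 7 and 8.
    for stage, policies in stages:
        for client in ("access", "not-access"):
            ok = ingress_allowed(policies, nginx, {"run": client})
            print(f"{stage:28s} from {client:11s} -> {'allowed' if ok else 'timeout'}")
    print(to_manifest(ACCESS_NGINX))
```

Two caveats the model makes visible. First, a NetworkPolicy object is accepted by the API server whether or not the cluster's CNI enforces it; the lab uses Calico precisely because it does, and on a cluster without a policy-enforcing CNI the default-deny step would apply cleanly and change nothing. Second, the `run=<name>` label is what ties the policy to the pods: the lab was written against a kubectl release in which `kubectl run` created a Deployment, while current releases create a single pod with the same label and have moved `--replicas` to `kubectl create deployment`; the policies behave identically in both cases because they only look at the label.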
    
  9. Challenge

    Delete the Namespace to Clean Up

    To delete the namespace, which terminates the running pods and removes the network policies created, enter:

    $ kubectl delete ns policy-demo
    

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!
