Configuring network policies
In some cases you want to explicitly allow access to your application. This can be done by creating network policies. Otomi supports 2 types of network policies:
- Policies for ingress traffic inside the cluster
- Policies for egress traffic to go outside of the cluster (to access external FQDNs)
Understanding Internal Ingress Network Policies
The internal ingress network policies allow you to:
- Deny all traffic to Pods (default mode)
- Allow selected Workload Pods running on the cluster to access your Workload's Pods
- Allow all traffic to the Pods of a Workload
Deny all and Allow all we don't need to explain right?
The Ingress Network Policies in Otomi rely on Pod labels. We require that a single label covers Pods for a given workload. We recommend to use the otomi.io/app: <workload-name> label.
To allow other Workloads in the cluster to access your Workload's Pods, follow these steps:
- Navigate to the
Network Policiespage in the Otomi Console and clickCreate Netpol. - Name the network policy and select the
ingressrule type. - Add the selector label name and value for the Workload Pods to be accessed. E.g.: use the
otomi.io/applabel. - Select either
AllowAllorAllowOnlymode. - If you select
AllowOnly, specify the namespace (e.g.,team-labs), and the selector label name and value for the Workload Pods to be accessed. - Add more rules if needed.
Understanding Egress Network Policies
The egress network policies allow you to:
- Deny all traffic from the Pods of a Workload (default)
- Allow all Pods within a namespace to access external FQDNs or IPs through an egress rule.
To allow your Workload's Pods to access external FQDNs or IPs, follow these steps:
- Navigate to the
Network Policiespage in the Otomi Console and clickCreate Netpol. - Name the network policy and select the
egressrule type. - Add the FQDN or IP to be accessed.
- Add port number(s) and protocol if needed.
The egress rules are namespace wide. You cannot bind egress policy to a given workload only.
Setting Up Network Policies for the Example Voting App: An Ingress Example
Build Images for the Application
Build the Vote, Worker and Result images from this repo.
Use the Build feature in Otomi to build the images with mode: Docker. Set the path to ./vote/Dockerfile for the Vote image (and ./worker/Dockerfile for the Worker and ./result/Dockerfile for Result).
Create a Redis Cluster and a PostgreSQL Database
Use the postgresql and the redis charts from the Catalog to create a Redis master-replica cluster and a PostgreSQL database. For this lab, Redis authentication needs to be turned off by setting auth.enabled=false.
Deploy the Vote App
Use the k8s-deployment chart to deploy the vote app. Use the following values:
Name: vote
containerPorts:
- name: http
containerPort: 80
protocol: TCP
env:
- name: REDIS_HOST
value: <redis-cluster-name>-master
Deploy the Worker App
Use the k8s-deployment chart to deploy the worker app. Use the following values:
Name: worker
containerPorts:
- name: http
containerPort: 80
protocol: TCP
env:
- name: DATABASE_USER
valueFrom:
secretKeyRef:
name: <psql-cluster-name>-superuser
key: username
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: <psql-cluster-name>-superuser
key: password
- name: REDIS_HOST
value: <redis-cluster-name>-master
- name: DATABASE_HOST
value: <psql-cluster-name>-rw
Deploy the Result App
Use the k8s-deployment chart to deploy the result app. Use the following values:
Name: result
containerPorts:
- name: http
containerPort: 80
protocol: TCP
env:
- name: DATABASE_USER
valueFrom:
secretKeyRef:
name: <psql-cluster-name>-superuser
key: username
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: <psql-cluster-name>-superuser
key: password
- name: DATABASE_HOST
value: <psql-cluster-name>-rw
Register the Services for Exposure
Postgres Database
- Register the
<workload-name>-rwPostgresql service. - Set exposure to
Private(default).
Redis
- Register the
<workload-name>-masterRedis service. - Set exposure to
Private(default).
Vote
- Register the
voteservice. - Set exposure to
External.
Result
- Register the
<result>service. - Set exposure to
External.
Register the Network Policies for the Example Voting App
Postgres Database
- Create a new
Netpoland select theingressrule type. - Add the selector label name
otomi.io/app. - Add the selector label value
<postgres-workload-name>. - Select
AllowOnly. - Add the namespace
<team-name>, the selector label nameotomi.io/appand the selector label value<worker>. - Add the namespace
<team-name>, the selector label nameotomi.io/appand the selector label value<result>.
Redis
- Create a new
Netpoland select theingressrule type. - Add the selector label name
otomi.io/app. - Add the selector label value
<redis-workload-name>. - Select
AllowOnly. - Add the namespace
<team-name>, the selector label nameotomi.io/appand the selector label value<worker>. - Add the namespace
<team-name>, the selector label nameotomi.io/appand the selector label value<vote>.
Test the Voting App
- Go to the external URL of the
voteapplication. - Click on
CatsorDogs. - Now go to the external URL of the
resultapplication. - You should see the result of your vote.
Setting Up Network Policies for Otomi.io: An Egress Example
Register the Network Policy for Otomi.io
- Navigate to the
Network Policiespage in the Otomi Console and clickCreate Netpol. - Name the network policy
otomiand select theegressrule type. - Add the FQDN
otomi.ioto be accessed. - Add port number
443and protocolHTTPS.
Deploy Netshoot Pod
- Deploy a Netshoot pod in your namespace within your Kubernetes cluster.
- You can do this using kubectl command:
kubectl run -i --tty --rm netshoot --image nicolaka/netshoot -n team-labs
The Netshoot pod is a network troubleshooting tool that includes a lot of network tools like curl, dig, nslookup, ping, traceroute, etc.
Test the Egress Network Policy
- Run the following command in the Netshoot pod:
curl https://otomi.io - You should see the HTML of the Otomi.io website.
- Run the following command to see the
<h1>Build, Deploy and Run applications at scale</h1>message:curl https://otomi.io | grep -o '<h1>.*</h1>' - Type
exitto exit the Netshoot pod. - When you exit the Netshoot pod, it will be removed from the cluster.