Configuring network policies
In this tutorial we are going to deploy a multi-tier web application called guestbook, register its 3 K8s services in Otomi and configure public access to the frontend service. Next, we will turn on the Network policies option for the team.
- Install the Guestbook application resources:
kubectl apply -f https://raw.githubusercontent.com/redkubes/workshops/main/04-netpols/guestbook.yaml -n team-$TEAM-NAME
- Get the names of the created ClusterIP services:
kubectl get svc -n team-$TEAM-NAME
You will see 3 services:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
frontend ClusterIP 10.0.183.235 <none> 80/TCP 6m44s
redis-follower ClusterIP 10.0.135.61 <none> 6379/TCP 6m44s
redis-leader ClusterIP 10.0.82.226 <none> 6379/TCP 6m44s
Go to Otomi Console. Make sure you have selected your team in the top bar and then click the Services item under your team in the side menu.
We will now first add the created frontend service to Otomi. Click the option to create a new service. Fill in the name, select Ingress as the exposure and leave all other settings under exposure default. Leave all other settings default and click submit.
After the changes have been deployed (this will take a couple of minutes), you will see that the service we just created has a host name. Click on the host name to open the guestbook frontend. Submit a few messages in the application.
- Register the redis-follower and redis-leader services via the Otomi Console. Make sure to provide the correct port (6379), leave all other settings default (so no exposure) and submit. You don't need to Deploy Changes after every submit.
When you create a service in Otomi with ingress set to Cluster, the K8s service is added to the service mesh in Otomi. When you create services in Otomi, the Istio Gateway is configured automatically and Istio virtual services are created automatically as well.
Notice that the guestbook frontend still works!
In Otomi Console, go to your team and open its settings. Under Network policy, enable Network policies and submit.
Now go to the Guestbook application and notice that your messages have disappeared and you can't submit new messages. This is because traffic between the frontend and the redis-follower services is no longer permitted.
Let's fix this. In the Otomi Console, open the redis-leader service, go to Network policies, select Allow selected and click add item. Add the following 2 items and submit:
| Team name | Service name |
|-----------|--------------|
Before deploying changes, go to the redis-follower service and do the same, but in this case only allow the frontend service:
| Team name | Service name |
|-----------|--------------|
After deploying the changes, notice that the Guestbook app works again.
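The rules this tutorial configures through the console, written out as plain Kubernetes NetworkPolicy objects so the default-deny plus per-service allow pattern is visible. This is an added illustration, not the manifest Otomi itself generates; the pod labels are assumed to match the upstream guestbook manifest and team-TEAM-NAME is a placeholder for your team namespace.

```yaml
# Added illustration, not Otomi's own generated manifest: the intent of this
# tutorial written as plain Kubernetes NetworkPolicy objects. Pod labels are
# assumed to match the upstream guestbook manifest; TEAM-NAME is a placeholder.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: team-TEAM-NAME
spec:
  podSelector: {}            # selects every pod in the team namespace
  policyTypes: ["Ingress"]   # no ingress rules listed, so all inbound is denied
---
# redis-leader accepts 6379/TCP from the frontend and from redis-follower only
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-redis-leader
  namespace: team-TEAM-NAME
spec:
  podSelector:
    matchLabels: {app: redis, role: leader}
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels: {app: guestbook, tier: frontend}
    - podSelector:
        matchLabels: {app: redis, role: follower}
    ports:
    - {protocol: TCP, port: 6379}
---
# redis-follower accepts 6379/TCP from the frontend only
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-redis-follower
  namespace: team-TEAM-NAME
spec:
  podSelector:
    matchLabels: {app: redis, role: follower}
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels: {app: guestbook, tier: frontend}
    ports:
    - {protocol: TCP, port: 6379}
```

The default-deny policy also blocks the mesh ingress gateway, so a real deployment additionally needs a rule admitting the gateway's namespace to the frontend pods; that rule is omitted here. Check what is in effect with `kubectl describe networkpolicy -n team-TEAM-NAME`.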