Calico and simple policy

16
Anirban Sen Chowdhary

Transcript of Calico and simple policy

Page 1: Calico and simple policy

Anirban Sen Chowdhary

Page 2: Calico and simple policy

“Project Calico is the world's simplest, most scalable, open networking solution for OpenStack”. 

Calico, a pure layer3 approach to Virtual Networking for highly scalable & flexible Data centers. It is a open-source technology, that  implements  large, standards-based cloud data center infrastructures 

Calico supports rich and flexible network policy that enforces on every node in a cluster, to provide tenant isolation, security groups, and external reachability constraints.

Page 3: Calico and simple policy

There is security layer into Calico that enables developers and operations staff to easily define with fine granularity which connections are allowed, and which are not. These rules implement and extend the Kubernetes Network Policy API.

Page 4: Calico and simple policy

There are basically 3 policy demo we can configure:* Simple Policy Demo * Stars Policy Demo * Advanced Policy Demo

Page 5: Calico and simple policy

We will discuss on the overview of Simple Policy Demo.Lastime, we discussed Star Policy here: https://www.slideshare.net/anir37/calico-and-stars-policy

Page 6: Calico and simple policy
Page 7: Calico and simple policy

It includes demo try out Kubernetes NetworkPolicy with Calico, as well as a client service for all running on Kubernetes.It requires a Kubernetes cluster configured with Calico networking, and expects that you have kubectl configured to interact with the cluster.

Page 8: Calico and simple policy

We need to install Kubernetes in the system which includes Network Policy API.We need to get the following thing:Calico

and then need to get into star-policy directory of Calico

Page 9: Calico and simple policy

1) We need to create some nginx pods in the policy-demo Namespace, and expose them through a Service.:

2) Also we need to ensure the nginx service is accessible:

Page 10: Calico and simple policy

Enable isolation:

Now this is the important part…. let’s turn on isolation in our policy-demo Namespace which will then prevent connections to pods in this Namespace.We will now run the command that creates a NetworkPolicy which implements a default deny behavior for all pods in the policy-demo Namespace.

Page 11: Calico and simple policy

Allow Access using a NetworkPolicy :

Now, let’s enable access to the nginx Service using a NetworkPolicy. This will allow incoming connections from our access Pod, but not from anywhere else.We need to now create a network policy access-nginx with the following contents:

Page 12: Calico and simple policy

That’s it! We should now be able to access the Service from the access Pod.

Page 13: Calico and simple policy

We can remove the policy using following:

As you can see, this is just a simple example of the Kubernetes NetworkPolicy API and how Calico can secure your Kubernetes cluster.

Page 14: Calico and simple policy

In next slides, we will discuss the overview on other policy demo.

Lets share our knowledge and effort on community so that the Calico community grows.

Page 15: Calico and simple policy

For more information visit

https://www.projectcalico.org/

https://docs.projectcalico.org/v2.6/introduction/

https://blog.tigera.io/tagged/calico

Page 16: Calico and simple policy