Automated-gke-cilium-networkpolicy-demo - Quickly provision and tear down a GKE cluster with Cilium enabled for working with Network Policy.

Automated GKE Network Policy Demo

Before running the automation, make sure the variables in env-automation/group_vars/all.yaml are set correctly. The all.yaml file explains each variable, and env-automation/README.md explains the variables that describe the GKE cluster.

Prerequisites

  • Install ansible
  • Install the kubernetes.core Ansible collection: ansible-galaxy collection install kubernetes.core
  • Install helm
  • Install kubectl
  • Have a GKE Project
  • Modify the env-automation/group_vars/all.yaml file.

Spin up GKE Cluster

This will spin up a GKE cluster with Cilium installed on the nodes.

ansible-playbook spin-up-env.yaml

Tear down GKE Cluster

This will tear down the cluster.

ansible-playbook tear-down-env.yaml

Network Policy Demo

Create two nginx pods, n1 and n2.

kubectl run n1 --image=nginx

kubectl run n2 --image=nginx

Verify that n1 can connect to n2

kubectl exec -it n1 -- curl --connect-timeout 3 $(kubectl get pod n2 -ojsonpath="{.status.podIP}") 

output

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Create a deny-all ingress network policy (the empty podSelector selects every pod in the current namespace, so all inbound pod traffic is dropped)

kubectl apply -f -<<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  policyTypes: ["Ingress"]
  podSelector: {}
EOF

Verify that the network policy worked and that n1 can no longer connect to n2

kubectl exec -it n1 -- curl --connect-timeout 3 $(kubectl get pod n2 -ojsonpath="{.status.podIP}") 

output

curl: (28) Connection timed out after 3001 milliseconds
command terminated with exit code 28

Create a Network Policy to allow n1 to talk to n2

kubectl apply -f -<<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: n2-policy
spec:
  policyTypes: ["Ingress"]
  podSelector:
    matchLabels:
      run: n2
  ingress:
    - from:
        - podSelector:
            matchLabels:
              run: n1
EOF

Verify that the network policy n2-policy worked and that n1 can connect to n2

kubectl exec -it n1 -- curl --connect-timeout 3 $(kubectl get pod n2 -ojsonpath="{.status.podIP}") 

output

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
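The two verification steps above rely on how Kubernetes NetworkPolicy ingress rules compose: a pod that no Ingress policy selects accepts everything, a pod that any such policy selects drops everything except traffic some selecting policy explicitly allows, and policies only ever add allowances. The following is an added example, not code from the demo repository, that models those semantics offline so the expected outcome of each kubectl exec check can be reasoned about (and extended to more pods) before touching the cluster. It assumes all pods live in one namespace and models only podSelector peers; namespaceSelector and ipBlock peers, and the third hypothetical pod n3, are constructed for illustration.

```python
# Added example (not part of the demo repository): a minimal offline model of
# Kubernetes NetworkPolicy ingress semantics for the two policies in the demo.
# Assumptions: all pods share one namespace, and only podSelector peers are
# modelled (namespaceSelector and ipBlock peers are ignored).

# The two manifests from the demo, transcribed as Python dicts.
DENY_ALL = {
    "metadata": {"name": "deny-all"},
    "spec": {"policyTypes": ["Ingress"], "podSelector": {}},
}

N2_POLICY = {
    "metadata": {"name": "n2-policy"},
    "spec": {
        "policyTypes": ["Ingress"],
        "podSelector": {"matchLabels": {"run": "n2"}},
        "ingress": [
            {"from": [{"podSelector": {"matchLabels": {"run": "n1"}}}]},
        ],
    },
}

# Labels that `kubectl run <name>` assigns: run=<name>. n3 is a constructed
# extra pod used to show that the allowance is specific to n1.
PODS = {"n1": {"run": "n1"}, "n2": {"run": "n2"}, "n3": {"run": "n3"}}


def selector_matches(selector, labels):
    """A label selector matches when every matchLabels pair is present.
    An empty selector ({}) matches every pod."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def policy_types(spec):
    """policyTypes defaults to ["Ingress"] when omitted from the spec."""
    return spec.get("policyTypes", ["Ingress"])


def ingress_allowed(policies, src_labels, dst_labels):
    """Return True if traffic from a pod with src_labels to a pod with
    dst_labels is admitted under the given policies.

    A destination selected by no Ingress policy accepts everything; once
    selected, only traffic matching some rule of some selecting policy gets
    through. Policies are additive: none of them can remove an allowance."""
    selecting = [
        p for p in policies
        if "Ingress" in policy_types(p["spec"])
        and selector_matches(p["spec"].get("podSelector", {}), dst_labels)
    ]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                # A rule with no 'from' admits traffic from every source.
                return True
            for peer in peers:
                pod_sel = peer.get("podSelector")
                if pod_sel is not None and selector_matches(pod_sel, src_labels):
                    return True
    return False


def connectivity_matrix(policies, pods=PODS):
    """Map (src, dst) -> allowed for every ordered pair of distinct pods."""
    return {
        (s, d): ingress_allowed(policies, pods[s], pods[d])
        for s in pods for d in pods if s != d
    }


if __name__ == "__main__":
    stages = [
        ("no policies", []),
        ("deny-all", [DENY_ALL]),
        ("deny-all + n2-policy", [DENY_ALL, N2_POLICY]),
    ]
    for name, policies in stages:
        print(name)
        for (s, d), ok in sorted(connectivity_matrix(policies).items()):
            print(f"  {s} -> {d}: {'allowed' if ok else 'blocked'}")
```

Running the script reproduces the three demo stages: everything allowed with no policy, everything blocked after deny-all, and after n2-policy only the n1 -> n2 edge open, while n2 -> n1 stays blocked because n1 is still covered by deny-all and nothing allows traffic into it. The same function is handy when deciding whether a new allow policy reopens more than intended, but it is a model, not a substitute for checking the live cluster.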

Cleanup Network Policy Demo

kubectl delete pod n1 --force --grace-period=0

kubectl delete pod n2 --force --grace-period=0

kubectl delete netpol --all