Network Policy Demo

Official documentation: About network policy

I presented this demo at the Next Generation Datacenter webinar; here is the recording (in German)

Environment

(image: demo overview)

Deploy Environment

oc apply -k https://github.com/openshift-examples/network-policy-demo.git/deployment/

Optional: Deploy OpenShift Console samples

(screenshot: OpenShift Console)

oc apply -f https://examples.openshift.pub/networking/network-policy/network-policy-demo/console-samples.yaml
kind: ConsoleYAMLSample
apiVersion: console.openshift.io/v1
metadata:
  name: netpol-demo-simpon-default-deny
spec:
  targetResource:
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
  description: |
      Default deny Network Policy
  title: Simpson Demo - Default deny
  yaml: |
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: default-deny
    spec:
      podSelector: {}
      policyTypes:
      - Ingress
---
kind: ConsoleYAMLSample
apiVersion: console.openshift.io/v1
metadata:
  name: netpol-demo-simpon-allow-from-openshift-ingress
spec:
  targetResource:
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
  description: |
      Allow from ingress
  title: Simpson Demo - Allow from ingress
  yaml: |
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-from-openshift-ingress
    spec:
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
      podSelector: {}
      policyTypes:
      - Ingress
---
kind: ConsoleYAMLSample
apiVersion: console.openshift.io/v1
metadata:
  name: netpol-demo-simpon-allow-same-namespace
spec:
  targetResource:
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
  description: |
      Allow same namespace
  title: Simpson Demo - Allow same namespace
  yaml: |
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: allow-same-namespace
    spec:
      podSelector: {}
      ingress:
      - from:
        - podSelector: {}
      policyTypes:
      - Ingress
---
kind: ConsoleYAMLSample
apiVersion: console.openshift.io/v1
metadata:
  name: netpol-demo-simpon-allow-from-burns
spec:
  targetResource:
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
  description: |
      Allow from Burns
  title: Simpson Demo - Allow from Burns
  yaml: |
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-from-burns
    spec:
      podSelector: {}
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: burns
      policyTypes:
      - Ingress

Start Monitor

Option 1) Local tmux script

curl -L -O https://examples.openshift.pub/networking/network-policy/network-policy-demo/run-tmux.sh

# Get the OpenShift wildcard domain from the default IngressController:
WILDCARD_DOMAIN=$( oc get ingresscontroller/default -n openshift-ingress-operator -o jsonpath="{.status.domain}" )

# Start tmux (quoted so an empty or unusual domain does not break the argument list)
sh run-tmux.sh "$WILDCARD_DOMAIN"

(screenshot: tmux)

Option 2) via Pod

oc apply -k https://github.com/openshift-examples/network-policy-demo.git/deployment/monitor/

Watch logs:

oc logs --tail=1 -f deployment/monitor -n network-policy-demo-monitor

Step 1) Default deny

oc apply -f https://examples.openshift.pub/networking/network-policy/network-policy-demo/01_default-deny-simpson.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny
  namespace: simpson
spec:
  podSelector: {}
  policyTypes:
  - Ingress

(screenshot: 01_default-deny-simpson.png)

Step 2) Allow ingress

oc apply -f https://examples.openshift.pub/networking/network-policy/network-policy-demo/02_allow-from-openshift-ingress-simpson.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
  namespace: simpson
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
  podSelector: {}
  policyTypes:
  - Ingress

(screenshot: 02_allow-from-openshift-ingress-simpson.png)

Step 3) Allow same namespace

oc apply -f https://examples.openshift.pub/networking/network-policy/network-policy-demo/03_allow-same-namespace-simpson.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-same-namespace
  namespace: simpson
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
  policyTypes:
  - Ingress

(screenshot: 03_allow-same-namespace-simpson.png)

Step 4) Allow from Bouviers to Marge Simpson

oc apply -f https://examples.openshift.pub/networking/network-policy/network-policy-demo/04_allow-from-bouviers-to-marge-simpson.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-bouviers-to-marge
  namespace: simpson
spec:
  podSelector:
    matchLabels:
      deployment: marge
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: bouvier
  policyTypes:
  - Ingress

(screenshot: 04_allow-from-bouviers-to-marge-simpson.png)

Step 5) Allow from Burns to Simpson

oc apply -f https://examples.openshift.pub/networking/network-policy/network-policy-demo/05_allow-from-burns-simpson.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-burns
  namespace: simpson
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: burns
  policyTypes:
  - Ingress

(screenshot: 05_allow-from-burns-simpson.png)
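The five policies above are applied cumulatively, and the rule that explains each screenshot is the NetworkPolicy evaluation model: a pod that no policy selects accepts all traffic, policies are additive (each new object can only open traffic, never close it), and a `podSelector` peer without a `namespaceSelector` never reaches across namespaces, which is why Step 3 does nothing for the Bouviers and Step 4 opens only Marge. The script below is an added example, not part of the demo repository: it transcribes the page's five policies into Python and evaluates them against a constructed cluster model (the namespaces simpson, bouvier, burns and openshift-ingress, the pods marge, homer, selma, monty and a router pod, and their `deployment` labels are all assumptions) so the effect of each step can be checked without a cluster.

```python
"""Offline model of the demo's five NetworkPolicy objects (added example).

The policies are transcribed from the page's 01_ to 05_ YAML files; the
namespaces, pod names and labels are constructed for this example. The
evaluation follows the NetworkPolicy API: a pod with no selecting policy
accepts everything, policies are additive, and a bare podSelector peer is
scoped to the policy's own namespace.
"""

# Constructed cluster model. kubernetes.io/metadata.name is set on every
# namespace automatically by Kubernetes 1.21+ (OpenShift 4.8+), which is
# what Steps 4 and 5 rely on; OpenShift sets the policy-group label on
# the openshift-ingress namespace.
NAMESPACES = {
    "simpson": {"kubernetes.io/metadata.name": "simpson"},
    "bouvier": {"kubernetes.io/metadata.name": "bouvier"},
    "burns": {"kubernetes.io/metadata.name": "burns"},
    "openshift-ingress": {
        "kubernetes.io/metadata.name": "openshift-ingress",
        "network.openshift.io/policy-group": "ingress",
    },
}
# pod name -> (namespace, labels); pod names and labels are assumptions
PODS = {
    "marge": ("simpson", {"deployment": "marge"}),
    "homer": ("simpson", {"deployment": "homer"}),
    "selma": ("bouvier", {"deployment": "selma"}),
    "monty": ("burns", {"deployment": "monty"}),
    "router": ("openshift-ingress", {"deployment": "router"}),
}


def ns_peer(name):
    """Ingress peer selecting a whole namespace by its metadata.name label."""
    return {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": name}}}


# Transcribed from the page's YAML, in the order the steps apply them.
STEPS = [
    {"name": "default-deny", "namespace": "simpson",
     "podSelector": {}, "policyTypes": ["Ingress"]},
    {"name": "allow-from-openshift-ingress", "namespace": "simpson",
     "podSelector": {}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"namespaceSelector": {"matchLabels":
                  {"network.openshift.io/policy-group": "ingress"}}}]}]},
    {"name": "allow-same-namespace", "namespace": "simpson",
     "podSelector": {}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"podSelector": {}}]}]},
    {"name": "allow-from-bouviers-to-marge", "namespace": "simpson",
     "podSelector": {"matchLabels": {"deployment": "marge"}}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [ns_peer("bouvier")]}]},
    {"name": "allow-from-burns", "namespace": "simpson",
     "podSelector": {}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [ns_peer("burns")]}]},
]


def selector_matches(selector, labels):
    """matchLabels subset of the label-selector API; {} matches everything.
    matchExpressions is not used by the demo and is not modelled."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src_ns, src_labels, policy_ns):
    """Does one entry of an ingress 'from' list admit the source pod?"""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None and not selector_matches(ns_sel, NAMESPACES[src_ns]):
        return False
    if pod_sel is not None:
        # A podSelector without a namespaceSelector only matches pods in the
        # policy's own namespace; combined with one it spans namespaces.
        if ns_sel is None and src_ns != policy_ns:
            return False
        return selector_matches(pod_sel, src_labels)
    return ns_sel is not None  # ipBlock peers are not used by the demo


def ingress_allowed(policies, src, dst):
    """Union semantics: if no policy selects dst, everything is allowed;
    otherwise some rule of some selecting policy must admit src.
    Ports are ignored because none of the demo policies restrict them."""
    src_ns, src_labels = PODS[src]
    dst_ns, dst_labels = PODS[dst]
    selecting = [p for p in policies
                 if p["namespace"] == dst_ns and "Ingress" in p["policyTypes"]
                 and selector_matches(p["podSelector"], dst_labels)]
    if not selecting:
        return True
    for p in selecting:
        for rule in p.get("ingress", []):
            if not rule.get("from"):  # empty or missing 'from' admits any source
                return True
            if any(peer_matches(peer, src_ns, src_labels, p["namespace"])
                   for peer in rule["from"]):
                return True
    return False


def allowed_into_simpson(step):
    """Sorted 'src->dst' pairs that can reach a simpson pod after `step` policies."""
    return sorted(f"{s}->{d}" for s in PODS for d in PODS
                  if s != d and PODS[d][0] == "simpson"
                  and ingress_allowed(STEPS[:step], s, d))


if __name__ == "__main__":
    for step in range(len(STEPS) + 1):
        print(f"after step {step}: {allowed_into_simpson(step)}")
```

Running it prints the reachable pairs after each step, which should line up with the monitor output from the demo: nothing reaches simpson after Step 1, only the router after Step 2, the simpson pods among themselves after Step 3, Selma to Marge (but not to Homer) after Step 4, and everything from burns after Step 5. Traffic in the other direction, from simpson into bouvier, stays open throughout because no policy selects any pod there.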


Last update: October 21, 2022