old-vK8s-Network-Policy

Objective

This document provides instructions on how to configure and apply a network policy for traffic to/from virtual K8s (vK8s) Pods using policy rules and policy sets. To know more about the network policy, see Volterra Network Policy.

Using the instructions provided in this document, you can create network policies with policy rules controlling the traffic to secure the applications in your namespace.


Prerequisites


Configuration

The following image shows the configuration workflow for a policy rule, a policy, and a policy set:

Figure: Creating a Network Policy

Configuration Sequence

Configuring a network policy requires you to perform the following sequence of actions:

Phase                       Description
Create Network Policy Rule  Create a policy rule to use in the policy.
Create Network Policy       Create a policy with the policy rule.
Create Network Policy Set   Create a policy set with the policy created.

Create Network Policy Rule

Step 1: Select or create the desired namespace. Select Security from the configuration menu and vK8s Network Policy from the options pane.

Note: You can create a network policy in the shared or application namespace.

Figure: Navigating to a Namespace

Figure: Navigating to Network Policies

Step 2: Select Network Policy Rules and click Add network policy rule.

Enter the policy rule configuration parameters as per the following guidelines:

  • Name: Name of the network policy rule.
  • Remote endpoint: The remote endpoint can be one of the following types:

    • A prefix, as defined for the local endpoint
    • A prefix selector, as defined for the local endpoint
    • A prefix set (a set of prefixes, i.e., a whitelist or a blacklist)
  • Action: The supported actions are 'allow' and 'deny'.
  • Protocol: Protocols such as TCP, UDP, etc.

Figure: Creating a Network Policy Rule


Create Network Policy

Step 1: Select Network Policies under vK8s Network Policy and click Add network policy.

Enter the policy configuration parameters as per the following guidelines:

  • Name: Name of the network policy.
  • Local endpoint: The local endpoint of the network policy can be one of the following types:

    • Prefix: An IP prefix written in the form <ip address>/<prefix length>. Example prefixes are 10.1.2.3/32 and 10.1.2.0/24.
    • Prefix_selector: A label expression. If the labels of an IP address match the label expression, that IP address is considered a local endpoint.
  • Ingress rules: Relative to the local endpoint, these rules apply to all sessions and traffic received by the local endpoint(s) from the remote endpoint(s).

Note: If no rule is configured for ingress, the default action is to drop the ingress traffic.

  • Egress rules: Relative to the local endpoint, these rules apply to all sessions and traffic sent by the local endpoint(s) to the remote endpoint(s).

Figure: Creating a Network Policy


Create Network Policy Set

Step 1: Select Network Policy set under vK8s Network Policy and click Add network policy set.

Enter the policy set configuration parameters as per the following guidelines:

  • Name: Name of the network policy set.
  • Policies: Select the network policy created above.

Figure: Creating a Network Policy Set


Example: Allow Only Authorized DNS Servers

This example creates a network policy to block all outbound DNS queries in namespace "hello-webapp" except for the selected authoritative servers.

Step 1: Create the following two network policy rules:

  • Policy rule 'allow-google-dns', allowing all DNS queries (UDP/53) to 8.8.8.8/32.
  • Policy rule 'block-all-dns', denying all DNS queries (UDP/53) to 0.0.0.0/0.

Figure: Network Policy Rule allow-google-dns

Figure: Network Policy Rule block-all-dns

Step 2: Create a network policy and add the policy rules created in Step 1 to ensure an explicit deny first, followed by allowing all traffic.

Figure: Network Policy block-outbound-dns

Step 3: Create a network policy set by selecting the policy created in Step 2.

Figure: Network Policy Set np-set-block-outbound-dns-except-for-google
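To see how the two rules of this example combine for a given flow, the following added Python model (not part of the Volterra product or of this page) evaluates an ordered list of egress rules. It assumes first-match semantics, that a flow matching no rule is dropped (the page states this default for ingress), and that each rule carries the protocol and port shown in the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PolicyRule:
    """One network policy rule as described on the page (hypothetical model)."""
    name: str
    remote_prefix: str          # remote endpoint given as an IP prefix
    action: str                 # "allow" or "deny"
    protocol: str               # "UDP", "TCP", ...
    port: Optional[int] = None  # None means any port


@dataclass(frozen=True)
class Flow:
    """A single egress flow from a local endpoint (constructed for the example)."""
    remote_ip: str
    protocol: str
    port: int


def rule_matches(rule: PolicyRule, flow: Flow) -> bool:
    """True when the flow's protocol, port and destination fall inside the rule."""
    if rule.protocol.upper() != flow.protocol.upper():
        return False
    if rule.port is not None and rule.port != flow.port:
        return False
    network = ipaddress.ip_network(rule.remote_prefix, strict=False)
    return ipaddress.ip_address(flow.remote_ip) in network


def evaluate(rules: List[PolicyRule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; deny when none match (assumed default)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default"


# Rules constructed from the page's example: allow UDP/53 to 8.8.8.8/32, deny UDP/53 to 0.0.0.0/0.
ALLOW_GOOGLE_DNS = PolicyRule("allow-google-dns", "8.8.8.8/32", "allow", "UDP", 53)
BLOCK_ALL_DNS = PolicyRule("block-all-dns", "0.0.0.0/0", "deny", "UDP", 53)
BLOCK_OUTBOUND_DNS = [ALLOW_GOOGLE_DNS, BLOCK_ALL_DNS]

if __name__ == "__main__":
    for f in (Flow("8.8.8.8", "UDP", 53), Flow("1.1.1.1", "UDP", 53), Flow("10.0.0.5", "TCP", 443)):
        print(f, "->", evaluate(BLOCK_OUTBOUND_DNS, f))
    # Reversing the order puts the deny-all rule first, so even 8.8.8.8 is blocked.
    print("reversed ->", evaluate(list(reversed(BLOCK_OUTBOUND_DNS)), Flow("8.8.8.8", "UDP", 53)))
```

Running the reversed case shows why the order in which rules are added to the policy matters under first-match evaluation.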


Concepts


API References