Network Policy Implementation

This directory demonstrates how to implement default deny-all network rules in a Kubernetes cluster. This is achieved using Calico’s GlobalNetworkPolicy and the Kubernetes NetworkPolicy objects. It operates based on labels attached to namespaces.

Creating rules that allow traffic is done by adding Kubernetes NetworkPolicy objects to the namespace. These objects are portable across CNI plugins that enforce Kubernetes NetworkPolicy. Calico supports mixing Calico-specific policies with Kubernetes policy. This is not true for all CNI plugins such as Cilium. Calico-specific policies honor an order attribute for specifying precedence of policy evaluation. Lower values take precedence. Kubernetes policy does not support order, as it only supports additive allow rules. Under the hood, Calico sets Kubernetes policy to an order of 100. Thus, Calico policies must have their order set above 100.

To allow the blocked traffic in the above diagram, a NetworkPolicy such as the following would be applied.

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tomcat-netpol
  namespace: team-a
spec:
  policyTypes:
    - Ingress
    - Egress
  podSelector:
    matchLabels:
      app: tomcat
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress
        - podSelector:
            matchLabels:
              app: nginx
      ports:
        - protocol: TCP
          port: 80
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: team-a
        - podSelector:
            matchLabels:
              app: mysql
      ports:
        - protocol: TCP
          port: 3306

Note: this policy, unlike GlobalNetworkPolicy, is scoped within namespace and owned by team-a.

Namespace Ownership

This design assumes administrative ownership of namespaces. In most multi-tenant environments, namespaces are provisioned for teams. This allows limits, quotas, and other sensible defaults to be configured by administrators or programmatically with automation.

Alternative Designs

a. Use only Kubernetes NetworkPolicy

This approach is portable between multiple CNI Plugins. However, it requires creating a default deny-all network policy and adding it to every namespace that gets created. Should you need to modify how default-deny all works in your cluster and your cluster hosts 500 namespaces, you now have 500 locations to update the policy. Additionally, Calico’s GlobalNetworkPolicy is far more capable than Kubernetes NetworkPolicy.

b. Other CNI Plugins

Since Calico is used by the majority of our customers and recommended in our Validated Designs, Calico is used here. Should a customer desire using a different CNI plugin, similar mechanic may be available. Do note that some plugins do not allow you to mix their CRDs with Kubernetes NetworkPolicy objects.

Deploying and Testing

This section walks you through step-by-step applying of network policies in a running cluster. Each section has a diagram demonstrating how ingress and egress traffic will behave once you complete the section. There are validation steps throughout where you will make requests to ensure policy is blocked or allowed.

This section assumes you have a Kubernetes cluster running Calico 3.2+.

Environment Setup

Start by creating the resources and network paths shown in the diagram below. For now, all traffic will be allowed.

Allow All Traffic

Download calicoctl.

curl -O -L  https://github.com/projectcalico/calicoctl/releases/download/v3.5.1/calicoctl &&\
  chmod +x calicoctl &&\
  sudo mv calicoctl /usr/local/bin

Configure calicoctl.
```
export DATASTORE_TYPE=kubernetes
export KUBECONFIG=~/.kube/config
calicoctl get node
```
```
NAME
ip-10-192-192-10
ip-10-192-192-4
ip-10-192-192-8
```
This assumes Calico is installed in Kubernetes API datastore mode. If it is installed in etcd datastore mode, see https://docs.projectcalico.org/getting-started/clis/calicoctl/configure/etcd

Create the following GlobalNetworkPolicy

# deny-all.yaml

# This GlobalNetworkPolicy uses Calico's CRD
# (https://docs.projectcalico.org/v3.5/reference/calicoctl/resources/globalnetworkpolicy) to
# disable all traffic on namespace containing the label: value of netpol_deny_all: true. The only
# exception is UDP (port 53) traffic, which is allowed.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: global-deny-all
spec:
  # order controls the precedence. Calico applies the policy with the lowest value first.
  # Kubernetes NetworkPolicy do not support order. They are automatically converted to an order
  # value of 1000 by Calico. Setting this value to 2000, provides flexibility for 999 additional
  # GlobalNetworkPolicies to be added and ensures Kubernetes namespace-scoped policies always take
  # precedence.
  order: 2000

  # types describes the direction of traffic this policy impacts. In this case, Ingress and Egress.
  types:
  - Ingress
  - Egress

  # egress network rules
  egress:
  # Allow all egress traffic when the netpol_deny_all label is not present.
  - action: Allow
	destination: {}
	source:
   namespaceSelector: '!has(netpol_deny_all)'

  # Allow all egress traffic when the netpol_deny_all label has value 'disabled'.
  - action: Allow
	destination: {}
	source:
   namespaceSelector: netpol_deny_all == 'disabled'

  # Allow egress DNS traffic to any destination. This assumes DNS traffic will be over UDP and
  # never TCP.
  - action: Allow
	protocol: UDP
	source:
   namespaceSelector: netpol_deny_all == 'enabled'
	destination:
   nets:
     - 0.0.0.0/0
   ports:
     - 53

  # ingress network rules
  ingress:
  # Allow all ingress traffic when the netpol_deny_all label is not present.
  - action: Allow
	destination:
   namespaceSelector: '!has(netpol_deny_all)'
	source: {}

  # Allow all ingress traffic when the netpol_deny_all label has value 'enabled'.
  - action: Allow
	destination:
   namespaceSelector: netpol_deny_all == 'disabled'
	source: {}

Apply the GlobalNetworkPolicy
```
calicoctl apply -f deny-all.yaml
```
This applies the default deny-all policy described in the design section. It will have no impact initially as namespaces are not properly labeled.

Create namespaces ingress and team-a.

kubectl create ns ingress
kubectl create ns team-a

Create a Contour manifest

# contour.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: contour
  namespace: ingress
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.contour.heptio.com
  labels:
	component: ingressroute
spec:
  group: contour.heptio.com
  version: v1beta1
  scope: Namespaced
  names:
	plural: ingressroutes
	kind: IngressRoute
  additionalPrinterColumns:
	- name: FQDN
   type: string
   description: Fully qualified domain name
   JSONPath: .spec.virtualhost.fqdn
	- name: TLS Secret
   type: string
   description: Secret with TLS credentials
   JSONPath: .spec.virtualhost.tls.secretName
	- name: First route
   type: string
   description: First routes defined
   JSONPath: .spec.routes[0].match
	- name: Status
   type: string
   description: The current status of the IngressRoute
   JSONPath: .status.currentStatus
	- name: Status Description
   type: string
   description: Description of the current status
   JSONPath: .status.description
  validation:
	openAPIV3Schema:
   properties:
     spec:
       properties:
         virtualhost:
           properties:
             fqdn:
               type: string
               pattern: ^([a-zA-Z0-9]+(-[a-zA-Z0-9]+)*\.)+[a-z0-9]{2,}$
             tls:
               properties:
                 secretName:
                   type: string
                   pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ # DNS-1123 subdomain
                 minimumProtocolVersion:
                   type: string
                   enum:
                     - "1.3"
                     - "1.2"
                     - "1.1"
         strategy:
           type: string
           enum:
             - RoundRobin
             - WeightedLeastRequest
             - Random
             - RingHash
             - Maglev
         healthCheck:
           type: object
           required:
             - path
           properties:
             path:
               type: string
               pattern: ^\/.*$
             intervalSeconds:
               type: integer
             timeoutSeconds:
               type: integer
             unhealthyThresholdCount:
               type: integer
             healthyThresholdCount:
               type: integer
         routes:
           type: array
           items:
             required:
               - match
             properties:
               match:
                 type: string
                 pattern: ^\/.*$
               delegate:
                 type: object
                 required:
                   - name
                 properties:
                   name:
                     type: string
                     pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ # DNS-1123 subdomain
                   namespace:
                     type: string
                     pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ # DNS-1123 label
               services:
                 type: array
                 items:
                   type: object
                   required:
                     - name
                     - port
                   properties:
                     name:
                       type: string
                       pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$ # DNS-1035 label
                     port:
                       type: integer
                     weight:
                       type: integer
                     strategy:
                       type: string
                       enum:
                         - RoundRobin
                         - WeightedLeastRequest
                         - Random
                         - RingHash
                         - Maglev
                     healthCheck:
                       type: object
                       required:
                         - path
                       properties:
                         path:
                           type: string
                           pattern: ^\/.*$
                         intervalSeconds:
                           type: integer
                         timeoutSeconds:
                           type: integer
                         unhealthyThresholdCount:
                           type: integer
                         healthyThresholdCount:
                           type: integer
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
	app: contour
  name: contour
  namespace: ingress
spec:
  selector:
	matchLabels:
   app: contour
  template:
	metadata:
   labels:
     app: contour
   annotations:
     prometheus.io/scrape: "true"
     prometheus.io/port: "8002"
     prometheus.io/path: "/stats"
     prometheus.io/format: "prometheus"
	spec:
   containers:
   - image: gcr.io/heptio-images/contour:master
     imagePullPolicy: Always
     name: contour
     command: ["contour"]
     args:
     - serve
     - --incluster
     - --envoy-external-http-port=8080
     - --envoy-external-https-port=8443
     - --envoy-service-http-port=8080
     - --envoy-service-https-port=8443
   - image: docker.io/envoyproxy/envoy-alpine:v1.9.0
     name: envoy
     ports:
     - containerPort: 8080
       name: http
       hostPort: 8080
     - containerPort: 8443
       name: https
       hostPort: 8443
     command: ["envoy"]
     args:
     - --config-path /config/contour.yaml
     - --service-cluster cluster0
     - --service-node node0
     - --log-level info
     - --v2-config-only
     readinessProbe:
       httpGet:
         path: /healthz
         port: 8002
       initialDelaySeconds: 3
       periodSeconds: 3
     volumeMounts:
     - name: contour-config
       mountPath: /config
     lifecycle:
       preStop:
         exec:
           command: ["wget", "-qO-", "http://localhost:9001/healthcheck/fail"]
   initContainers:
   - image: gcr.io/heptio-images/contour:master
     imagePullPolicy: Always
     name: envoy-initconfig
     command: ["contour"]
     args:
     - bootstrap
     # Uncomment the statsd-enable to enable statsd metrics
     #- --statsd-enable
     # Uncomment to set a custom stats emission address and port
     #- --stats-address=0.0.0.0
     #- --stats-port=8002
     - /config/contour.yaml
     volumeMounts:
     - name: contour-config
       mountPath: /config
   volumes:
   - name: contour-config
     emptyDir: {}
   dnsPolicy: ClusterFirst
   serviceAccountName: contour
   terminationGracePeriodSeconds: 30
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: contour
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: contour
subjects:
- kind: ServiceAccount
  name: contour
  namespace: ingress
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: contour
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups: ["contour.heptio.com"]
  resources: ["ingressroutes"]
  verbs:
  - get
  - list
  - watch
  - put
  - post
  - patch

Deploy Contour in the ingress namespace.
```
kubectl apply -f contour.yaml
```
Contour will be deployed as a DaemonSet attaching to a host’s port 8080. Testing assumes you will be able to route directly to a node’s IP.

Create a manifest for a simple echo server

# echoserver.yaml

apiVersion: v1
kind: Service
metadata:
  name: echoserver
  namespace: team-a
spec:
  ports:
	- port: 80
   targetPort: 8080
   protocol: TCP
   name: http
  selector:
	app: echoserver

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echoserver
  namespace: team-a
spec:
  rules:
	- http:
     paths:
       - path: /echo
         backend:
           serviceName: echoserver
           servicePort: 80

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echoserver
  namespace: team-a
spec:
  replicas: 2
  selector:
	matchLabels:
   app: echoserver
  template:
	metadata:
   labels:
     app: echoserver
	spec:
   containers:
     - name: echoserver
       image: gcr.io/kubernetes-e2e-test-images/echoserver:2.1
       ports:
         - containerPort: 8080

Deploy the manifest in the team-a namespace.
```
kubectl apply -f echoserver.yaml
```
This deploys a Deployment, Service, and Ingress to satisfy the diagram above.

Create a manifest for lorem-ipsum

# lorem-ipsum.yaml

apiVersion: v1
kind: Service
metadata:
  name: lorem-ipsum
  namespace: team-a
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
      name: http
  selector:
    app: lorem-ipsum

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: lorem-ipsum
  namespace: team-a
spec:
  rules:
    - http:
        paths:
          - path: /
            backend:
              serviceName: lorem-ipsum
              servicePort: 80

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: lorem-ipsum
  namespace: team-a
spec:
  replicas: 2
  selector:
    matchLabels:
      app: lorem-ipsum
  template:
    metadata:
      labels:
        app: lorem-ipsum
    spec:
      containers:
        - name: lorem-ipsum
          image: ksdn117/lorem-ipsum:latest
          ports:
            - containerPort: 80

Deploy the manifest in the team-a namespace.
```
kubectl apply -f lorem-ipsum.yaml
```
This deploys a Deployment, Service, and Ingress to satisfy the diagram above.

Validate ingress by requesting a worker node’s public IP at port 8080 on path /echo to ensure traffic is routable.

curl 34.219.198.115:8080/echo

Hostname: echoserver-578989d5f6-sh5f4

Pod Information:
        -no pod information available-

Server values:
        server_version=nginx: 1.12.2 - lua: 10010

Request Information:
        client_address=192.168.2.3
        method=GET
        real path=/echo
        query=
        request_version=1.1
        request_scheme=http
        request_uri=http://34.219.198.115:8080/echo

Request Headers:
        accept=*/*
        content-length=0
        host=34.219.198.115:8080
        user-agent=curl/7.54.0
        x-envoy-expected-rq-timeout-ms=15000
        x-envoy-external-address=174.16.148.64
        x-forwarded-for=174.16.148.64
        x-forwarded-proto=http
        x-request-id=dc54cb4c-1586-42ca-8ebd-5a831a4e3b6f
        x-request-start=t=1550689433.206

Request Body:
        -no body in request-

Validate ingress by requesting a worker node’s public IP at port 8080 on path / to ensure traffic is routable.

Attach to the lorem-ipsum pod.

LOREM_POD=$(kubectl -n team-a get pod -l app=lorem-ipsum -o jsonpath='{.items[0].metadata.name}')

kubectl exec -n team-a -it $LOREM_POD /bin/sh

Add curl to the lorem-ipsum pod
```
# apt update && apt install -y curl
```

Validate pod-to-pod egress by curling echoserver.

# curl echoserver

Hostname: echoserver-578989d5f6-sh5f4

Pod Information:
-no pod information available-

Enforce Network Policy

Next, apply labels to the namespace so that Calico enforces the deny-all. This would typically be handled by an administrator or automation that ensures proper labels are attached to namespaces when teams are on boarded. After labels are added, the network should behave as diagrammed below.

Network Policy Denied

Add netpol_deny_all labels to namespaces.

kubectl label ns ingress netpol_deny_all=disabled &&\
  kubectl label ns team-a netpol_deny_all=enabled

Add name labels to namespaces.

kubectl label ns ingress name=ingress &&\
  kubectl label ns team-a name=team-a

Validate labels are as expected.

kubectl get ns --show-labels

NAME          STATUS   AGE     LABELS
default       Active   10m     <none>
ingress       Active   3m53s   name=ingress,netpol_deny_all=disabled
kube-public   Active   10m     <none>
kube-system   Active   10m     <none>
team-a        Active   3m53s   name=team-a,netpol_deny_all=enabled

Validate ingress is blocked by requesting a worker node’s public IP at port 8080 on paths / and /echo.

curl -v 34.219.198.115:8080/echo

*   Trying 34.219.198.115...
* TCP_NODELAY set
* Connected to 34.219.198.115 (34.219.198.115) port 8080 (#0)
> GET /echo HTTP/1.1
> Host: 34.219.198.115:8080
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 503 Service Unavailable
< content-length: 57
< content-type: text/plain
< date: Wed, 20 Feb 2019 20:00:47 GMT
< server: envoy
<
* Connection #0 to host 34.219.198.115 left intact

Note: the 503 is from envoy, representing the upstream server (echoserver) was not reachable.

Attach to the echoserver pod.

ECHO_POD=$(kubectl -n team-a get pod -l app=echoserver -o jsonpath='{.items[0].metadata.name}')

kubectl exec -n team-a -it $ECHO_POD /bin/sh

Ping google.com; verify it cannot be reached.

# ping -w 1 google.com

PING google.com (216.58.193.78): 56 data bytes

--- google.com ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

You can do the same to lorem-ipsum to demonstrate that a pod in the cluster is not reachable.

Resolve DNS of google.com; verify it resolves.

# nslookup google.com

nslookup: can't resolve '(null)': Name does not resolve

Name:      google.com
Address 1: 172.217.6.46 sfo03s08-in-f14.1e100.net
Address 2: 2607:f8b0:400a:800::200e sea15s07-in-x0e.1e100.net

DNS (UDP:53) is allowed in all namespaces.

Allow Restricted Access

The current state of network rules for team-a is what every team will experience going forward when a namespace is created for them. In order for team-a to allow specific traffic, they must add NetworkPolicy. The diagram below demonstrates the desired network access.

Network Policy Restricted

Create a network policy manifest

# lorem-netpol.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: lorem-ipsum-netpol
  namespace: team-a
spec:
  policyTypes:
    - Ingress
    - Egress
  podSelector:
    matchLabels:
      app: lorem-ipsum

  # allow ingress traffic from the contour/envoy pod
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress
        - podSelector:
            matchLabels:
              app: contour
      ports:
        - protocol: TCP
          port: 80

  # allow egress traffic to the echoserver pod in the team-a namespace
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: team-a
        - podSelector:
            matchLabels:
              app: echoserver
      ports:
        - port: 8080
          protocol: TCP

Apply the NetworkPolicy containing ingress and egress rules for lorem-ipsum pods.
```
kubectl apply -f lorem-netpol.yaml
```
This applies rules to allow ingress traffic originating from Contour pods to reach the lorem-ipsum pods. It also applies rules to allow egress from the lorem-ipsum pod to the echoserver pod. Note that the ingress rules have yet to be added to the echoserver pod. Thus when the lorem-ipsum pod attempts to connect to it, echoserver will not allow the traffic in.

Validation

Verify ingress is allowed to lorem-ipsum through Contour.

Verify ingress is denied to echoserver through Contour.

curl -v 34.219.198.115:8080/echo

*   Trying 34.219.198.115...
* TCP_NODELAY set
* Connected to 34.219.198.115 (34.219.198.115) port 8080 (#0)
> GET /echo HTTP/1.1
> Host: 34.219.198.115:8080
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 503 Service Unavailable
< content-length: 57
< content-type: text/plain
< date: Wed, 20 Feb 2019 21:06:54 GMT
< server: envoy
<
* Connection #0 to host 34.219.198.115 left intact

Create an echoserver network policy

# echo-netpol.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: echoserver-netpol
  namespace: team-a
spec:
  policyTypes:
	- Ingress
  podSelector:
	matchLabels:
   app: echoserver

  # allow ingress traffic from the contour/envoy pod
  ingress:
	- from:
   - namespaceSelector:
       matchLabels:
         namespace: echoserver
   - podSelector: {}

Apply the echoserver ingress NetworkPolicy to allow ingress from all pods in the team-a namespace.
```
kubectl apply -f echo-netpol.yaml
```
Unlike the lorem-ipsum policy, this policy allows all ingress traffic originating from pods that belong to the team-a namespace. Note that with this configuration, lorem-ipsum will be able to communicate to echoserver but echoserver will not be able to communicate with lorem-ipsum.

Attach to the lorem-ipsum pod.

kubectl exec -n team-a -it $LOREM_POD /bin/sh

Verify egress is allowed to the echoserver pod.

# curl echoserver

Hostname: echoserver-578989d5f6-sh5f4

Pod Information:
-no pod information available-

Attach to the echoserver pod.

kubectl exec -n team-a -it $ECHO_POD /bin/sh

Verify egress is denied from echoserver to lorem-ipsum.

# wget -T 1 lorem-ipsum

Connecting to lorem-ipsum (10.109.11.137:80)
wget: download timed out