@lastcoolnameleft
Last active November 15, 2022 04:26
CalicoCon Azure Walkthrough
  • Create an AKS cluster
  • Add the cluster to Calico Cloud
    • Calico Cloud -> Add Cluster
  • Look at Flow Visualization and the default Service Graph
    • Point out the various traffic
  • Add the staged global deny-all egress policy (kubectl apply -f staged-global-deny-all.yaml); it is staged, so nothing is blocked yet
  • Look at Flow Visualization
    • Point out the traffic the staged policy would now deny
  • Add the Monitoring addon (az aks enable-addons -a monitoring -n $AKS_NAME -g $RG)
  • Look at Flow Visualization
    • Point out the egress from the new ama-logs-* pods that the staged deny-all would block
  • Click the wand (policy recommendation) to create a staged policy allowing "ama-logs-*" -> private and public networks
# Create cluster
RG=calico-workshop
AKS_NAME=calico-workshop
LOCATION=southcentralus
az group create -n $RG -l $LOCATION
# Azure CNI (--network-plugin azure); connect the cluster to Calico Cloud from its UI before applying the staged policy below,
# since the projectcalico.org/v3 Staged* kinds are only available once Calico Cloud is installed
az aks create -n $AKS_NAME -g $RG --node-count 3 --network-plugin azure
az aks get-credentials -n $AKS_NAME -g $RG
# Staged global deny-all egress: flows it would deny are reported in the flow logs, but nothing is blocked yet
kubectl apply -f https://gist.githubusercontent.com/lastcoolnameleft/05cd12af8da64c8c0bae766182b1889c/raw/fc21944d3e8c7f48781bf63b215c900c5a90de6d/staged-global-deny-all.yaml
# Add monitoring addon. Should see egress traffic from "ama-logs-*" that the staged deny-all would block
az aks enable-addons -a monitoring -n $AKS_NAME -g $RG
# Cleanup
az aks disable-addons -a monitoring -n $AKS_NAME -g $RG
# staged-global-deny-all.yaml (the file fetched by the kubectl apply above).
# Staged: nothing is enforced; flows this policy would deny are marked as such in the flow logs.
# The empty selector matches every endpoint in every namespace, so once promoted this denies all
# egress not allowed by a policy with a lower order value.
apiVersion: projectcalico.org/v3
kind: StagedGlobalNetworkPolicy
metadata:
  name: default.deny-all-egress
spec:
  tier: default
  order: 1100
  selector: ''
  namespaceSelector: all()
  serviceAccountSelector: ''
  egress:
    - action: Deny
      source: {}
      destination:
        nets:
          - 0.0.0.0/0
  doNotTrack: false
  applyOnForward: false
  preDNAT: false
  types:
    - Egress
# Staged policy produced by the policy-recommendation wand for the ama-logs agent pods:
# TCP 10250 (kubelet) and 443 to any destination, and UDP 53 only to the CoreDNS pods.
# Two things to check before promoting it:
#   - no order is set; Calico treats a missing order as the highest value, so once the
#     deny-all (order 1100) is enforced this allow would sort after it and never match.
#     Give it an order below 1100 first.
#   - the CoreDNS selector pins version == "v20", a label that changes with CoreDNS
#     upgrades; a looser selector (k8s-app == "kube-dns") is less brittle.
apiVersion: projectcalico.org/v3
kind: StagedNetworkPolicy
metadata:
  name: default.ama-logs
  namespace: kube-system
spec:
  tier: default
  selector: >-
    (tier == "node" && component == "ama-logs-agent" &&
    kubernetes.azure.com/managedby == "aks")
  serviceAccountSelector: ''
  egress:
    - action: Allow
      protocol: TCP
      source: {}
      destination:
        ports:
          - '10250'
          - '443'
    - action: Allow
      protocol: UDP
      source: {}
      destination:
        selector: >-
          (k8s-app == "kube-dns" && kubernetes.io/cluster-service == "true" &&
          version == "v20" && projectcalico.org/namespace == "kube-system" &&
          projectcalico.org/orchestrator == "k8s" &&
          projectcalico.org/serviceaccount == "coredns")
        ports:
          - '53'
  types:
    - Egress
# Enforced (not staged). Order 1025 sorts before the deny-all at 1100, so CoreDNS keeps
# unrestricted egress for upstream lookups once the deny is promoted. Note the empty
# namespaceSelector: any pod in any namespace carrying k8s-app=kube-dns gets this
# allow, so anyone who can label their own pods can use it to escape the deny-all.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default.allow-external-dns-lookups
spec:
  tier: default
  order: 1025
  selector: k8s-app == "kube-dns"
  namespaceSelector: ''
  serviceAccountSelector: ''
  egress:
    - action: Allow
      source: {}
      destination: {}
  doNotTrack: false
  applyOnForward: false
  preDNAT: false
  types:
    - Egress
# Enforced (not staged), namespaced: every pod in tigera-intrusion-detection (empty selector)
# may egress anywhere. Order 1050 places it before the deny-all at 1100.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default.allow-tigera-intrusion-detection-egress
  namespace: tigera-intrusion-detection
spec:
  tier: default
  order: 1050
  selector: ''
  serviceAccountSelector: ''
  egress:
    - action: Allow
      source: {}
      destination: {}
  types:
    - Egress
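The policies above are only as precise as their selectors, and Calico evaluates those against a pod's own labels plus labels it synthesizes for every workload endpoint (projectcalico.org/namespace, projectcalico.org/orchestrator, projectcalico.org/serviceaccount), which is what the CoreDNS destination selector relies on. The following is an added example, not code from the gist or from Calico: a small evaluator for the selector grammar these policies use, run against constructed endpoint label sets (the pod names and the ama-logs service-account name are made up), so you can check which workloads a staged policy would select before promoting it.

```python
"""Added example (not from the gist): evaluate Calico policy selectors offline.
Parses the grammar the policies above use (==, !=, &&, parentheses, all() and
'' meaning all()) plus has(), and reports which constructed endpoints a policy
would select. Only the selector strings are copied from the policies."""
import re

_TOKEN = re.compile(r'''\s*(?:(&&|==|!=|[()])|"([^"]*)"|'([^']*)'|([A-Za-z0-9_./-]+))''')


def tokenize(text):
    """('op'|'str'|'word', value) tokens plus an 'end' sentinel; rejects other input."""
    matches = list(_TOKEN.finditer(text))
    if "".join(m.group(0) for m in matches) != text.rstrip():
        raise ValueError(f"bad selector: {text!r}")
    return [("op", op) if op else ("word", w) if w else ("str", dq if dq is not None else sq)
            for op, dq, sq, w in (m.groups() for m in matches)] + [("end", None)]


class Selector:
    """Recursive-descent parser for the grammar subset described above."""

    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
        # Calico treats an empty selector (as on the staged deny-all) as all().
        self.ast = ("all", None) if self.toks[0][0] == "end" else self._expr()
        if self.toks[self.i][0] != "end":
            raise ValueError(f"trailing tokens in {text!r}")

    def _take(self, kind, value=None):
        tok = self.toks[self.i]
        if tok[0] != kind or value not in (None, tok[1]):
            raise ValueError(f"expected {value or kind}, got {tok}")
        self.i += 1
        return tok[1]

    def _expr(self):  # factor (&& factor)*, left-associative
        node = self._factor()
        while self.toks[self.i] == ("op", "&&"):
            self.i += 1
            node = ("&&", node, self._factor())
        return node

    def _factor(self):
        if self.toks[self.i] == ("op", "("):
            self.i += 1
            node = self._expr()
            self._take("op", ")")
            return node
        key = self._take("word")
        if key in ("all", "has"):  # all() / has(label)
            self._take("op", "(")
            arg = self._take("word") if key == "has" else None
            self._take("op", ")")
            return (key, arg)
        op = self._take("op")
        if op not in ("==", "!="):
            raise ValueError(f"unsupported operator {op!r} after {key!r}")
        return (op, key, self._take("str"))

    def matches(self, labels):
        return _eval(self.ast, labels)


def _eval(node, labels):
    op, a, *rest = node
    if op == "all":
        return True
    if op == "has":
        return a in labels
    if op == "&&":
        return _eval(a, labels) and _eval(rest[0], labels)
    value = labels.get(a)  # absent label is None, so != matches it, as in Calico
    return value == rest[0] if op == "==" else value != rest[0]


def endpoint_labels(pod_labels, namespace, service_account):
    """Calico matches selectors against pod labels plus these synthesized
    projectcalico.org keys, which the CoreDNS destination selector relies on."""
    return {**pod_labels, "projectcalico.org/namespace": namespace,
            "projectcalico.org/orchestrator": "k8s",
            "projectcalico.org/serviceaccount": service_account}


# Constructed endpoints; pod names and the ama-logs service account are made up.
ENDPOINTS = {
    "ama-logs-0": endpoint_labels({"tier": "node", "component": "ama-logs-agent",
                                   "kubernetes.azure.com/managedby": "aks"}, "kube-system", "ama-logs"),
    "coredns-0": endpoint_labels({"k8s-app": "kube-dns", "kubernetes.io/cluster-service": "true",
                                  "version": "v20"}, "kube-system", "coredns"),
    "web-0": endpoint_labels({"app": "web"}, "default", "default"),
}

# Selector strings copied from the policies above.
AMA_LOGS_SELECTOR = ('(tier == "node" && component == "ama-logs-agent" && '
                     'kubernetes.azure.com/managedby == "aks")')
KUBE_DNS_DEST_SELECTOR = ('(k8s-app == "kube-dns" && kubernetes.io/cluster-service == "true" && '
                          'version == "v20" && projectcalico.org/namespace == "kube-system" && '
                          'projectcalico.org/orchestrator == "k8s" && '
                          'projectcalico.org/serviceaccount == "coredns")')


def selected(selector_text, endpoints=ENDPOINTS):
    """Sorted names of the endpoints a selector matches ('' selects all)."""
    sel = Selector(selector_text)
    return sorted(name for name, labels in endpoints.items() if sel.matches(labels))
```

selected(AMA_LOGS_SELECTOR) returns only the ama-logs endpoint, selected(KUBE_DNS_DEST_SELECTOR) only the CoreDNS one, and selected('') every endpoint, which is the set the staged deny-all covers. Swapping in the label sets from `kubectl get pods -A --show-labels` (and the real namespace and service account per pod) turns this into a quick pre-enforcement check that a recommended selector is neither too narrow nor, as with the unscoped k8s-app == "kube-dns" allow, too broad.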