Last active
April 12, 2023 20:23
-
-
Save vfarcic/f67624c05df3d949c8d9a6976adb4631 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Source: https://gist.github.com/vfarcic/f67624c05df3d949c8d9a6976adb4631 | |
| ############################################################# | |
| # What Are Kubernetes Network Policies And How To Use Them? # | |
| # https://youtu.be/18FEA5xXBGY # | |
| ############################################################# | |
| # Additional Info: | |
| # - Kubernetes Network Policies: https://kubernetes.io/docs/concepts/services-networking/network-policies | |
| ######### | |
| # Setup # | |
| ######### | |
| git clone https://github.com/vfarcic/network-policies-demo | |
| cd network-policies-demo | |
| # Create a Kubernetes cluster with an Ingress controller | |
| # Any cluster should do, including local Kubernetes clusters | |
| # like Docker Desktop, Minikube, KinD, or Rancher Desktop. | |
| kubectl get ingressclasses --output name | |
| # Replace `[...]` with the short name of the Ingress class | |
| # (e.g., `treafik`) | |
| export INGRESS_CLASS=[...] | |
| yq --inplace ".spec.ingressClassName = \"$INGRESS_CLASS\"" \ | |
| kustomize/base/ingress.yaml | |
| # Replace `127.0.0.1` with the external IP of the Ingress service | |
| export INGRESS_HOST=127.0.0.1 | |
| yq --inplace \ | |
| ".spec.rules[0].host = \"silly-demo.$INGRESS_HOST.nip.io\"" \ | |
| kustomize/base/ingress.yaml | |
| kubectl apply --filename namespaces.yaml | |
| ######################################### | |
| # Applications Without Network Policies # | |
| ######################################### | |
| kubectl --namespace production apply --kustomize kustomize/base | |
| kubectl --namespace staging run other-app \ | |
| --image alpine --restart Never --rm --stdin --tty \ | |
| -- sh | |
| apk add -U curl | |
| curl "http://silly-demo.production:8080" | |
| exit | |
| ######################################### | |
| # Kubernetes Network Policies In Action # | |
| ######################################### | |
| kubectl explain networkpolicy --recursive | |
| cat np-ingress.yaml | |
| kubectl --namespace production apply --filename np-ingress.yaml | |
| kubectl --namespace production describe networkpolicy silly-demo | |
| kubectl --namespace staging run other-app \ | |
| --image alpine --restart Never --rm --stdin --tty \ | |
| -- sh | |
| apk add -U curl | |
| curl "http://silly-demo.production:8080" | |
| exit | |
| kubectl --namespace production run other-app \ | |
| --image alpine --restart Never --rm --stdin --tty \ | |
| -- sh | |
| apk add -U curl | |
| curl "http://silly-demo:8080" | |
| exit | |
| curl "http://silly-demo.$INGRESS_HOST.nip.io" | |
| cat np-ingress2.yaml | |
| # You might need to rewrite that manifest if Ingress Service is | |
| # in a different Namespace | |
| kubectl --namespace production apply --filename np-ingress2.yaml | |
| curl "http://silly-demo.$INGRESS_HOST.nip.io" | |
| ########### | |
| # Destroy # | |
| ########### | |
| # Delete or reset the cluster |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment