Create Kubernetes Layer-7 Network Policies using Cilium CNI
Connecting to the CloudAcademy Web-based K8s IDE
In the AWS Management Console search bar, enter EC2, and click the EC2 result under Service. In the left-hand menu, click on Instances, select the k8s.cluster.cloudacademy.platform.instance EC2 instance, and locate and copy the IPv4 Public IP address.

The web-based CloudAcademy IDE has been configured to listen for inbound connections on port 3000 using HTTP. Using your browser, navigate to the IDE hosted on the k8s.cluster.cloudacademy.platform.instance EC2 instance using the public IP address you just copied:
http://PUBLIC_IP_IDE_CLOUDACADEMY_PLATFORM_INSTANCE:3000

Install Cilium CNI
Within the Files Explorer pane right-click on the project/code/cillium folder and then select the Open in Terminal option to launch the integrated terminal.

Use the kubectl command to install the Cilium Kubernetes CNI plugin into the local Kubernetes cluster. Within the terminal enter the following command.
kubectl apply -f install.1.6.1.yaml
Use watch together with kubectl to view the Cilium pods starting up. Within the terminal enter the following command.
watch -n2 kubectl -n kube-system get pods
Once all Cilium pods have reached the Running status, exit the previous command by entering the key sequence CTRL+C.

Deploy API Pods
Within the Files pane, open the lab-code/deploy-api.yaml file within the editor. Take some time to review the Kubernetes resources that are going to be provisioned within the cluster.

Ensure that you are in the lab-code directory. Within the terminal run the following command
cd /home/project/code/StarWars/lab-code
You will now create all of the Star Wars API resources declared within the deploy-api.yaml file. Within the terminal run the following command
kubectl apply -f deploy-api.yaml
Confirm that all of the pods have launched successfully. Within the terminal run the following command
kubectl get pods

Confirm that the service has launched successfully. Within the terminal run the following command
kubectl get services

Test API Before Layer-7 Network Policy is Deployed
Retrieve the DeathStar Service VIP (cluster IP) assigned to the API and store it in a shell variable for the requests that follow. Within the terminal run the following commands
DEATHSTAR_VIP=$(kubectl get service/deathstar -o jsonpath='{.spec.clusterIP}')
echo $DEATHSTAR_VIP

Perform a curl request that originates from the tiefighter pod and is sent to the /v1 API service endpoint. This should list all of the available API endpoints. Within the terminal run the following command
kubectl exec -it tiefighter -- curl -is -XGET http://$DEATHSTAR_VIP/v1

Now perform a curl request that originates from the tiefighter pod and is sent to the /v1/request-landing API service endpoint. Within the terminal run the following command. Notice the response which indicates success - which is expected.
kubectl exec -it tiefighter -- curl -is -XPOST http://$DEATHSTAR_VIP/v1/request-landing

Now perform a curl request that originates from the xwing pod and is sent to the same /v1/request-landing API service endpoint. Within the terminal run the following command. Notice the response which indicates success - which is NOT expected: with no network policy in place, any pod in the cluster can reach the API.
kubectl exec -it xwing -- curl -is -XPOST http://$DEATHSTAR_VIP/v1/request-landing

Secure API with Layer-7 Network Policy
Within the Files pane, open the lab-code/l7-networkpolicy.yaml file within the editor. Take some time to review the Layer-7 rules defined within the Network Policy

Ensure that you are still in the lab-code directory. Within the terminal run the following command.
cd /home/project/code/StarWars/lab-code
You will now create the Cilium Network Policy declared within the l7-networkpolicy.yaml file. Within the terminal run the following command.
kubectl apply -f l7-networkpolicy.yaml
Confirm that the Cilium Network Policy has been deployed successfully (cnp is the short name for the CiliumNetworkPolicy resource). Within the terminal run the following command.
kubectl describe cnp

Test API After Layer-7 Network Policy is Deployed
Retrieve the DeathStar Service VIP (cluster IP) assigned to the API again, in case the variable was lost when the terminal was restarted. Within the terminal run the following commands.
DEATHSTAR_VIP=$(kubectl get service/deathstar -o jsonpath='{.spec.clusterIP}')
echo $DEATHSTAR_VIP

Now perform a curl request that originates from the tiefighter pod and is sent to the /v1/request-landing API service endpoint. Within the terminal run the following command. Notice the response which indicates success - which is expected.
kubectl exec -it tiefighter -- curl -i --connect-timeout 10 -XPOST http://$DEATHSTAR_VIP/v1/request-landing

Now perform a curl request that originates from the xwing pod and is sent to the same /v1/request-landing API service endpoint. Within the terminal run the following command. Notice that no response is given this time: curl gives up after the 10 second connect timeout because the network policy deployed in the previous step drops the connection from xwing - which is what we want.
kubectl exec -it xwing -- curl -i --connect-timeout 10 -XPOST http://$DEATHSTAR_VIP/v1/request-landing
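The manual checks above rely on reading the curl output by eye. The script below, added here as an example and not part of the lab code, repeats the tiefighter and xwing requests after the policy is applied and classifies each outcome: an HTTP 2xx means the request was allowed, a curl connect timeout (exit code 28) means the source pod was dropped by the policy before a TCP connection was made. It also recognises a third outcome the lab's two requests do not exercise, a 403 from Cilium's L7 proxy, which is what a pod that is allowed by the policy's endpoint selector gets back when it sends a method or path the HTTP rules do not permit. The script name check-l7.sh, the function names and the sample responses in its comments are assumptions; the pod names tiefighter and xwing and the deathstar Service are the lab's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): re-run the tiefighter/xwing requests
# after l7-networkpolicy.yaml is applied and classify each outcome instead of
# reading the curl output by eye. Assumes the lab's 'tiefighter' and 'xwing'
# pods and the 'deathstar' Service exist in the current namespace.
set -u

# Run curl inside a pod. Prints curl's -i output and returns curl's exit code
# (28 = connect timeout, which is what a dropped connection looks like).
pod_curl() {
  local pod="$1" method="$2" url="$3"
  kubectl exec "$pod" -- curl -is --connect-timeout 10 -X "$method" "$url"
}

# Map (curl exit code, curl -i output) to one of:
#   allowed    - 2xx from the deathstar API
#   denied-l7  - 403 from Cilium's L7 proxy: the request reached the proxy but
#                matched no allowed HTTP rule (not produced by the lab's two
#                requests; it is the outcome for a disallowed path or method)
#   dropped    - no TCP connection at all: the source pod is not permitted by
#                the policy's L3/L4 selector, so the SYN is dropped and curl
#                times out
#   error      - curl failed for some other reason (no such pod, DNS, ...)
#   unknown:N  - any other HTTP status N
classify() {
  local rc="$1" out="$2" status
  [ "$rc" -eq 28 ] && { echo dropped; return; }
  [ "$rc" -ne 0 ]  && { echo error; return; }
  status=$(printf '%s\n' "$out" | head -n 1 | tr -d '\r' | awk '{print $2}')
  case "$status" in
    2[0-9][0-9]) echo allowed ;;
    403)         echo denied-l7 ;;
    *)           echo "unknown:${status}" ;;
  esac
}

# Run one scenario and compare it with the expected outcome. Returns 0 on PASS.
expect() {
  local pod="$1" method="$2" path="$3" want="$4" out rc=0 got
  out=$(pod_curl "$pod" "$method" "http://${DEATHSTAR_VIP}${path}") || rc=$?
  got=$(classify "$rc" "$out")
  if [ "$got" = "$want" ]; then
    echo "PASS $pod $method $path -> $got"
  else
    echo "FAIL $pod $method $path -> got $got, want $want"
    return 1
  fi
}

main() {
  DEATHSTAR_VIP=$(kubectl get service/deathstar -o jsonpath='{.spec.clusterIP}')
  : "${DEATHSTAR_VIP:?could not read the deathstar Service clusterIP}"
  local fails=0
  # Expected outcomes once l7-networkpolicy.yaml is in place:
  expect tiefighter POST /v1/request-landing allowed || fails=$((fails + 1))
  expect xwing      POST /v1/request-landing dropped || fails=$((fails + 1))
  echo "$fails scenario(s) failed"
  return "$fails"
}

# Usage: bash check-l7.sh run   (apply l7-networkpolicy.yaml first)
case "${1:-}" in
  run) main ;;
  *)   echo "usage: $0 run" >&2 ;;
esac
```

Run it as bash check-l7.sh run from the lab-code directory after the policy has been applied; the exit code is the number of failed scenarios, so it can be dropped into a CI job that checks the policy still behaves after cluster or Cilium upgrades. Distinguishing dropped from denied-l7 matters when debugging a policy: a timeout points at the endpoint selector or fromEndpoints labels, whereas a 403 means the L3/L4 part of the policy is fine and only the HTTP rules need attention.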
