Create Kubernetes Layer-7 Network Policies using Cilium CNI
Last updated
In the AWS Management Console search bar, enter EC2, and click the EC2 result under Service. In the left-hand menu, click on Instances, select the k8s.cluster.cloudacademy.platform.instance EC2 instance, and locate and copy the IPv4 Public IP address.
The web-based CloudAcademy IDE has been configured to listen for inbound connections on port 3000 using HTTP. Using your browser, navigate to the IDE hosted on the k8s.cluster.cloudacademy.platform.instance EC2 instance using the public IP address you just copied:
Within the Files Explorer pane right-click on the project/code/cillium folder and then select the Open in Terminal option to launch the integrated terminal.
Use the kubectl command to install the Cilium Kubernetes CNI plugin into the local Kubernetes cluster. Within the terminal enter the following command.
Use both watch and kubectl to view the Cilium pods starting up. Within the terminal enter the following commands.
Once all Cilium Pods have reached the Running status, exit the previous command by entering the key sequence CTRL+C.
Within the Files pane, open the lab-code/deploy-api.yaml file within the editor. Take some time to review the Kubernetes resources that are going to be provisioned within the cluster.
Ensure that you are in the lab-code directory. Within the terminal run the following command.
You will now create all of the Star Wars API resources declared within the deploy-api.yaml file. Within the terminal run the following commands.
Confirm that all of the pods have launched successfully. Within the terminal run the following command.
Confirm that the service has launched successfully. Within the terminal run the following commands.
Retrieve the DeathStar Service VIP assigned to the API. Within the terminal run the following command.
Perform a curl request that originates from the tiefighter pod and is sent to the /v1 API service endpoint. This should display all of the available API endpoints. Within the terminal run the following commands.
Now perform a curl request that originates from the tiefighter pod and is sent to the /v1/request-landing API service endpoint. Within the terminal run the following commands. Notice the response which indicates success - this is expected, since the tiefighter belongs to the empire.
Now perform a curl request that originates from the xwing pod and is sent to the same /v1/request-landing API service endpoint. Within the terminal run the following commands. Notice the response which also indicates success - this is NOT expected. No network policy has been applied yet, so any pod in the cluster can reach every endpoint of the DeathStar API; this is the gap the Layer-7 policy in the next steps closes.
Within the Files pane, open the lab-code/l7-networkpolicy.yaml file within the editor. Take some time to review the Layer-7 rules defined within the Network Policy
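For reference, below is a CiliumNetworkPolicy in the shape of the policy this lab applies, annotated by the layer at which each part of the rule is enforced. It is an added example written for this page, not the contents of the lab's l7-networkpolicy.yaml: the label keys and values (org, class) and the policy name are assumptions taken from the public Cilium Star Wars demo, so check the labels on your own pods with `kubectl get pods --show-labels` before reusing it.

```yaml
# Added example (not the lab's own file): a Layer-7 CiliumNetworkPolicy for the
# DeathStar API. Labels org=empire / class=deathstar are ASSUMED; verify them
# against the pods deployed from deploy-api.yaml.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: deathstar-l7-landing   # assumed name
spec:
  description: "Only empire ships may POST /v1/request-landing on the DeathStar"
  # Layer 3: which pods this policy protects. As soon as a pod is selected by
  # any policy, ingress that is not explicitly allowed is dropped (default deny).
  endpointSelector:
    matchLabels:
      org: empire
      class: deathstar
  ingress:
    # Layer 3: only peers carrying org=empire (the tiefighter) are admitted.
    # A peer without that label (the xwing) is dropped before any HTTP parsing,
    # which is why its curl simply gets no response instead of an HTTP error.
    - fromEndpoints:
        - matchLabels:
            org: empire
      # Layer 4: and only on TCP port 80.
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          # Layer 7: traffic that passed L3/L4 is redirected through Cilium's
          # Envoy proxy, which permits only this verb and path. An admitted peer
          # requesting anything else (for example GET /v1) receives HTTP 403
          # "Access denied" rather than a silent drop.
          rules:
            http:
              - method: POST
                path: "/v1/request-landing"
```

Two practical caveats when adapting this: the `path` field is a regular expression anchored by Cilium, so `/v1/request-landing` does not also match `/v1/request-landing/extra`, and the L7 rule only applies to the ports listed under `toPorts`; a second container port on the DeathStar pod would still be covered only by the default deny, not by the HTTP rule.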
Ensure that you are still in the lab-code directory. Within the terminal run the following commands.
You will now create the Cilium Network Policy declared within the l7-networkpolicy.yaml file. Within the terminal run the following commands.
Confirm that the Cilium Network Policy has been deployed successfully. Within the terminal run the following commands.
Retrieve the DeathStar Service VIP assigned to the API. Within the terminal run the following command.
Now perform a curl request that originates from the tiefighter pod and is sent to the /v1/request-landing API service endpoint. Within the terminal run the following commands. Notice the response which indicates success - this is expected, as the policy permits this source, port, method and path.
Now perform a curl request that originates from the xwing pod and is sent to the same /v1/request-landing API service endpoint. Within the terminal run the following commands. Notice that no response is given at all: the previously deployed network policy now drops this traffic at the connection level rather than answering it with an HTTP error, so curl waits until it times out. This is the behaviour we want.