Gayblack Canadian Man

Foreign Policy Analysis
Securing traffic between pods using policies in Azure Kubernetes Service | Azure Tips and Tricks

Securing traffic between pods using policies in Azure Kubernetes Service | Azure Tips and Tricks


>>Learn how to secure
traffic between pods using network policies in Azure Kubernetes Service in this
episode of Azure Tips and Tricks. By default, components in a Kubernetes cluster can
receive traffic from anywhere. To secure your AKS cluster, you can implement a network
policy that defines which components can receive
traffic from which sources. Let’s see how that works. We’ll work in the Azure Cloud Shell which you can reach at this address. To get started we need to create a new AKS cluster with a
network policy enabled. So first, I’ll create some parameters for Resource
Group, cluster name, and location, and I’ll create
a resource group. All right. Now to create a virtual
network that we’ll use, and now create a service principal and assign that to
the virtual network. Don’t worry too much about this code. There is a link to the scripts
in the video details. All right. Next I’ll create the AKS cluster
with the network policy. This uses the Azure
network policy which is Azure’s own implementation
called Azure network policies. You can also use the
Calico network policies which is an open source
network security solution. Here we go. I’ll skip
to when it’s done. Here we go. Now I have to connect to kube control to my Kubernetes
cluster like this, and say yes to these as
I’ve done this before. Next I’ll create a
namespace that we can use. I’ll call it test, like this, and I’ll label it with
a purpose for testing. That’s it. Let’s test something. These commands create a
back-end pod that runs engine X to simulate a web
application. All right. Next we’ll create another pod
and attach a terminal to it. There we go. This is the
terminal of the pod. Now let’s try to do a get
on the nginx port that returns the HTML of the pod so
we can access it by default. Let’s secure this. I’ll start by denying all traffic
and then relaxing the rules. First, I’ll create a file called backend-policy.yaml
with this code in it. This is YAML code that
defines the network policy. It doesn’t contain rules for ingress, so inbound traffic which means that it will block
all ingress traffic. In Azure Cloud Shell
we can simply upload the file like this so
that we can work with it. Okay. Now to apply the network
policy from the YAML file. That’s it Let’s run a pod again
and attach a terminal to it. There we go. Now let’s try to get the HTML from the
nginx port again. This time it’s times out
because all traffic is denied. So that works. Here is the network
policy file again. Now I’ll change it. This says that ingress traffic is allowed from pods
that have the labels, app, web app, and role, frontend. This network policy
is based on labels, but you can also create a
policy based on namespaces. Lets upload this new version
of the file to CloudShell. All right. Now let’s apply
the new network policy. That’s it. Now to try it out. First I’ll schedule a pod with
the right labels like this. Here we go. Let’s try
it out. That works. I can connect to the backend pod. Let’s exit this. All right, that worked. But let’s see if traffic from
other sources is actually blocked. Let’s create a pod without
the right labels like this. Okay. Now let’s try it again. No, this doesn’t work
and it shouldn’t. So the network policy works. Securing traffic
between components in your Kubernetes Cluster
is very important, and you can do it with
the AKS network policies. Go and check it out.

Leave a Reply

Your email address will not be published. Required fields are marked *