Recently, after analysing the requirements for an application that I manage, I realised I needed a way to secure communication within my cluster, so that, in a nutshell, it is not an open wilderness.
While looking at several alternatives, one was very appealing, especially after watching the following video.
And yes, it is project Calico.
So I decided to do some more testing with it and spin it up in a locally running cluster. To have some more fun, this time there are more nodes.
The difference in the kind config below is that we disable the default CNI, so that Calico can be installed in its place.
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  podSubnet: "10.240.0.0/16"
  disableDefaultCNI: true
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true,zone=cookie,region=oo-space-1"
  extraPortMappings:
  - containerPort: 30080
    hostPort: 88
    protocol: TCP
  - containerPort: 30443
    hostPort: 444
    protocol: TCP
- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "zone=alpha,region=eu-west-1"
- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "zone=alpha,region=eu-west-1"
- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "zone=beta,region=eu-west-1"
- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "zone=beta,region=eu-west-1"
- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "zone=gamma,region=eu-central-1"
- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "zone=gamma,region=eu-central-1"
- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "zone=gamma,region=eu-central-1"
Once the cluster is up and running, I used kapp to deploy Calico with the following command:
kapp deploy -a calico -f <(curl https://docs.projectcalico.org/v3.17/manifests/calico.yaml)

Shortly after the nodes had applied the configuration change, Calico was running on all of them.

That gets you going right away! But to really understand the power you now have, I can highly recommend looking at the example NetworkPolicies.
Once you have done that, there is also a great tool called sonobuoy that validates not only NetworkPolicies but your Kubernetes cluster configuration in general. The following run focuses the end-to-end tests on NetworkPolicy:
sonobuoy run --e2e-focus "NetworkPolicy" --e2e-skip ""
Happy securing of your k8s cluster!