Calico and Simple Policy

Project Calico is the world's simplest, most scalable, open networking solution for OpenStack”. 

Calico, a pure layer3 approach to Virtual Networking for highly scalable & flexible Data centers. It is a open-source technology, that implements large, standards-based cloud data center infrastructures Calico supports rich and flexible network policy that enforces on every node in a cluster, to provide tenant isolation, security groups, and external reachability constraints.

There is security layer into Calico that enables developers and operations staff to easily define with fine granularity which connections are allowed, and which are not. These rules implement and extend the Kubernetes Network Policy API.

There are basically 3 policy demo we can configure:

  • Simple Policy Demo
  • Stars Policy Demo
  • Advanced Policy Demo

We will discuss on the overview of Simple Policy Demo. Lastime, we discussed Star Policy here: https://www.slideshare.net/anir37/calico-and-stars-policy

Simple Policy Demo

It includes demo try out Kubernetes NetworkPolicy with Calico, as well as a client service for all running on Kubernetes.

It requires a Kubernetes cluster configured with Calico networking, and expects that you have kubectl configured to interact with the cluster.

We need to install Kubernetes in the system which includes Network Policy API.

We need to get the following thing: Calico and then need to get into star-policy directory of Calico 1.png

We need to create some nginx pods in the policy-demo Namespace, and expose them through a Service.: 2.png

Also we need to ensure the nginx service is accessible: 3.png

Enable isolation:

Now this is the important part…. let’s turn on isolation in our policy-demo Namespace which will then prevent connections to pods in this Namespace. We will now run the command that creates a NetworkPolicy which implements a default deny behavior for all pods in the policy-demo Namespace. 5.png

Allow Access using a NetworkPolicy :

Now, let’s enable access to the nginx Service using a NetworkPolicy. This will allow incoming connections from our access Pod, but not from anywhere else.We need to now create a network policy access-nginx with the following contents: 6.png

That’s it! We should now be able to access the Service from the access Pod. 7.png

We can remove the policy using following: 8.png

As you can see, this is just a simple example of the Kubernetes NetworkPolicy API and how Calico can secure your Kubernetes cluster.

For more information visit

https://www.projectcalico.org/

https://docs.projectcalico.org/v2.6/introduction/

https://blog.tigera.io/tagged/calico

What's in Calico 3

Project Calico is the world's simplest, most scalable, open networking solution for OpenStack”. 

Calico, a pure layer3 approach to Virtual Networking for highly scalable & flexible Data centers. It is a open-source technology, that implements large, standards-based cloud data center infrastructures Calico supports rich and flexible network policy that enforces on every node in a cluster, to provide tenant isolation, security groups, and external reachability constraints.

Recently, Calico 3 has been launched with a bang!

We will now check what’s there in new Calico version 3.

What’s in Calico 3 ?

Calico has now following features:

  • Calico now stores its data in etcd version 3
  • Felix now compiles and runs on Windows in policy-only mode.
  • This version of Calico easily supports migration and upgrade from Calico v2.6.5
  • calicoctl enhancements with new features.

Calico other changes:

  • Calico now assigns the host side of veth pairs a MAC address of ee:ee:ee:ee:ee:ee. If this fails, it uses a kernel-generated MAC address as before. For more information, refer to the Troubleshooting FAQ. cni-plugin
  • The CNI plugin now offers an optional environment variable called CNI_OLD_CONF_NAME. If set, the CNI plug-in cleans up old configuration data during an upgrade, making it easier to migrate to a new CNI_CONF_NAME value. cni-plugin
  • The CNI plugin no longer throws a file exists message when programming routes. cni-plugin

Calico other changes:

  • After a period of depreciation, this release removes support for the ETCD_AUTHORITY and ETCD_SCHEME environment variables. Calico no longer reads these values. If you have not transitioned to ETCD_ENDPOINTS, you must do so as of v3.0. Refer to Configuring calicoctl
  • etcdv3 datastore for more information.
  • A new node controller for Kubernetes deployments clears data associated with deleted nodes from the Calico datastore, preventing conflicts that can lead to crash loops.

Calico other changes:

  • Calico now works with Kubernetes network services proxy with IPVS/LVS. Calico enforces network policies with kubeproxy running in IPVS mode for Kubernetes clusters. Currently, only workload ingress policy is supported.
  • Rolling update is now enabled by default in the Kubernetes self-hosted manifests. calico
  • The CNI plugin now offers an optional environment variable called CNI_OLD_CONF_NAME.

Unfortunately, there are few limitations found as follows:

  • Currently, it is offered only for Kubernetes, OpenShift, and host endpoint integrations.
  • GoBGP is currently not supported.
  • Route reflectors cannot be clustered.

For more information visit

https://www.projectcalico.org/

https://docs.projectcalico.org/v2.6/introduction/

https://blog.tigera.io/tagged/calico

Calico and Stars Policy

Project Calico is the world's simplest, most scalable, open networking solution for OpenStack”. 

Calico, a pure layer3 approach to Virtual Networking for highly scalable & flexible Data centers. It is a open-source technology, that implements large, standards-based cloud data center infrastructures Calico supports rich and flexible network policy that enforces on every node in a cluster, to provide tenant isolation, security groups, and external reachability constraints.

Calico has following features:

  • Scalable Policy-driven
  • Network policy
  • Integrated with all major cloud platform
  • Simple

There is security layer into Calico that enables developers and operations staff to easily define with fine granularity which connections are allowed, and which are not. These rules implement and extend the Kubernetes Network Policy API.

There are basically 3 policy demo we can configure:

  • Simple Policy Demo
  • Stars Policy Demo
  • Advanced Policy Demo

We will discuss on the overview of Star Policy Demo.

1.png

It includes demo that sets up a frontend and backend service, as well as a client service for all running on Kubernetes. It then configures network policy on each service..

We need to install Kubernetes in the system which includes Network Policy API. We need to get the following thing: Calico and then need to get into star-policy directory of Calico 2.png

Create the frontend, backend, client, and management-ui apps: 3.png The management UI runs as a NodePort Service on Kubernetes, and shows the connectivity of the Services. Once all the pods are started, they should have full connectivity.

Enable isolation: Following commands will prevent all access to the frontend, backend, and client Services. 4.png Let’s now refresh the management UI which may take up to 10 seconds for changes to be reflected in the UI and now since we’ve enabled isolation, the UI can no longer able to access the pods, and because of that reason all they might no longer be shown up in the UI.

Allow the UI to access the Services using NetworkPolicy objects: If we now refresh after some time, the UI - it should now show the Services, but also in this case, they should not be able to access each other any more.. 5.png We will access allow-ui.yaml and allow-ui-client.yaml

Creation of the “backend-policy.yaml” file to allow traffic from the frontend to the backend: Some points now we can see now as follows:

  • The frontend can now access the backend.
  • The backend cannot access the frontend at all.
  • The client cannot access the frontend, nor can it access the backend.

6.png

Exposing of the frontend service to the client namespace. : As now the client can now access the frontend, but not the backend. Neither the frontend nor the backend can initiate connections to the client. The frontend can still access the backend. 7.png As we can see at the end, we need to access frontend-policy.yaml to create the policy for accessing the frontend

In next slides, we will discuss the overview on other policy demo. Lets share our knowledge and effort on community so that the Calico community grows.

For more information visit

https://www.projectcalico.org/

https://docs.projectcalico.org/v2.6/introduction/

https://blog.tigera.io/tagged/calico

GitHub – anirban37

Anirban Sen Chowdhary

Bangalore,Hyderabad