Deploying Calico on Kubernetes
Post on 21-Jan-2018
Anirban Sen Chowdhary
Calico, an open source project, is a new approach to enabling networking and network policy in Kubernetes clusters across the cloud. Calico works on all major public cloud providers and in private clouds as well. Calico uses a pure IP networking fabric that provides high-performance networking, and its battle-tested policy engine enforces high-level, intent-focused network policy.
These slides will guide you through configuring a Kubernetes cluster with Calico networking; all you need is kubectl configured to interact with the cluster.
After your Kubernetes cluster is started and ready, the first step is to install Project Calico using kubectl:
kubectl apply -f https://docs.projectcalico.org/v2.4/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.6/calico.yaml
The result is as follows:
We will deploy pods in a Kubernetes namespace. First, we need to create a Namespace object to launch applications in. We can do this using kubectl create followed by ns for namespace, and then the name of our namespace, like so:
kubectl create ns policy-demo
As you can see, the namespace is created:
Now let's create some nginx demo pods in the policy-demo namespace by using the kubectl run command:
# Run the Pods.
kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx
As you can see, "nginx" is created:
And then expose the pods through a service using the kubectl expose command:
# Create the Service.
kubectl expose --namespace=policy-demo deployment nginx --port=80
As you can see, "nginx" is exposed:
We will now apply our pod.yaml file. To apply the pod, we'll once again use kubectl create, but this time with the -f flag:
kubectl create -f pod.yaml
The result is as follows:
Once the pod.yaml file is applied, we should be able to access the pod and receive back the nginx welcome page using the following command:
kubectl exec -n policy-demo client -- wget -T 2 -q nginx -O -
The result is as follows:
Next, we need to annotate the policy-demo namespace to deny all incoming (ingress) traffic using the kubectl annotate command:
kubectl annotate ns policy-demo "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
As you can see, Calico will then prevent connections to pods in this namespace and turn on isolation:
Now, remote access to this pod should be unavailable, and we should receive a timeout warning.
kubectl exec -n policy-demo client -- wget -q nginx -T 2 -O -
We can see this below:
Next, we'll allow access to the pod by applying the network-policy.yaml file. Apply the network-policy.yaml file using the kubectl create command with the -f flag:
kubectl create -f network-policy.yaml
We can see the result below:
Now, the network-policy.yaml file that we just applied should allow incoming traffic to pods running nginx. We can test this using the following command:
kubectl exec -n policy-demo client -- wget -q nginx -T 2 -O -
As we can see below, this allows incoming connections from our pod:
We have now installed Project Calico, deployed a couple of pods, isolated the pods by default, and then applied policies to enable access to pods running nginx.
We can see this below if we use the following command:
kubectl get pods --all-namespaces
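The default-deny and allow steps above, written as networking.k8s.io/v1 NetworkPolicy manifests, the form that later Kubernetes releases use in place of the beta namespace annotation. This is an added example, not taken from the original slides, whose pod.yaml and network-policy.yaml are not shown; the policy names and the run: client label on the client pod are assumptions, as is the run: nginx label that kubectl run applied to the pods it created in releases of this era.

```yaml
# Policy 1: default-deny ingress for every pod in the policy-demo namespace.
# Equivalent in intent to the DefaultDeny isolation annotation used above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress     # hypothetical name
  namespace: policy-demo
spec:
  podSelector: {}                # empty selector matches all pods in the namespace
  policyTypes:
    - Ingress                    # no ingress rules are listed, so all ingress is dropped
---
# Policy 2: allow ingress to the nginx pods, but only on TCP 80 and only
# from the client pod. Everything else stays blocked by policy 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx             # hypothetical name
  namespace: policy-demo
spec:
  podSelector:
    matchLabels:
      run: nginx                 # assumed label on the nginx pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:           # same-namespace pods only; no namespaceSelector
            matchLabels:
              run: client        # assumed label; the page's pod.yaml is not shown
      ports:
        - protocol: TCP
          port: 80               # matches the port given to kubectl expose
```

With both policies applied, the wget test from the client pod should succeed, while the same request from a pod in policy-demo that lacks the assumed label should time out.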