vK8s Network Policy

Objective

This document provides instructions on how to configure and apply a network policy for traffic to/from virtual K8s (vK8s) Pods using policy rules and policy sets. To learn more about network policies, see Volterra Network Policy.

Using the instructions provided in this document, you can create network policies with policy rules controlling the traffic to secure the applications in your namespace.


Prerequisites


Configuration

The following image shows the configuration workflow for policy rules, policies, and policy sets:

Figure: Creating a Network Policy

Configuring a network policy in VoltConsole means creating a network policy set using the guided wizard. You can create and apply the network policies and policy rules as part of the network policy set creation. Alternatively, you can create individual policy rules and apply them to policies, which in turn can be applied to policy sets. The steps in this guide show creating the policy using the guided wizard.


Create Network Policy Set

Step 1: Log into VoltConsole and start creating vK8s network policy set.
  • Click App on the namespace selector and select your application namespace from the namespace drop-down list. To create a namespace, click General on the namespace selector and select Personal Management -> My Namespaces. Click Add namespace to open the namespace creation form, fill in the required fields, and click Save.
  • Click Security -> vK8s Network Policy in the configuration menu and select Network Policy Sets in the options. Click Add network policy set to open the network policy set configuration wizard.

Figure: Network Policy Set Creation

  • Enter a name and click Select policy object. The network policy selection form opens.
Step 2: Start creating the network policy.
  • Click Add new Network Policy in the network policy selection form. This starts the creation of a new network policy.

Figure: Add New Network Policy

  • Enter a name in the Name field of the network policy creation screen.
  • Configure the Local Endpoint by using one of the following options:

    • Prefix: An IP prefix written in the <ip address>/<prefix length> format. This example configures the prefix 10.1.2.3/32.
    • Label Selector: A selector expression. If the labels of an IP address match the selector expression, that IP is considered a local endpoint.

Figure: Local Endpoint Configuration

Step 3: Create network policy rules.
Step 3.1: Create rules for ingress traffic.
  • Go to Ingress Rules section and click Add network policy rule. This starts new network policy rule creation.
  • Enter a name and select an option for the Action field. The implicit action is to deny all traffic.
  • Configure the remote endpoint as per the following guidelines:

    • IP Prefix: An IP prefix in the <ip address>/<prefix length> format. Enter the IP prefix in the Prefix field. You can add more than one entry using the Add item option.
    • Prefix Selector: A selector expression. If the labels of an IP address match the selector expression, that IP is considered a remote endpoint. Enter the expression in the Selector Expression field. You can add more than one entry using the Add item option.
    • IP Prefix Set: A set of IP prefixes. Click Select ref object and add IP prefix set objects; you can also create a new IP prefix set from here. Click Select ref object again to add the IP prefix set to the rule.
  • Select an option from the drop-down list of the Protocol field.
  • Click Add item in the Port Ranges section and add a range of ports in the <startport-endport> format.
  • Select label keys in the Label Matcher field. These keys are matched against the prefix selector of the endpoint configuration. You can add multiple keys.

The following sample is an ingress rule configuration to allow TCP traffic from prefix 1.1.1.1/24:

Figure: Ingress Rule Configuration

  • Click Save and Exit. The rule gets created and applied to the network policy configuration.

Note: You can add more rules using the Add network policy rule option.

Step 3.2: Create rules for egress traffic.
  • Go to the Egress Rules section and click Add network policy rule.
  • Create the egress rule and apply it to the network policy configuration as per the guidelines in Step 3.1.

The following sample is an egress rule configuration to deny TCP traffic to prefix 2.2.2.2/24:

Figure: Egress Rule Configuration

The following sample is the network policy configuration with both ingress and egress rules.

Figure: Network Policy Configuration with Ingress and Egress Rules

Step 4: Complete network policy and policy set creation.
  • Click Continue in the network policy configuration to create the network policy and return to the network policy selection screen of the network policy set configuration wizard. The created network policy is displayed in the list of policy objects.

Figure: Network Policy Selection

  • Select the network policy and click Select policy object to apply the network policy to the policy set.

Figure: Network Policy Set Creation

  • Click Save and Exit to complete creating the vK8s network policy set.
Step 5: Verify the policy operation.

You can verify the policy operation by sending traffic to the endpoints or from the VoltConsole.

  • Verify the network policy by sending traffic from your local endpoint to the remote endpoint specified in the egress rule, or by sending traffic from the remote endpoint specified in the ingress rule to your local endpoint. Use tools such as ping to verify whether the traffic is allowed or rejected based on the rule configuration. Note that ping sends ICMP, so to exercise a rule written for TCP, send TCP traffic to a port within the rule's port range.

Note: Traffic that does not match any rule is implicitly denied.

  • Navigate to Security -> vK8s Network Policy -> Network Policies in your application namespace. Check the Hits field for your policy to see how many times the policy has been applied. Click the value in the Hits field to view the per-rule hits.
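To make the rule semantics of Steps 3 and 5 concrete, here is an added Python model of the sample policy from this guide (example code written for this page, not Volterra's implementation): local endpoint 10.1.2.3/32, an ingress rule allowing TCP from 1.1.1.1/24, and an egress rule denying TCP to 2.2.2.2/24. It assumes first-match rule evaluation and adds a port range of 80-443 to the ingress rule; both are assumptions, not details from the guide.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the vK8s network policy semantics described in this guide.
# Assumption (not stated by the guide): rules are evaluated in order and the
# first matching rule decides; a flow that matches no rule hits the implicit deny.

def parse_port_range(spec):
    """Parse a '<startport-endport>' entry (a single port is accepted too)."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi

def make_rule(name, action, remote_prefixes, protocol="TCP", port_ranges=()):
    return {
        "name": name, "action": action, "protocol": protocol,
        # strict=False accepts host-style prefixes such as 1.1.1.1/24 (-> 1.1.1.0/24)
        "remote": [ip_network(p, strict=False) for p in remote_prefixes],
        "ports": [parse_port_range(p) for p in port_ranges],  # empty = any port
    }

def rule_matches(rule, remote_ip, protocol, port):
    if rule["protocol"] != protocol:
        return False
    if not any(ip_address(remote_ip) in net for net in rule["remote"]):
        return False
    return not rule["ports"] or any(lo <= port <= hi for lo, hi in rule["ports"])

def evaluate(policy, direction, remote_ip, protocol, port):
    """Return (action, rule name) for a flow; unmatched flows are implicitly denied."""
    for rule in policy[direction]:
        if rule_matches(rule, remote_ip, protocol, port):
            return rule["action"], rule["name"]
    return "DENY", "implicit-deny"

# The sample policy from this guide; the 80-443 port range is an added assumption.
SAMPLE_POLICY = {
    "local": ip_network("10.1.2.3/32"),
    "ingress": [make_rule("allow-tcp-from-1.1.1.1/24", "ALLOW", ["1.1.1.1/24"], "TCP", ["80-443"])],
    "egress": [make_rule("deny-tcp-to-2.2.2.2/24", "DENY", ["2.2.2.2/24"], "TCP")],
}

if __name__ == "__main__":
    flows = [("ingress", "1.1.1.7", "TCP", 443), ("ingress", "1.1.1.7", "UDP", 53),
             ("egress", "2.2.2.9", "TCP", 22), ("egress", "8.8.8.8", "TCP", 443)]
    for direction, ip, proto, port in flows:
        print(direction, ip, proto, port, "->", evaluate(SAMPLE_POLICY, direction, ip, proto, port))
```

Because unmatched traffic is implicitly denied, the egress flow to 8.8.8.8 is denied even though no rule names it; an explicit deny rule only changes the outcome when a broader allow rule would otherwise match the flow.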

Concepts


API References