Use ACK GlobalNetworkPolicy - Container Service for Kubernetes

Kubernetes NetworkPolicy is a network management policy at the pod level that uses label selectors. As an upgrade from this, Container Service for Kubernetes (ACK) provides GlobalNetworkPolicy, which adds cluster-level network policy functionality for network policy management at the cluster dimension. This topic describes how to use ACK GlobalNetworkPolicy to manage network security for your cluster in a fine-grained manner.

Prerequisites

An ACK Pro cluster is created and the cluster uses Terway as the network plug-in. For more information, see Create an ACK managed cluster.
The version of Terway is 1.9.4 or later with the NetworkPolicy feature enabled. For more information, see Enable network policies.
Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

Step 1: Install the Poseidon component

Poseidon is a component provided by ACK to support Kubernetes network policies in ACK clusters.

Install the Poseidon component version 0.5.1 or later and enable the ACK NetworkPolicy option.

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Operations > Add-ons.
On the Add-ons page, click the Networking tab, and in the lower right corner of the Poseidon component card, click Install.
In the Install Poseidon dialog box, check Enable ACK NetworkPolicy, and then click OK.

Step 2: Use ACK GlobalNetworkPolicy

The definition and usage of ACK GlobalNetworkPolicy are similar to Kubernetes NetworkPolicy. By default, rules of ACK GlobalNetworkPolicy affect all nodes and pods in the cluster.

Syntax description

The basic structure of ACK GlobalNetworkPolicy is as follows:

apiVersion: network.alibabacloud.com/v1beta2
kind: GlobalNetworkPolicy
metadata:
  name: example
spec:
  podSelector:      # The scope of the NetworkPolicy's effect on Pods, default: match all Pods.
    matchLabels:
      foo: bar      # Select Pods with the label foo:bar.
  namespaceSelector:   # The scope of the NetworkPolicy's effect on Namespaces. Default: match all Namespaces, this rule has an AND relationship with podSelector.
    matchLabels:
      foo: bar      # Select Namespaces with the label foo:bar.
  policyTypes:      # The direction in which the NetworkPolicy takes effect.
    - Ingress       # The policy will apply to inbound traffic.
    - Egress        # The policy will apply to outbound traffic.
  ingress: []       # Inbound rules.
  egress: []        # Outbound rules.

Limits

Take note of the following limits when you use rules in a single cluster:

The number of GlobalNetworkPolicy resources should be less than 100.
The total number of inbound ingress and outbound egress rules in a single GlobalNetworkPolicy should be less than 20.
The number of ports ports in a single inbound or outbound rule should be less than 10.

ingress/egress rules

ingress and egress rules set the source and destination addresses of traffic allowed through the NetworkPolicy. The structure of both rules is the same, specifying the allowed communication range through from (for ingress) and to (for egress).

apiVersion: network.alibabacloud.com/v1beta2
kind: GlobalNetworkPolicy
metadata:
  name: example                          # Policy name
spec:
  podSelector: {}                       
  namespaceSelector: null                     
  policyTypes:
    - Ingress                            # The policy includes inbound rules
    - Egress                             # The policy includes outbound rules
  ingress:
    - from:
        - namespaceSelector:             # Allow inbound from Pods in Namespaces with matching labels.
            matchLabels:
              foo: bar
          podSelector:                   # Allow inbound from Pods with matching labels.
            matchLabels:
              foo: bar
        ports:
          - protocol: TCP                # Allow TCP traffic, value can be TCP or UDP.
            port: 443                    # Allow port 443.
    - from:
        - ipBlock:                       # Define the CIDR block allowed to initiate inbound requests from outside the cluster.
            cidr: "172.16.0.0/16"
            except:
              - "172.16.1.0/24"          # Exclude the CIDR block "172.16.1.0/24" from the allowed inbound sources outside the cluster.
  egress:
    - to:
        - namespaceSelector:             # Allow outbound to Pods in Namespaces with matching labels.
            matchLabels:
              foo: bar
          podSelector:                   # Allow outbound to Pods with matching labels.
            matchLabels:
              foo: bar
    - to:
        - ipBlock:                       # Define the CIDR block allowed for outbound traffic from the cluster.
            cidr: "172.16.0.0/16"
            except:
              - "172.16.1.0/24"          # Exclude the CIDR block "172.16.1.0/24" from the allowed outbound destinations outside the cluster.

Field	Description
ipBlock	The static CIDR block used to describe traffic addresses outside the cluster. This block defines which IP address ranges outside the cluster are allowed or denied to enter or leave the pods inside the cluster.
podSelector	This selector dynamically selects addresses using labels, and is used to describe the addresses of pods in the cluster.

When creating a network policy, you cannot use ipBlock and podSelector or ipBlock and namespaceSelector in the same rule. You should separate ipBlock and podSelector as follows:

ingress:
  - from:
      - ipBlock:               # The first source condition is ipBlock.
          cidr: "192.168.0.0/16"
      - podSelector:           # The second source condition is podSelector.
          matchLabels:
            key: value
    ports:
      - protocol: TCP
        port: 80

The following sample code provides an incorrect example, which results in mutual exclusion.

Expand incorrect example.

ingress:
  - from:
      - ipBlock:                  # CIDR block definition.
          cidr: "192.168.0.0/16"
        podSelector:              # Error: Cannot be used with ipBlock in the same entry.
          matchLabels:
            key: value
    ports:
      - protocol: TCP
        port: 443

Examples

All examples in this section have the podSelector parameter configured. You can configure this parameter based on your business requirements.

Important

Take note that if podSelector and namespaceSelector are not specified when you configure the GlobalNetworkPolicy, the policy applies to all pods in the cluster.

Reject all traffic rules for specific pods

The following YAML file defines a GlobalNetworkPolicy that applies to pods with the foo: bar label. This policy rejects all inbound and outbound network traffic to and from these pods.

apiVersion: network.alibabacloud.com/v1beta2
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector:
    matchLabels:
      foo: bar
  namespaceSelector: null
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []

Allow specific pods to access DNS

The following YAML file defines a GlobalNetworkPolicy that applies to pods with the foo: bar label. This policy allows communication between these pods and the DNS service running in the cluster.

apiVersion: network.alibabacloud.com/v1beta2
kind: GlobalNetworkPolicy                     
metadata:
  name: allow-dns                            
spec:
  podSelector:                                
    matchLabels:
      foo: bar                                
  namespaceSelector: null                 
  policyTypes:                                
    - Egress
  egress:                                     
    - to:                                 
        - namespaceSelector:              
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns