From c445075f33d5be940c8301389c8962d8e3e2e3e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beat=20Sch=C3=A4rz?= Date: Wed, 27 Sep 2023 16:47:58 +0200 Subject: [PATCH 1/7] try global config for netpol ns --- config/openshift/config.toml | 1 + .../en/docs/security/network-policies/_index.md | 14 +++++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/config/openshift/config.toml b/config/openshift/config.toml index 90270615..ebef8cba 100644 --- a/config/openshift/config.toml +++ b/config/openshift/config.toml @@ -9,3 +9,4 @@ title = "OpenShift Basics Training" enabledModule = "base openshift" distroName = "OpenShift" cliToolName = "oc" +netpolNS = "--namespace -netpol" diff --git a/content/en/docs/security/network-policies/_index.md b/content/en/docs/security/network-policies/_index.md index 6b525487..3eb50da6 100644 --- a/content/en/docs/security/network-policies/_index.md +++ b/content/en/docs/security/network-policies/_index.md @@ -11,6 +11,12 @@ One CNI function is the ability to enforce network policies and implement an in- If you are not yet familiar with Kubernetes Network Policies we suggest going to the [Kubernetes Documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/). {{% /alert %}} +{{% onlyWhen openshift %}} +{{% alert title="Warning" color="warning" %}} +For this lab to work it is vital that you use the namespace `-netpol`! +{{% /alert %}} +{{% /onlyWhen %}} + ### {{% task %}} Deploy a simple frontend/backend application 
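Review bot: `netpolNS = "--namespace -netpol"` puts a CLI flag, not just a value, into site configuration, and the same patch splices it verbatim into a shell block with `{{% param netpolNS %}}`; keeping the key to the bare namespace name and adding `--namespace` in the markdown where it is used would keep shell syntax out of the config and make a wrong value fail as a bad namespace rather than as a malformed command. As rendered here the namespace reads `-netpol`; if a prefix was meant to precede it, nothing in this hunk shows it, so it is worth confirming before the value is relied on. Patch 4 of this series changes the default to `"something else"`, which the param would render into every non-OpenShift `kubectl apply` line as two stray arguments, and patch 5 drops the parameter again, so if the approach is abandoned the four config patches would be better squashed out of the series than merged as they stand.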
@@ -22,10 +28,16 @@ The application consists of two client deployments (`frontend` and `not-frontend Create a file `simple-app.yaml` with the above content. +{{% onlyWhen openshift %}} +{{% alert title="Warning" color="warning" %}} +Remember to use the namespace `-netpol`, otherwise this lab will not work! +{{% /alert %}} +{{% /onlyWhen %}} + Deploy the app: ```bash -kubectl apply -f simple-app.yaml +kubectl apply -f simple-app.yaml {{% param netpolNS %}} ``` this gives you the following output: From 9fd569455c37920731d148e02c73efb131ac5bc7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beat=20Sch=C3=A4rz?= Date: Wed, 27 Sep 2023 16:51:31 +0200 Subject: [PATCH 2/7] try global config for netpol ns --- config/_default/config.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/_default/config.toml b/config/_default/config.toml index 79430bd7..0f0f99f6 100644 --- a/config/_default/config.toml +++ b/config/_default/config.toml @@ -79,6 +79,7 @@ enabledModule = "base cloudscale" distroName = "Kubernetes" cliToolName = "kubectl" customer = "none" +netpolNS = "" [params.images] deployment-image-url = "quay.io/acend/example-web-go:latest" From 59aaee021ed4538c47399406dafb0a200490c3d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beat=20Sch=C3=A4rz?= Date: Wed, 27 Sep 2023 16:56:42 +0200 Subject: [PATCH 3/7] try global config for netpol ns --- config/baloise/config.toml | 1 + config/sbb/config.toml | 1 + config/techlab/config.toml | 1 + 3 files changed, 3 insertions(+) diff --git a/config/baloise/config.toml b/config/baloise/config.toml index 1b58f24a..3c6de4d2 100644 --- a/config/baloise/config.toml +++ b/config/baloise/config.toml @@ -11,6 +11,7 @@ distroName = "OpenShift" cliToolName = "oc" automaticSectionNumbers = true customer = "baloise" +netpolNS = "" [params.images] deployment-image-url = "REGISTRY-URL/acend/example-web-go:latest" diff --git a/config/sbb/config.toml b/config/sbb/config.toml index 05b83b8b..9e900994 100644 --- a/config/sbb/config.toml 
+++ b/config/sbb/config.toml
@@ -10,6 +10,7 @@ enabledModule = "base ocplight nosecurity openshift sbb"
 distroName = "OpenShift"
 cliToolName = "oc"
 automaticSectionNumbers = true
+netpolNS = ""
 
 [params.images]
 training-image-url = "quay.io/appuio/example-spring-boot:latest"
diff --git a/config/techlab/config.toml b/config/techlab/config.toml
index 6f3836d0..41acf275 100644
--- a/config/techlab/config.toml
+++ b/config/techlab/config.toml
@@ -31,6 +31,7 @@ imagePrefix = "appuio_"
 enabledModule = "base ocplight nosecurity openshift techlab"
 distroName = "OpenShift"
 cliToolName = "oc"
+netpolNS = ""
 
 ############################## social links ##############################
 [params.links]

From 0496b2aa044c712c9a82aaa18d1739803013974d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beat=20Sch=C3=A4rz?=
Date: Wed, 27 Sep 2023 17:08:10 +0200
Subject: [PATCH 4/7] try global config for netpol ns

---
 config/_default/config.toml | 2 +-
 config/baloise/config.toml | 1 -
 config/sbb/config.toml | 1 -
 config/techlab/config.toml | 1 -
 4 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/config/_default/config.toml b/config/_default/config.toml
index 0f0f99f6..8a93aa32 100644
--- a/config/_default/config.toml
+++ b/config/_default/config.toml
@@ -79,7 +79,7 @@ enabledModule = "base cloudscale"
 distroName = "Kubernetes"
 cliToolName = "kubectl"
 customer = "none"
-netpolNS = ""
+netpolNS = "something else"
 
 [params.images]
 deployment-image-url = "quay.io/acend/example-web-go:latest"
diff --git a/config/baloise/config.toml b/config/baloise/config.toml
index 3c6de4d2..1b58f24a 100644
--- a/config/baloise/config.toml
+++ b/config/baloise/config.toml
@@ -11,7 +11,6 @@ distroName = "OpenShift"
 cliToolName = "oc"
 automaticSectionNumbers = true
 customer = "baloise"
-netpolNS = ""
 
 [params.images]
 deployment-image-url = "REGISTRY-URL/acend/example-web-go:latest"
diff --git a/config/sbb/config.toml b/config/sbb/config.toml
index 9e900994..05b83b8b 100644
--- a/config/sbb/config.toml
+++ b/config/sbb/config.toml
@@ -10,7 +10,6 @@ enabledModule = "base ocplight nosecurity openshift sbb"
 distroName = "OpenShift"
 cliToolName = "oc"
 automaticSectionNumbers = true
-netpolNS = ""
 
 [params.images]
 training-image-url = "quay.io/appuio/example-spring-boot:latest"
diff --git a/config/techlab/config.toml b/config/techlab/config.toml
index 41acf275..6f3836d0 100644
--- a/config/techlab/config.toml
+++ b/config/techlab/config.toml
@@ -31,7 +31,6 @@ imagePrefix = "appuio_"
 enabledModule = "base ocplight nosecurity openshift techlab"
 distroName = "OpenShift"
 cliToolName = "oc"
-netpolNS = ""
 
 ############################## social links ##############################
 [params.links]

From 218fef7a2255a333fef37dee2cf03e9a52cdac61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beat=20Sch=C3=A4rz?=
Date: Thu, 28 Sep 2023 08:25:40 +0200
Subject: [PATCH 5/7] not gonna try with global vars - just inserted onlyWhens

---
 config/_default/config.toml | 1 -
 config/openshift/config.toml | 1 -
 .../docs/security/network-policies/_index.md | 96 ++++++++++++++++++-
 3 files changed, 94 insertions(+), 4 deletions(-)

diff --git a/config/_default/config.toml b/config/_default/config.toml
index 8a93aa32..79430bd7 100644
--- a/config/_default/config.toml
+++ b/config/_default/config.toml
@@ -79,7 +79,6 @@ enabledModule = "base cloudscale"
 distroName = "Kubernetes"
 cliToolName = "kubectl"
 customer = "none"
-netpolNS = "something else"
 
 [params.images]
 deployment-image-url = "quay.io/acend/example-web-go:latest"
diff --git a/config/openshift/config.toml b/config/openshift/config.toml
index ebef8cba..90270615 100644
--- a/config/openshift/config.toml
+++ b/config/openshift/config.toml
@@ -9,4 +9,3 @@ title = "OpenShift Basics Training"
 enabledModule = "base openshift"
 distroName = "OpenShift"
 cliToolName = "oc"
-netpolNS = "--namespace -netpol"
diff --git a/content/en/docs/security/network-policies/_index.md b/content/en/docs/security/network-policies/_index.md
index 3eb50da6..8b0d2098 100644
--- a/content/en/docs/security/network-policies/_index.md +++ b/content/en/docs/security/network-policies/_index.md @@ -17,7 +17,6 @@ For this lab to work it is vital that you use the namespace `-netpol`! {{% /alert %}} {{% /onlyWhen %}} - ### {{% task %}} Deploy a simple frontend/backend application First we need a simple application to show the effects on Kubernetes network policies. Let's have a look at the following resource definitions: @@ -36,9 +35,16 @@ Remember to use the namespace `-netpol`, otherwise this lab will not w Deploy the app: +{{% onlyWhen openshift %}} +```bash +kubectl apply -f simple-app.yaml --namespace -netpol +``` +{{% /onlyWhen %}} +{{% onlyWhenNot openshift %}} ```bash -kubectl apply -f simple-app.yaml {{% param netpolNS %}} +kubectl apply -f simple-app.yaml ``` +{{% /onlyWhenNot %}} this gives you the following output: @@ -51,9 +57,17 @@ service/backend created Verify with the following command that everything is up and running: +{{% onlyWhen openshift %}} +```bash +kubectl get all --namespace -netpol +``` +{{% /onlyWhen %}} +{{% onlyWhenNot openshift %}} ```bash kubectl get all ``` +{{% /onlyWhenNot %}} + ``` NAME READY STATUS RESTARTS AGE 
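Review bot: Every command block in this patch now exists twice, as an `onlyWhen openshift` copy and an `onlyWhenNot openshift` copy that differ only by `--namespace -netpol`, starting with `kubectl apply -f simple-app.yaml` and `kubectl get all` here and continuing through the `export FRONTEND` / `exec` blocks, the `backend-ingress-deny` steps and the `backend-allow-ingress-frontend` steps in the following hunks. Two copies of each command will drift the first time one of them is edited. Patch 7 of this series shows `{{% param cliToolName %}}` expanding inside these same fences, so a per-distro namespace parameter that is empty outside OpenShift would collapse each pair into one block; the commit message says that route was abandoned, and a short comment in the markdown source saying why would save the next editor from retrying it.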
@@ -78,18 +92,41 @@ replicaset.apps/not-frontend-8f467ccbd 1 1 1 3m17s Let us make life a bit easier by storing the pods name into an environment variable so we can reuse it later again: +{{% onlyWhen openshift %}} +```bash +export FRONTEND=$(kubectl get pods -l app=frontend --namespace -netpol -o jsonpath='{.items[0].metadata.name}') +echo ${FRONTEND} +export NOT_FRONTEND=$(kubectl get pods -l app=not-frontend --namespace -netpol -o jsonpath='{.items[0].metadata.name}') +echo ${NOT_FRONTEND} +``` +{{% /onlyWhen %}} +{{% onlyWhenNot openshift %}} ```bash export FRONTEND=$(kubectl get pods -l app=frontend -o jsonpath='{.items[0].metadata.name}') echo ${FRONTEND} export NOT_FRONTEND=$(kubectl get pods -l app=not-frontend -o jsonpath='{.items[0].metadata.name}') echo ${NOT_FRONTEND} ``` +{{% /onlyWhenNot %}} ## {{% task %}} Verify connectivity Now we generate some traffic as a baseline test. +{{% onlyWhen openshift %}} +```bash +kubectl exec --namespace -netpol -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +``` + +and + + +```bash +kubectl exec --namespace -netpol -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +``` +{{% /onlyWhen %}} +{{% onlyWhenNot openshift %}} ```bash kubectl exec -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` @@ -100,6 +137,8 @@ and ```bash kubectl exec -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` +{{% /onlyWhenNot %}} + This will execute a simple `curl` call from the `frontend` and `not-frondend` application to the `backend` application: 
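Review bot: In the `onlyWhen openshift` copy of the baseline connectivity test, `and` is followed by two blank lines before the second code fence, while the `onlyWhenNot` copy below it and the later repeats of the same block use one. If the linter that patch 6 of this series is fixing for checks consecutive blank lines, it will flag this spot; dropping one of the two `+` blank lines keeps the two copies identical apart from the namespace flag.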
@@ -148,6 +187,18 @@ The policy will deny all ingress traffic as it is of type Ingress but specifies Ok, then let's create the policy with: +{{% onlyWhen openshift %}} +```bash +kubectl apply -f backend-ingress-deny.yaml --namespace -netpol +``` + +and you can verify the created `NetworkPolicy` with: + +```bash +kubectl get netpol --namespace -netpol +``` +{{% /onlyWhen %}} +{{% onlyWhenNot openshift %}} ```bash kubectl apply -f backend-ingress-deny.yaml ``` @@ -157,6 +208,7 @@ and you can verify the created `NetworkPolicy` with: ```bash kubectl get netpol ``` +{{% /onlyWhenNot %}} which gives you an output similar to this: @@ -172,6 +224,18 @@ backend-ingress-deny app=backend 2s We can now execute the connectivity check again: +{{% onlyWhen openshift %}} +```bash +kubectl exec --namespace -netpol -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +``` + +and + +```bash +kubectl exec --namespace -netpol -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +``` +{{% /onlyWhen %}} +{{% onlyWhenNot openshift %}} ```bash kubectl exec -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` @@ -181,6 +245,7 @@ and ```bash kubectl exec -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` +{{% /onlyWhenNot %}} but this time you see that the `frontend` and `not-frontend` application cannot connect anymore to the `backend`: 
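Review bot: `kubectl apply -f backend-ingress-deny.yaml --namespace -netpol` is the step where forgetting the flag the page calls vital does real damage: without it the policy is created in whatever namespace the user's current context points at, and since it selects `app=backend` with no allowed ingress it cuts off ingress to any pod carrying that label there, while the lab itself merely appears not to work because its own pods are untouched. The `kubectl get netpol --namespace -netpol` step right below is the natural place to catch this; a sentence there saying that an empty list means the policy was created in another namespace and should be deleted from it before continuing would turn the warning into something a reader can act on. The same applies to the `backend-allow-ingress-frontend` apply in the next hunk.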
@@ -230,12 +295,31 @@ The file should look like this: Apply the new policy: +{{% onlyWhen openshift %}} +```bash +kubectl apply -f backend-allow-ingress-frontend.yaml --namespace -netpol +``` +{{% /onlyWhen %}} +{{% onlyWhenNot openshift %}} ```bash kubectl apply -f backend-allow-ingress-frontend.yaml ``` +{{% /onlyWhenNot %}} and then execute the connectivity test again: +{{% onlyWhen openshift %}} +```bash +kubectl exec --namespace -netpol -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +``` + +and + +```bash +kubectl exec --namespace -netpol -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +``` +{{% /onlyWhen %}} +{{% onlyWhenNot openshift %}} ```bash kubectl exec -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` @@ -245,6 +329,7 @@ and ```bash kubectl exec -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` +{{% /onlyWhenNot %}} This time, the `frontend` application is able to connect to the `backend` but the `not-frontend` application still cannot connect to the `backend`: @@ -271,9 +356,16 @@ command terminated with exit code 28 Note that this is working despite the fact we did not delete the previous `backend-ingress-deny` policy: +{{% onlyWhen openshift %}} +```bash +kubectl get netpol --namespace -netpol +``` +{{% /onlyWhen %}} +{{% onlyWhenNot openshift %}} ```bash kubectl get netpol ``` +{{% /onlyWhenNot %}} ``` NAME POD-SELECTOR AGE From 532e12f0801fcb1c8aa4274426b3cd15dd975db9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beat=20Sch=C3=A4rz?= Date: Thu, 28 Sep 2023 08:27:46 +0200 Subject: [PATCH 6/7] fix lint --- content/en/docs/security/network-policies/_index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/en/docs/security/network-policies/_index.md b/content/en/docs/security/network-policies/_index.md index 8b0d2098..257fa44b 100644 --- a/content/en/docs/security/network-policies/_index.md +++ b/content/en/docs/security/network-policies/_index.md 
@@ -17,6 +17,7 @@ For this lab to work it is vital that you use the namespace `-netpol`! {{% /alert %}} {{% /onlyWhen %}} + ### {{% task %}} Deploy a simple frontend/backend application First we need a simple application to show the effects on Kubernetes network policies. Let's have a look at the following resource definitions: From ffcbb720857ba5739cd4d9045fbe1dd635814a62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beat=20Sch=C3=A4rz?= Date: Thu, 28 Sep 2023 08:31:09 +0200 Subject: [PATCH 7/7] fix kubectl -> {{% param cliToolName %}} --- .../docs/security/network-policies/_index.md | 56 +++++++++---------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/content/en/docs/security/network-policies/_index.md b/content/en/docs/security/network-policies/_index.md index 257fa44b..3111c3ae 100644 --- a/content/en/docs/security/network-policies/_index.md +++ b/content/en/docs/security/network-policies/_index.md @@ -38,12 +38,12 @@ Deploy the app: {{% onlyWhen openshift %}} ```bash -kubectl apply -f simple-app.yaml --namespace -netpol +{{% param cliToolName %}} apply -f simple-app.yaml --namespace -netpol ``` {{% /onlyWhen %}} {{% onlyWhenNot openshift %}} ```bash -kubectl apply -f simple-app.yaml +{{% param cliToolName %}} apply -f simple-app.yaml ``` {{% /onlyWhenNot %}} @@ -60,12 +60,12 @@ Verify with the following command that everything is up and running: {{% onlyWhen openshift %}} ```bash -kubectl get all --namespace -netpol +{{% param cliToolName %}} get all --namespace -netpol ``` {{% /onlyWhen %}} {{% onlyWhenNot openshift %}} ```bash -kubectl get all +{{% param cliToolName %}} get all ``` {{% /onlyWhenNot %}} 
@@ -95,17 +95,17 @@ Let us make life a bit easier by storing the pods name into an environment varia {{% onlyWhen openshift %}} ```bash -export FRONTEND=$(kubectl get pods -l app=frontend --namespace -netpol -o jsonpath='{.items[0].metadata.name}') +export FRONTEND=$({{% param cliToolName %}} get pods -l app=frontend --namespace -netpol -o jsonpath='{.items[0].metadata.name}') echo ${FRONTEND} -export NOT_FRONTEND=$(kubectl get pods -l app=not-frontend --namespace -netpol -o jsonpath='{.items[0].metadata.name}') +export NOT_FRONTEND=$({{% param cliToolName %}} get pods -l app=not-frontend --namespace -netpol -o jsonpath='{.items[0].metadata.name}') echo ${NOT_FRONTEND} ``` {{% /onlyWhen %}} {{% onlyWhenNot openshift %}} ```bash -export FRONTEND=$(kubectl get pods -l app=frontend -o jsonpath='{.items[0].metadata.name}') +export FRONTEND=$({{% param cliToolName %}} get pods -l app=frontend -o jsonpath='{.items[0].metadata.name}') echo ${FRONTEND} -export NOT_FRONTEND=$(kubectl get pods -l app=not-frontend -o jsonpath='{.items[0].metadata.name}') +export NOT_FRONTEND=$({{% param cliToolName %}} get pods -l app=not-frontend -o jsonpath='{.items[0].metadata.name}') echo ${NOT_FRONTEND} ``` {{% /onlyWhenNot %}} 
@@ -117,26 +117,26 @@ Now we generate some traffic as a baseline test. {{% onlyWhen openshift %}} ```bash -kubectl exec --namespace -netpol -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +{{% param cliToolName %}} exec --namespace -netpol -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` and ```bash -kubectl exec --namespace -netpol -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +{{% param cliToolName %}} exec --namespace -netpol -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` {{% /onlyWhen %}} {{% onlyWhenNot openshift %}} ```bash -kubectl exec -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +{{% param cliToolName %}} exec -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` and ```bash -kubectl exec -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +{{% param cliToolName %}} exec -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` {{% /onlyWhenNot %}} @@ -190,24 +190,24 @@ Ok, then let's create the policy with: {{% onlyWhen openshift %}} ```bash -kubectl apply -f backend-ingress-deny.yaml --namespace -netpol +{{% param cliToolName %}} apply -f backend-ingress-deny.yaml --namespace -netpol ``` and you can verify the created `NetworkPolicy` with: ```bash -kubectl get netpol --namespace -netpol +{{% param cliToolName %}} get netpol --namespace -netpol ``` {{% /onlyWhen %}} {{% onlyWhenNot openshift %}} ```bash -kubectl apply -f backend-ingress-deny.yaml +{{% param cliToolName %}} apply -f backend-ingress-deny.yaml ``` and you can verify the created `NetworkPolicy` with: ```bash -kubectl get netpol +{{% param cliToolName %}} get netpol ``` {{% /onlyWhenNot %}} 
@@ -227,24 +227,24 @@ We can now execute the connectivity check again: {{% onlyWhen openshift %}} ```bash -kubectl exec --namespace -netpol -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +{{% param cliToolName %}} exec --namespace -netpol -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` and ```bash -kubectl exec --namespace -netpol -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +{{% param cliToolName %}} exec --namespace -netpol -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` {{% /onlyWhen %}} {{% onlyWhenNot openshift %}} ```bash -kubectl exec -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +{{% param cliToolName %}} exec -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` and ```bash -kubectl exec -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +{{% param cliToolName %}} exec -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` {{% /onlyWhenNot %}} @@ -298,12 +298,12 @@ Apply the new policy: {{% onlyWhen openshift %}} ```bash -kubectl apply -f backend-allow-ingress-frontend.yaml --namespace -netpol +{{% param cliToolName %}} apply -f backend-allow-ingress-frontend.yaml --namespace -netpol ``` {{% /onlyWhen %}} {{% onlyWhenNot openshift %}} ```bash -kubectl apply -f backend-allow-ingress-frontend.yaml +{{% param cliToolName %}} apply -f backend-allow-ingress-frontend.yaml ``` {{% /onlyWhenNot %}} 
@@ -311,24 +311,24 @@ and then execute the connectivity test again: {{% onlyWhen openshift %}} ```bash -kubectl exec --namespace -netpol -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +{{% param cliToolName %}} exec --namespace -netpol -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` and ```bash -kubectl exec --namespace -netpol -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +{{% param cliToolName %}} exec --namespace -netpol -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` {{% /onlyWhen %}} {{% onlyWhenNot openshift %}} ```bash -kubectl exec -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +{{% param cliToolName %}} exec -ti ${FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` and ```bash -kubectl exec -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 +{{% param cliToolName %}} exec -ti ${NOT_FRONTEND} -- curl -I --connect-timeout 5 backend:8080 ``` {{% /onlyWhenNot %}} @@ -359,12 +359,12 @@ Note that this is working despite the fact we did not delete the previous `backe {{% onlyWhen openshift %}} ```bash -kubectl get netpol --namespace -netpol +{{% param cliToolName %}} get netpol --namespace -netpol ``` {{% /onlyWhen %}} {{% onlyWhenNot openshift %}} ```bash -kubectl get netpol +{{% param cliToolName %}} get netpol ``` {{% /onlyWhenNot %}}