Calico and stars policy

Anirban Sen Chowdhary

Transcript of Calico and stars policy

Page 1: Calico and stars policy

Anirban Sen Chowdhary

Page 2: Calico and stars policy

“Project Calico is the world's simplest, most scalable, open networking solution for OpenStack”. 

Calico is a pure layer 3 approach to virtual networking for highly scalable and flexible data centers. It is an open-source technology that implements large, standards-based cloud data center infrastructures.

Calico supports rich and flexible network policy that is enforced on every node in a cluster, to provide tenant isolation, security groups, and external reachability constraints.

Page 3: Calico and stars policy

Calico has the following features:


Page 8: Calico and stars policy

There is a security layer in Calico that enables developers and operations staff to easily define, with fine granularity, which connections are allowed and which are not. These rules implement and extend the Kubernetes NetworkPolicy API.

Page 9: Calico and stars policy

There are basically three policy demos we can configure:
* Simple Policy Demo
* Stars Policy Demo
* Advanced Policy Demo

Page 10: Calico and stars policy

We will go through an overview of the Stars Policy Demo.

Page 11: Calico and stars policy
Page 12: Calico and stars policy

The demo sets up a frontend service, a backend service and a client service, all running on Kubernetes. It then configures network policy on each service.

Page 13: Calico and stars policy

We need a Kubernetes installation that includes the NetworkPolicy API. We then need to get the following: Calico

and then change into the star-policy directory of Calico.

Page 14: Calico and stars policy

1) Create the frontend, backend, client and management-ui apps:

The management UI runs as a NodePort Service on Kubernetes and shows the connectivity of the Services. Once all the pods are started, they should have full connectivity.

Page 15: Calico and stars policy

2) Enable isolation:

The following commands will prevent all access to the frontend, backend and client Services.

Now refresh the management UI; it may take up to 10 seconds for changes to be reflected. Since we have enabled isolation, the UI is no longer able to reach the pods, and for that reason they no longer show up in the UI.

Page 16: Calico and stars policy

3) Allow the UI to access the Services using NetworkPolicy objects:

For this we apply allow-ui.yaml and allow-ui-client.yaml.

If we refresh the UI again after a few seconds, it should now show the Services, but they should still not be able to access each other.

Page 17: Calico and stars policy

4) Create the backend-policy.yaml file to allow traffic from the frontend to the backend:

We can now observe the following:

* The frontend can now access the backend.
* The backend cannot access the frontend at all.
* The client cannot access the frontend, nor can it access the backend.

Page 18: Calico and stars policy

5) Expose the frontend service to the client namespace:

Now the client can access the frontend, but not the backend. Neither the frontend nor the backend can initiate connections to the client. The frontend can still access the backend.

As we can see at the end, we apply frontend-policy.yaml to create the policy that allows access to the frontend.
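The steps 2 to 5 above each apply one NetworkPolicy, but the slides do not show the manifests. The following is an added example (written for this page, not the Calico demo's own manifest files) of what that policy progression looks like as Kubernetes NetworkPolicy objects. It assumes a labelling scheme that is not stated on the slides: the frontend and backend pods live in a namespace called stars and carry the labels role=frontend and role=backend, the client pod lives in a namespace called client whose namespace object is labelled role=client, and the management UI lives in a namespace labelled role=management-ui. The port numbers are also assumptions.

```yaml
# Added example, not the demo's own files. Assumed labels: namespace "stars"
# (pods labelled role=frontend / role=backend), namespace "client" (namespace
# labelled role=client), namespace for the UI labelled role=management-ui.
# Port numbers (80 for the frontend, 6379 for the backend) are assumed too.
---
# Step 2, "enable isolation": an empty podSelector selects every pod in the
# namespace, and listing Ingress in policyTypes with no ingress rules means
# nothing is allowed in. Apply this once per namespace (stars and client),
# e.g. kubectl apply -n stars -f default-deny.yaml.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Step 3, allow-ui: let the management UI namespace reach every pod in stars.
# Policies are additive, so this is a union with default-deny, not an override.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ui
  namespace: stars
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: management-ui
---
# Step 3, allow-ui-client: the same rule for the client namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ui-client
  namespace: client
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: management-ui
---
# Step 4, backend-policy: only frontend pods in the same namespace may reach
# the backend, and only on its service port. Nothing here allows ingress to
# the frontend from the backend, so backend -> frontend stays denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: stars
spec:
  podSelector:
    matchLabels:
      role: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
---
# Step 5, frontend-policy: pods in any namespace labelled role=client may
# reach the frontend on port 80. The backend is not selected by this policy,
# so client -> backend remains denied; and because the client namespace only
# admits the UI, frontend/backend -> client is denied as well.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-policy
  namespace: stars
spec:
  podSelector:
    matchLabels:
      role: frontend
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: client
    ports:
    - protocol: TCP
      port: 80
```

Two points worth checking in your own cluster. First, a NetworkPolicy only takes effect because a CNI such as Calico enforces it; on a cluster without a policy-capable CNI the objects are accepted by the API server and silently do nothing, so verify each step from inside a pod (for example with kubectl exec into the client pod and a short-timeout HTTP request to the frontend service) rather than trusting the manifest alone. Second, all of these policies restrict ingress only; with only Ingress listed in policyTypes, egress from every pod stays unrestricted, which is why the connectivity results on the slides are explained entirely by which pods are allowed to receive connections.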

Page 19: Calico and stars policy

In the next slides, we will give an overview of the other policy demos.

Let's share our knowledge and effort with the community so that the Calico community grows.

Page 20: Calico and stars policy

For more information visit

Page 21: Calico and stars policy