projectcalico / canal

Policy based networking for cloud native applications

Calico network & on premises network fabric

prasenforu opened this issue · comments

Communication between calico network & Datacenter network with firewall.

I came across a use case where this discussion applies.

Let me explain briefly.

We are running multiple pods inside a Kubernetes platform. Take for example APP-1, APP-2, APP-3.

Now my multiple databases (DB-1, DB-2, DB-3) are running outside the Kubernetes cluster. In front of all the databases there is a firewall.

Now only App-1 can connect to DB-1; no other container should connect to DB-1. Similarly, only App-2 should connect to DB-2, not the others, and the same way for App-3.

As Kubernetes uses flat networking, each container can talk to the others, even outside the Kubernetes cluster.

Can you please explain how the network policy would look in this scenario, and what changes (rules or policy) we have to make in the external firewall.

I'm copying some of my answer from your question under the other issue #87. When I answered there I did not realize the repo this was in and answered thinking this was an all Calico setup (calico for networking too).

  • If you are only concerned about limiting the traffic from pods, it is possible to write policy that applies to all pods except certain pods, so you could have a policy that applies to all pods except APP-1 and denies traffic to DB-1.
    • This would require the DB firewalls to allow traffic from all the K8s hosts and depend on the policy applied to pods.
    • This would also mean that any pods run with host networking could access the DBs.
  • Use host networking on the APP pods; then traffic would not be NAT'ed and could be restricted by port.

@kprabhak Would you have any suggestions or other alternatives for the above comment/question? Keep in mind that this question is with Canal (I only mention that because I didn't realize that on the other question).
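As an added example (not part of the thread, and not the project's own sample), this is how the first bullet above, "a policy that applies to all pods except APP-1 and denies traffic to DB-1", can be written with the Calico v3 policy API. It assumes the APP pods carry an `app` label (`app=app-1`, `app=app-2`, ...), that DB-1 is reachable at 10.10.1.5 on TCP 3306 (a constructed address), and that policy is applied with `calicoctl`; all of those are assumptions, not values from the thread.

```yaml
# Added example: Calico GlobalNetworkPolicy that denies DB-1 to every workload
# except the APP-1 pods. Assumed: Calico v3 API, label app=app-1 on the APP-1
# pods, DB-1 at 10.10.1.5:3306 (constructed). Not from the original thread.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-db1-except-app1
spec:
  # Matches every workload whose app label is anything other than app-1,
  # including workloads with no app label at all. GlobalNetworkPolicy is
  # cluster-wide, so this is not limited to one namespace.
  selector: app != 'app-1'
  # Lower order values are evaluated first; keep this ahead of any broad
  # allow policies you add later.
  order: 100
  types:
    - Egress
  egress:
    # Drop connections to the DB-1 listener.
    - action: Deny
      protocol: TCP
      destination:
        nets:
          - 10.10.1.5/32
        ports:
          - 3306
    # Calico drops traffic that matches no rule once a policy applies to the
    # endpoint, so a trailing Allow keeps all other egress working as before.
    - action: Allow
```

Apply it with `calicoctl apply -f deny-db1-except-app1.yaml`. The two caveats in the thread still hold: the datacenter firewall in front of DB-1 has to permit the node IPs (because pod traffic leaving the cluster is NAT'ed to the node address in a Canal/flannel setup), and a pod started with `hostNetwork: true` is not a Calico workload endpoint, so this policy does not apply to it. The same pattern, one GlobalNetworkPolicy per database with the matching `app != 'app-N'` selector, covers DB-2 and DB-3.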

If I use host networking on the APP pods, then DB firewalls need to allow traffic from all the K8s hosts.

Not sure how traffic will be restricted by port, because we cannot control the source port number when APP pod traffic exits from the K8s hosts.

You're right, I was wrong with my Host networking comments.

Though you can use a node selector to specify which node(s) the app will be started on; then you could limit the hosts the traffic would be coming from.

If I allow that host, then if 50 pods are running on that host, all of those pods are allowed to connect to the DB server, because you set a rule in the firewall allowing that host (IP).
So again it does not fulfill my requirement.

Those pods would not be allowed to connect if you wrote policy that denied that traffic, unless you are running pods with host networking. That is what my 1st bullet point was about.

I know you are using canal but could you switch to Calico for networking (instead of flannel) and then peer with your network fabric and then the traffic from the pods could be routed directly without being NAT'ed. Then the firewalls could allow traffic from those specific pod IPs.

@gunjan5 Do you know if there are any features with flannel that would allow what @prasenforu is trying to do?
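As an added example of the alternative suggested above (Calico for networking instead of flannel, peered with the datacenter fabric so pod traffic leaves the node un-NAT'ed), here are the Calico v3 resources involved. This is not code from the thread or from the project's documentation. The router address 10.0.0.1, its AS 65000, the cluster AS 64512, and the pod CIDRs are constructed; a real deployment takes these from the network team.

```yaml
# Added example: BGP peering and a non-NAT IP pool so the DC firewall sees real
# pod IPs. Assumed values: top-of-rack router 10.0.0.1 in AS 65000, cluster AS
# 64512, pod network 192.168.0.0/16. None of these come from the thread.
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default        # this resource must be named "default"
spec:
  logSeverityScreen: Info
  # Keep the node-to-node mesh for intra-cluster routes; the external peer
  # below is in addition to it.
  nodeToNodeMeshEnabled: true
  asNumber: 64512
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: dc-router
spec:
  # Every node peers with the fabric router; add "node: <name>" to the spec
  # to limit a peer to one node instead.
  peerIP: 10.0.0.1
  asNumber: 65000
---
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: default-ipv4-ippool
spec:
  cidr: 192.168.0.0/16
  # The whole point of peering: do not masquerade pod traffic to the node IP,
  # and do not tunnel it, so the firewall sees the pod's own address.
  natOutgoing: false
  ipipMode: Never
---
# Optional: a dedicated pool for the APP-1 pods. Request it with the pod
# annotation cni.projectcalico.org/ipv4pools: '["app1-pool"]'. The firewall
# rule in front of DB-1 can then be "allow 192.168.250.0/24 -> DB-1:3306" and
# nothing else, without caring which node a pod landed on.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: app1-pool
spec:
  cidr: 192.168.250.0/24
  natOutgoing: false
  ipipMode: Never
```

Two checks after applying this with `calicoctl apply -f`: `calicoctl node status` on a node should list the router peer as `Established`, and the fabric side must carry a route back to the pool (otherwise DB replies are dropped before they reach the node). Keep the dedicated pool inside the `--pod-network-cidr` handed to kubeadm so kube-proxy treats it as cluster traffic. A single pod IP is ephemeral, which is why the firewall rule matches the per-application pool rather than individual addresses; the Calico policy in the cluster still decides which pods may use that path.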

OK, I will try with Calico, but please give me a policy example in detail, and also the setup procedure in the latest Kubernetes using kubeadm.

Also I need to understand how to peer with my network fabric and whether there are any challenges.

Today I was able to set up Calico with kubeadm.

But I am facing an issue putting a proper policy in place.

I have 3 pods in the test namespace.

1 mysql db pod
2 php-app1 pod, which will connect to the external db and the internal mysql pod as well.
3 php-app2 pod, which will connect to the external db and the internal mysql pod as well.

Looking for a policy which does the following:

All php-app pods should connect to the internal mysql pod.
But
Only php-app1 should connect to the external db.

There should not be any policy on the internal mysql pod.

If I follow the guideline in advanced-policy, Prevent outgoing connections from pods,
Rule 400 & 500,

then the problem is internal communication with the other pods.

Quick question: is internal communication always by DNS or by IP?

I am using IP but am not able to communicate with the db pod.
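The following is an added example for the three-pod scenario in the last post; it is not an answer from the thread and not the project's documented sample. It assumes the two PHP pods share a label `tier=php-app` and carry `app=php-app1` / `app=php-app2`, the MySQL pod is labelled `app=mysql`, the external database is at 10.10.1.5:3306 (constructed), and the cluster DNS pods in `kube-system` carry `k8s-app=kube-dns` as kubeadm deploys them. The mysql pod matches neither selector, so no policy attaches to it.

```yaml
# Added example: egress policy for the "test" namespace. Assumed labels:
# tier=php-app on both PHP pods, app=php-app1 / app=php-app2, app=mysql on the
# DB pod; external DB at 10.10.1.5:3306 (constructed). Not from the thread.
#
# Common rules for every php-app pod: DNS plus the internal mysql pod.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: php-app-egress
  namespace: test
spec:
  selector: tier == 'php-app'
  order: 100
  types:
    - Egress
  egress:
    # Allow name resolution, otherwise Service names stop resolving while
    # connections by raw pod IP still work. Namespace label
    # projectcalico.org/name is set by Calico on every namespace.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports:
          - 53
    # Every php-app pod may reach the internal mysql pod in this namespace.
    - action: Allow
      protocol: TCP
      destination:
        selector: app == 'mysql'
        ports:
          - 3306
    # No catch-all Deny here: a packet that matches nothing in this policy
    # is handed to the next policy that applies to the pod (below), and only
    # if no policy matches at all does Calico drop it.
---
# Extra rule that applies to php-app1 only.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: php-app1-external-db
  namespace: test
spec:
  selector: app == 'php-app1'
  order: 200
  types:
    - Egress
  egress:
    - action: Allow
      protocol: TCP
      destination:
        nets:
          - 10.10.1.5/32
        ports:
          - 3306
```

The effect: php-app1 is selected by both policies and can reach DNS, the mysql pod and the external DB; php-app2 is selected only by the first, so its attempt to reach 10.10.1.5 matches no rule in any applicable policy and is dropped; the mysql pod has no egress policy at all. The ordering matters for the symptom described in the post: an explicit Deny rule placed before the internal allows, or an egress policy with no allow for the mysql pod, cuts pod-to-pod traffic as well, whether the pods are addressed by Service name or by IP. To confirm which policies Calico attached to a pod, use `calicoctl get networkpolicy -n test -o yaml` and compare the selectors against `kubectl get pods -n test --show-labels`.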