Example: Installing Calico and Setting Up Network Policies

The Kubernetes networking model assumes that every pod has a unique IP address that is routable within the cluster. Pods communicate with each other using those IP addresses, regardless of whether they are deployed on the same node or on different nodes. The Container Network Interface (CNI) is the plugin specification through which Kubernetes asks a network provider to attach each pod to the network and assign its IP address.

By default, pods are non-isolated: they accept traffic from any source. To enhance cluster security, pods can be isolated by selecting them in a network policy (the namespaced Kubernetes NetworkPolicy resource). A network policy is a specification of how groups of pods are allowed to communicate with each other and with other network endpoints. NetworkPolicy resources use labels to select pods and to define rules that specify what traffic is allowed to (ingress) and from (egress) the selected pods. If a NetworkPolicy in a namespace selects a particular pod, that pod rejects any connection that is not allowed by at least one NetworkPolicy selecting it. Policies are additive: there is no way to write a rule that denies a connection another policy allows, and a pod is isolated only for the directions (Ingress, Egress) listed in the policyTypes of the policies that select it. Other pods in the namespace that are not selected by any NetworkPolicy continue to accept all traffic. For more information about network policies, see the Kubernetes documentation.

Network policies are implemented by the CNI network provider. Simply creating the NetworkPolicy resource without a CNI network provider to implement it will have no effect. Note that not all CNI network providers implement the NetworkPolicy resource.

Clusters you create with Container Engine for Kubernetes have flannel installed as the default CNI network provider. flannel is a simple overlay virtual network that satisfies the requirements of the Kubernetes networking model by allocating each pod an IP address from the cluster's pod CIDR block and carrying pod traffic between nodes over the overlay. For more information about flannel, see the flannel documentation.

Although flannel satisfies the requirements of the Kubernetes networking model, it does not support NetworkPolicy resources. If you want to enhance the security of clusters you create with Container Engine for Kubernetes by implementing network policies, you have to install and configure a network provider that does support NetworkPolicy resources. One such provider is Calico (refer to the Kubernetes documentation for a list of other network providers). Calico is an open source networking and network security solution for containers, virtual machines, and native host-based workloads. For more information about Calico, see the Calico documentation.

You can manually install Calico alongside flannel in clusters you have created using Container Engine for Kubernetes.

Installing Calico manually

Having created a cluster using Container Engine for Kubernetes (using either the Console or the API), you can subsequently install Calico on the cluster (alongside flannel) to support network policies.

For convenience, Calico installation instructions are included below, based on Calico version 3.10. Note that Calico installation instructions vary between Calico versions. For information about installing different versions of Calico, always refer to the Calico documentation for installing Calico for network policy enforcement only.

  1. If you haven't already done so, follow the steps to set up the cluster's kubeconfig configuration file and (if necessary) set the KUBECONFIG environment variable to point to the file. Note that you must set up your own kubeconfig file. You cannot access a cluster using a kubeconfig file that a different user set up. See Setting Up Cluster Access.
  2. In a terminal window, download the Calico policy-only manifest for the Kubernetes API datastore by entering:

    $ curl https://docs.projectcalico.org/v3.10/manifests/calico-policy-only.yaml -o calico.yaml

    Note that the url differs, according to the version of Calico that you want to install. Refer to the Calico documentation for instructions to install a particular version of Calico.

  3. The calico.yaml file includes multiple references to the pod CIDR block value. In the downloaded calico.yaml file, the pod CIDR block value is initially set to 192.168.0.0/16. If the pod CIDR block value of the cluster created by Container Engine for Kubernetes is 192.168.0.0/16, skip this step. However, if the pod CIDR block value of the cluster created by Container Engine for Kubernetes is a different value (such as the default value of 10.244.0.0/16), you have to change the initial value in the calico.yaml file. The steps below show one way to do that:

    1. Set the value of an environment variable to the pod CIDR block value. For example, by entering a command like:

      $ export POD_CIDR="10.244.0.0/16"
    2. Replace the default value 192.168.0.0/16 in the calico.yaml file with the actual pod CIDR block value of the cluster created by Container Engine for Kubernetes. For example, by entering a command like:

      $ sed -i -e "s?192.168.0.0/16?$POD_CIDR?g" calico.yaml
  4. The calico.yaml file defines a deployment named calico-typha, which has a replica count of 1 by default. You might want to consider changing this default replica count for large clusters or production environments. Calico recommends:

    • At least one replica for every 200 nodes, up to a maximum of 20.
    • A minimum of three replicas in production environments to reduce the impact of rolling upgrades and failures (the number of replicas should always be less than the number of nodes, otherwise rolling upgrades will stall).

    To change the replica count, open the calico.yaml file in a text editor and change the value of the replicas setting:

    
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: calico-typha
      ...
    spec:
      ...
      replicas: <number-of-replicas>

    Note that the way to set the replica count differs, according to the Calico version you've installed. Refer to the Calico documentation to find out how to set the replica count for the version you've installed.

  5. Install and configure Calico by entering the following command:

    $ kubectl apply -f calico.yaml
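
The five steps above collected into one script, added here as an example; it is not taken from the OCI or Calico documentation. It assumes the v3.10 policy-only manifest URL from step 2, the calico-node DaemonSet and calico-typha Deployment names that manifest creates, and that you pass the cluster's pod CIDR block (from the cluster's settings) explicitly rather than guessing it. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the OCI or Calico documentation): the manual steps
# above as reusable shell functions. Only install_calico talks to a cluster;
# the other functions are pure and can be checked offline.

CALICO_VERSION="${CALICO_VERSION:-v3.10}"
MANIFEST_URL="https://docs.projectcalico.org/${CALICO_VERSION}/manifests/calico-policy-only.yaml"

# Shape-check an IPv4 CIDR (four octets 0-255, prefix 0-32) before it is
# substituted into the manifest, so a typo cannot produce a broken install.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; prefix="${1#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Step 3: replace the manifest's default pod CIDR (192.168.0.0/16 in v3.10)
# with the cluster's actual pod CIDR block. Writes via a temp file, so it
# works the same with GNU and BSD sed.
set_pod_cidr() {
  manifest="$1"; pod_cidr="$2"
  valid_cidr "$pod_cidr" || { echo "invalid pod CIDR: $pod_cidr" >&2; return 1; }
  sed -e "s?192\.168\.0\.0/16?$pod_cidr?g" "$manifest" > "$manifest.tmp" &&
    mv "$manifest.tmp" "$manifest"
}

# Step 4: Calico's typha sizing rule (one replica per 200 nodes, at most 20,
# at least 3 in production, always fewer replicas than nodes so rolling
# upgrades do not stall). A one-node cluster still gets one replica.
typha_replicas() {
  nodes="$1"; production="${2:-yes}"
  replicas=$(( (nodes + 199) / 200 ))
  if [ "$production" = yes ] && [ "$replicas" -lt 3 ]; then replicas=3; fi
  if [ "$replicas" -gt 20 ]; then replicas=20; fi
  if [ "$replicas" -ge "$nodes" ]; then replicas=$(( nodes - 1 )); fi
  if [ "$replicas" -lt 1 ]; then replicas=1; fi
  echo "$replicas"
}

# Change replicas only in the Deployment named calico-typha; a blanket sed on
# "replicas:" would also touch calico-kube-controllers.
set_typha_replicas() {
  manifest="$1"; count="$2"
  awk -v n="$count" '
    /^---/                   { kind = ""; typha = 0 }
    /^kind: /                { kind = $2 }
    /^  name: calico-typha$/ { if (kind == "Deployment") typha = 1 }
    typha && /^  replicas: [0-9]+/ { $0 = "  replicas: " n }
    { print }' "$manifest" > "$manifest.tmp" && mv "$manifest.tmp" "$manifest"
}

# Steps 2 to 5 end to end. Needs curl, kubectl and a KUBECONFIG set up as in
# step 1; the pod CIDR is passed explicitly rather than guessed.
install_calico() {
  pod_cidr="$1"; production="${2:-yes}"
  curl -fsSL "$MANIFEST_URL" -o calico.yaml || return 1
  set_pod_cidr calico.yaml "$pod_cidr" || return 1
  nodes=$(kubectl get nodes --no-headers | wc -l | tr -d ' ')
  set_typha_replicas calico.yaml "$(typha_replicas "$nodes" "$production")" || return 1
  kubectl apply -f calico.yaml || return 1
  # Do not create NetworkPolicies until the enforcement pods are actually up;
  # the resource names are those used by the v3.10 policy-only manifest.
  kubectl -n kube-system rollout status daemonset/calico-node &&
    kubectl -n kube-system rollout status deployment/calico-typha
}

# usage: sh calico-install.sh install 10.244.0.0/16 [yes|no]
if [ "${1:-}" = "install" ]; then
  install_calico "${2:-}" "${3:-yes}"
fi
```

The rollout check at the end matters: `kubectl apply` returns as soon as the API server accepts the objects, and any NetworkPolicy created before calico-node is running on every node is not yet enforced on that node.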

Setting up Network Policies

Having installed Calico on a cluster you've created with Container Engine for Kubernetes, you can create Kubernetes NetworkPolicy resources to isolate pods as required.
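
As an added example, not code from this page or from the OCI or Calico documentation: a default-deny ingress policy for a namespace, an additive allow rule that re-opens one port, and a probe that confirms the policy is actually enforced rather than just accepted by the API server. The namespace shop, the labels app=web and app=frontend, the Service name web and port 80 are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the OCI or Calico docs: a default-deny ingress
# policy for a namespace plus an additive allow rule, with a probe that
# checks enforcement. Namespace, labels, Service name and port are
# illustrative values.

# Every pod in the namespace is selected (podSelector: {}) so all of them
# become isolated for ingress; with no ingress rules, nothing is allowed in.
default_deny_ingress() {
  ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
}

# Policies are additive: this one re-opens a single TCP port on pods labelled
# app=<target> to pods labelled app=<source> in the same namespace, on top of
# the default deny. Nothing else is opened.
allow_from_app() {
  ns="$1"; target="$2"; source="$3"; port="$4"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-$source-to-$target
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app: $target
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: $source
    ports:
    - protocol: TCP
      port: $port
EOF
}

# Apply both policies. Without Calico (or another CNI that enforces
# NetworkPolicy) these objects are accepted by the API server but do nothing.
apply_policies() {
  ns="$1"; target="$2"; source="$3"; port="$4"
  default_deny_ingress "$ns" | kubectl apply -f - &&
    allow_from_app "$ns" "$target" "$source" "$port" | kubectl apply -f -
}

# Probe <host>:<port> from a throwaway pod carrying label app=<label>; prints
# "allowed" or "blocked". kubectl's exit status follows the probe pod's, so a
# wget timeout shows up as "blocked".
probe() {
  ns="$1"; label="$2"; host="$3"; port="$4"
  if kubectl -n "$ns" run "probe-$label" --rm -i --restart=Never \
       --labels="app=$label" --image=busybox:1.36 -- \
       wget -q -T 3 -O /dev/null "http://$host:$port/" >/dev/null 2>&1; then
    echo allowed
  else
    echo blocked
  fi
}

# usage: sh netpol.sh demo   (assumes a Service "web" on port 80 in namespace "shop")
if [ "${1:-}" = "demo" ]; then
  apply_policies shop web frontend 80
  probe shop frontend web 80   # expected: allowed
  probe shop other web 80      # expected: blocked
fi
```

Run the two probes before applying the policies as well: if the second one already reports "blocked", something other than the NetworkPolicy is in the way, and if it still reports "allowed" afterwards, the cluster has no CNI provider enforcing NetworkPolicy.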

For NetworkPolicy examples and how to use them, see the Calico documentation and specifically:

Note that the examples vary, according to the Calico version you've installed.