Tuesday, December 20, 2022

Azure @ Enterprise - Networking at pod level inside AKS using Calico

This post introduces networking inside a Kubernetes cluster at the pod level. A fair question is why we, as application developers, need to worry about networking inside the Kubernetes cluster at all.

It depends on how the Kubernetes cluster is planned in the organization. If we are lucky, our project gets its own Kubernetes cluster. More often we end up as one tenant inside a shared cluster. Suppose our application needs to reach a public API URL: if we open that at the cluster level, every application in the cluster gets the same access, which organizations generally prefer to avoid. Likewise, we don't want some other application in the cluster reaching our database, Redis cache, etc., even if it somehow holds the credentials; a network rule should stop the connection before the credentials matter.
Hence we end up dealing with network policies at the pod level.

Theory

Kubernetes defines the NetworkPolicy resource natively, but core Kubernetes only stores it; it has no built-in mechanism to enforce the rules.

Enforcement is the job of the network plugin (CNI) installed in the cluster. A practical caveat follows from this: on a cluster whose plugin does not implement network policy, a NetworkPolicy object is accepted by the API server and silently has no effect, so always verify enforcement with a test connection rather than trusting that the object exists. For more theory please read the Kubernetes docs. Now let us come to some practicals.

Azure NPM v/s Calico

Since we are going to use Azure Kubernetes Service, we can focus on the two plugins that AKS supports natively: Azure NPM (Network Policy Manager) and Calico.

We may be tempted to assume that Azure NPM is the more complete option in AKS because both start with "Azure", but the reality is otherwise. As of writing this post, Calico has the broader support, including Windows Server 2019 node pools in AKS, while some Azure NPM features are still in preview. See the AKS documentation's comparison of Azure NPM and Calico for details.

As the title of the post shows we are going to use Calico.

Installation of Calico on AKS

As per the Calico documentation, there is a way to install Calico on an existing AKS cluster. But when I followed it, it was not working efficiently.
So it is better to enable Calico when creating the AKS cluster.

What a network policy looks like

Networking feels alien to at least some developers. It seems to require knowledge of IP addresses and CIDR notation, complex network setup screens or commands, etc. But don't worry: with Kubernetes the network rules are declared in YAML files like any other resource.

If YAML feels alien to a developer nowadays, they should rethink being a developer.

Sample

Enough theory. Please clone the repo below and check out how the network policies are applied.
Step-by-step details are not going to be added here, as that sample will get more scenarios in the future.


All are welcome to give PRs or add issues to the repo.
