0

I have an application running with the Kubernetes orchestrator. I want to implement Calico network policy on the basis of CIDR so that I can control the pod's traffic (incoming and outgoing). I am looking for the prerequisite installation (any plugin) and what changes (Calico YAML file or manifest file) are required to achieve this.

Some explanation about steps that need to be implemented will be appreciated.

Wytrzymały Wiktor
solveit

2 Answers

1

Well, prerequisites depend on whether you want to use plain Kubernetes NetworkPolicies or Calico NetworkPolicies.

You will need to have a CNI plugin deployed which implements the NetworkPolicy specification either way. Calico supports plain NetPols as well as its own NetPol implementation.

  1. check your deployed CNI plugin
  2. check if your deployed CNI plugin implements network policies
  3. create NetworkPolicy Kubernetes resources and deploy them
meaningqo
  • Then check if there is no other CNI plugin deployed. If there is, remove it (k3s comes with traefik for CNI functionality, if I remember correctly) and then deploy the Calico CNI plugin (https://docs.projectcalico.org/getting-started/kubernetes/self-managed-onprem/onpremises) and start creating your netpols :) – meaningqo Jun 22 '21 at 06:56
  • But how do I control the incoming and outgoing traffic on the basis of domain? Where can I find that? – solveit Jun 23 '21 at 05:41
  • Check the documentation here (https://kubernetes.io/docs/concepts/services-networking/network-policies/); there are examples with CIDR, which is what you wanted according to your question. – meaningqo Jun 23 '21 at 06:33
  • This doc is about Kubernetes network policy; will this be the same for Calico net.pol. also? I am looking for steps for Calico net.pol. through which I can control incoming and outgoing traffic on the basis of domain. – solveit Jun 23 '21 at 08:11
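
As an added illustration of step 3 in the answer above (not part of the original answer or comments), the manifests below restrict a pod's ingress and egress by CIDR, first as a plain Kubernetes NetworkPolicy and then as a Calico NetworkPolicy. The namespace `demo`, the label `app: web`, the policy names, the ports and the CIDRs (documentation ranges) are constructed placeholders.

```yaml
# Added example; names, labels, ports and CIDRs are constructed placeholders.
# 1) Plain Kubernetes NetworkPolicy, enforced by a CNI such as Calico or Canal.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-cidr-policy
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: [Ingress, Egress]   # selected pods become default-deny in both directions
  ingress:
    - from:
        - ipBlock:
            cidr: 203.0.113.0/24
            except: [203.0.113.128/25]   # carve a sub-range out of the allowed block
      ports:
        - protocol: TCP
          port: 443
  egress:
    - to:
        - ipBlock:
            cidr: 198.51.100.0/24
      ports:
        - protocol: TCP
          port: 5432
    - ports:                       # no "to": any destination, DNS ports only
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# 2) The same ingress rule as a Calico NetworkPolicy (applied with calicoctl).
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: web-cidr-policy-calico
  namespace: demo
spec:
  selector: app == 'web'
  types: [Ingress]
  ingress:
    - action: Allow
      protocol: TCP
      source:
        nets: [203.0.113.0/24]
        notNets: [203.0.113.128/25]
      destination:
        ports: [443]
```

Without the DNS egress rule, pods selected by an Egress policy lose name resolution. CIDR rules match the address the pod actually sees, so traffic that is source-NATed on its way into the cluster may not match the original client range.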
1

By default, as explained here, K3s runs with the flannel CNI, using VXLAN as the default backend.

To change the CNI you need to run K3s with --flannel-backend=none. For more information please visit custom-CNI section of the docs.

Please note that besides Calico you can run the Canal CNI, which is in fact flannel with Calico network policies available.

acid_fuji