requires communication between different Kubernetes pods, DNS services, and the Kubernetes API server.
This topic describes how to configure Network Policies in Kubernetes clusters that use a Container Network Interface (CNI) type Network Plugin that is configured with restrictive policies. For more information on different types of policies see Network Policies in the Kubernetes documentation.
The following example yaml file shows a strict policy that is the recommended best-practice for some CNIs like Calico:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: MY-NAMESPACE
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
This policy denies ingress and egress for all pods in the namespace called MY-NAMESPACE.
To successfully deploy VMware MySQL you need to allow communication between pods, Operator, API server and services. For details see Allowing Operator Communication and Allowing Instance Communication.
The Operator pods need to communicate with the Kubernetes service, in order to reconcile MySQL instances. This example shows how to amend a strict network policy to permit that communication.
Get the Cluster IP and the port number of the Kubernetes service, which will be used in the NetworkPolicy specification. Use the following command to display this information for the default namespace:
$ kubectl get endpoints --namespace default kubernetes
NAME         ENDPOINTS            AGE
kubernetes   192.168.64.38:8443   42h
Where 192.168.64.38 is the IP address and 8443 the port number in the example scenario.
Using the IP address and port, create the following NetworkPolicy:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: operator-to-apiserver-egress
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: vmware-mysql-operator
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 192.168.64.38/32
    ports:
    - port: 8443
      protocol: TCP
Apply the policy to your cluster, in the namespace that the Operator is deployed in:
$ kubectl apply -n OPERATOR-NAMESPACE -f sample-network-policy.yaml
networkpolicy.networking.k8s.io/operator-to-apiserver-egress created
To ensure that the database and operator pods can communicate for replication and failover, follow these steps:
Allow access to the DNS server for DNS lookup of the other pods’ addresses.
It is recommended to label the kube-system namespace so that the namespaceSelector section of the NetworkPolicy spec can be used easily. For example:
$ kubectl label namespace kube-system networking/namespace=kube-system
namespace/kube-system labeled
The following NetworkPolicy allows all pods in NAMESPACE access to the DNS server:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-access
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          networking/namespace: kube-system
    # 'ports' belongs to the same rule as 'to': as a separate '- ports:' rule
    # it would permit port 53 to any destination, and the 'to' rule would
    # permit every port into kube-system.
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
Save this sample to a file, and apply it to your cluster:
$ kubectl apply -n INSTANCE-NAMESPACE -f dns-policy-sample.yaml
networkpolicy.networking.k8s.io/allow-dns-access created
Allow inter-MySQL cluster communication. The following NetworkPolicy allows the proxy and database pods to communicate (assuming the default MySQL port of 3306).
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-proxy-ingress-egress
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: proxy
  policyTypes:
  - Ingress
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/component: database
    ports:
    - port: 3306
      protocol: TCP
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/component: database
    ports:
    - port: 3306
      protocol: TCP
This policy is attached to the proxy pods only; because the default-deny policy also isolates the database pods, they need a matching policy of their own that admits ingress from the proxy pods on port 3306 before the connection is permitted at both ends.
Save this sample to a file, and apply it to your cluster:
$ kubectl apply -n INSTANCE-NAMESPACE -f proxy-database-ingress-egress.yaml
networkpolicy.networking.k8s.io/database-proxy-ingress-egress created
The MySQL monitor pod needs to communicate with the Kubernetes service to facilitate communication between the client and the database pods.
Use the following command to note the Cluster IP and the port number of the Kubernetes service:
$ kubectl get endpoints --namespace default kubernetes
NAME         ENDPOINTS            AGE
kubernetes   192.168.64.38:8443   42h
where 192.168.64.38 is the IP address and 8443 the port number that will be used to specify the NetworkPolicy for the service.
Using the IP address and port, create the following NetworkPolicy:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: proxy-to-service-ingress-egress
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: proxy
  policyTypes:
  - Egress
  - Ingress
  egress:
  - to:
    - ipBlock:
        cidr: 192.168.64.38/32
    ports:
    - port: 8443
      protocol: TCP
  ingress:
  - from:
    - ipBlock:
        cidr: 192.168.64.38/32
    ports:
    - port: 8443
      protocol: TCP
Save this sample to a file, and apply it to your cluster:
$ kubectl apply -n INSTANCE-NAMESPACE -f proxy-to-service-ingress-egress.yaml
networkpolicy.networking.k8s.io/proxy-to-service-ingress-egress created
where INSTANCE-NAMESPACE is the MySQL instance namespace and proxy-to-service-ingress-egress.yaml is your policy yaml.
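To see what the default-deny, operator-to-apiserver-egress and allow-dns-access policies above actually permit before applying them, here is an added example that is not part of the VMware documentation: a small Python simulator of NetworkPolicy egress semantics (isolation by policyTypes, rules ORed across policies, 'to' and 'ports' ANDed within a rule). It also evaluates a variant of the DNS policy in which ports sits in a second egress rule, to show why the indentation matters. Assumptions: all policies live in the source pod's namespace, policyTypes is always explicit, ipBlock except lists are ignored, and the CoreDNS and external addresses are constructed sample values.

```python
import ipaddress
def selects(selector, labels):
    # An empty selector ({} or matchLabels: {}) selects every pod or namespace.
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def peer_matches(peer, dst):
    # dst = {"ip", "labels", "ns_labels", "same_ns"}; a namespaceSelector alone means all pods in those namespaces.
    if "ipBlock" in peer:
        return ipaddress.ip_address(dst["ip"]) in ipaddress.ip_network(peer["ipBlock"]["cidr"])
    ns_ok = selects(peer["namespaceSelector"], dst["ns_labels"]) if "namespaceSelector" in peer else dst["same_ns"]
    pod_ok = selects(peer["podSelector"], dst["labels"]) if "podSelector" in peer else True
    return ns_ok and pod_ok

def rule_allows(rule, dst, port, proto):
    # Inside one rule, 'to' and 'ports' are ANDed; an absent list means "any".
    peers, ports = rule.get("to", []), rule.get("ports", [])
    return ((not peers or any(peer_matches(p, dst) for p in peers)) and
            (not ports or any(p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)))

def egress_allowed(policies, src_labels, dst, port, proto="TCP"):
    # A pod is egress-isolated once any policy selecting it lists Egress; rules of all selecting policies are ORed.
    isolated = False
    for spec in (p["spec"] for p in policies):
        if not selects(spec["podSelector"], src_labels):
            continue
        if "Egress" in spec["policyTypes"]:
            isolated = True
            if any(rule_allows(r, dst, port, proto) for r in spec.get("egress", [])):
                return True
    return not isolated

# The page's policies as dicts (same namespace assumed; policyTypes explicit; ipBlock.except ignored).
DEFAULT_DENY = {"spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
OPERATOR_EGRESS = {"spec": {"podSelector": {"matchLabels": {"app.kubernetes.io/instance": "vmware-mysql-operator"}}, "policyTypes": ["Egress"],
    "egress": [{"to": [{"ipBlock": {"cidr": "192.168.64.38/32"}}], "ports": [{"port": 8443, "protocol": "TCP"}]}]}}
KUBE_SYSTEM = {"namespaceSelector": {"matchLabels": {"networking/namespace": "kube-system"}}}
DNS_PORTS = [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]
DNS_OK = {"spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [{"to": [KUBE_SYSTEM], "ports": DNS_PORTS}]}}
# The same policy with 'ports' mis-indented into a second egress rule, so the two rules are independent.
DNS_LOOSE = {"spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [{"to": [KUBE_SYSTEM]}, {"ports": DNS_PORTS}]}}
# Constructed endpoints: the API server address from the page, a CoreDNS pod, an external host.
OPERATOR = {"app.kubernetes.io/instance": "vmware-mysql-operator"}
APISERVER = {"ip": "192.168.64.38", "labels": {}, "ns_labels": {}, "same_ns": False}
COREDNS = {"ip": "10.96.0.10", "labels": {}, "ns_labels": {"networking/namespace": "kube-system"}, "same_ns": False}
OUTSIDE = {"ip": "203.0.113.5", "labels": {}, "ns_labels": {}, "same_ns": False}

def check(dns_policy):
    pols = [DEFAULT_DENY, OPERATOR_EGRESS, dns_policy]
    return (egress_allowed(pols, OPERATOR, APISERVER, 8443),     # API server on the allowed port
            egress_allowed(pols, OPERATOR, APISERVER, 443),      # API server on another port
            egress_allowed(pols, OPERATOR, COREDNS, 53, "UDP"),  # DNS inside kube-system
            egress_allowed(pols, OPERATOR, OUTSIDE, 53, "UDP"))  # port 53 to an arbitrary host
```

check(DNS_OK) yields (True, False, True, False); check(DNS_LOOSE) yields (True, False, True, True), the last value showing that the split rule lets any pod reach port 53 anywhere.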