Deploying Calico on Kubernetes

Posted on 21-Jan-2018

Anirban Sen Chowdhary

Calico is an open source project that takes a new approach to enabling networking and network policy in Kubernetes clusters across the cloud. Calico works on all major public cloud providers and in private clouds as well. It uses a pure IP networking fabric to provide high-performance networking, and its battle-tested policy engine enforces high-level, intent-focused network policy.

These slides guide you through setting up a Kubernetes cluster with Calico networking; all you need is kubectl configured to interact with the cluster.

Once your Kubernetes cluster is started and ready, the first step is to install Project Calico using kubectl:

kubectl apply -f https://docs.projectcalico.org/v2.4/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.6/calico.yaml

The result is shown below:

We will deploy pods in a Kubernetes namespace, so we first need to create a Namespace object to launch applications in. We can do this using kubectl create followed by ns for namespace, and then the name of our namespace, like so:

kubectl create ns policy-demo

As the following shows, the namespace is created:

Now let's create some nginx demo pods in the policy-demo namespace by using the kubectl run command:

# Run the Pods.
kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx

As the following shows, "nginx" is created:

And then expose the pods through a service using the kubectl expose command:

# Create the Service.
kubectl expose --namespace=policy-demo deployment nginx --port=80

As the following shows, "nginx" is exposed:

We will now apply our pod.yaml file. To apply the pod, we'll once again use kubectl create, but this time with the -f flag:

kubectl create -f pod.yaml

The result is shown below:

Once the pod.yaml file is applied, we should be able to access the pod and receive back the nginx welcome page using the following command:

kubectl exec -n policy-demo client -- wget -T 2 -q nginx -O -

The result is shown below:

Next, we need to annotate the policy-demo namespace to deny all incoming (ingress) traffic using the kubectl annotate command:

kubectl annotate ns policy-demo "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"

As the following shows, Calico then prevents connections to pods in this namespace and turns on isolation:

Now, remote access to this pod should be unavailable, and we should receive a timeout warning.

kubectl exec -n policy-demo client -- wget -q nginx -T 2 -O -

We can see this below:

Next, we'll allow access to the pod by applying the network-policy.yaml file. Apply the network-policy.yaml file using the kubectl create command with the -f flag:

kubectl create -f network-policy.yaml

We can see this below:

The network-policy.yaml file that we just applied should now allow incoming traffic to pods running nginx. We can test this using the following command:

kubectl exec -n policy-demo client -- wget -q nginx -T 2 -O -

As shown below, this allows incoming connections from our pod:

We have now installed Project Calico, deployed a couple of pods, isolated the pods by default, and then applied policies to enable access to pods running nginx.

We can see this below if we use the following command:

kubectl get pods --all-namespaces
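
The slides do not show the contents of network-policy.yaml, and the default deny above relies on the beta namespace annotation that goes with the Kubernetes 1.6 manifest installed in the first step. As an added example (not taken from the original slides), the same two steps, default deny and then a narrow allow, can be written as networking.k8s.io/v1 NetworkPolicy objects. The policy names and the run=client label on the client pod are assumptions.

```yaml
# Added example: hypothetical manifests, not the files used in the slides.
# Assumptions: the nginx pods carry the label run=nginx (the label that
# `kubectl run nginx` applied in that era), and the client pod created from
# pod.yaml carries the label run=client (assumed; check with
# `kubectl get pods -n policy-demo --show-labels`).
---
# Default deny: selects every pod in policy-demo and lists no ingress rules,
# so no inbound connection is accepted until another policy permits it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress   # hypothetical name
  namespace: policy-demo
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Allow: only pods labelled run=client in the same namespace may reach the
# nginx pods, and only on TCP port 80 (the port exposed by the Service).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx           # hypothetical name
  namespace: policy-demo
spec:
  podSelector:
    matchLabels:
      run: nginx
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              run: client
      ports:
        - protocol: TCP
          port: 80
```

With only the first policy applied, the wget test from the client pod should time out as it does after the annotation step; applying the second restores access for the client pod alone.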