Lab 02: Network Policies in OKS
Lab Objectives
- Learn how to test and implement Network Policies on an OKS cluster
Prerequisites
- A running Kubernetes cluster provided by OKS.
- Access to the `kubectl` CLI.
- Administrator privileges on the cluster.
- A network plugin (CNI) that enforces NetworkPolicy: the API server accepts NetworkPolicy objects on any cluster, but traffic is only blocked if the plugin implements them.
Retrieve the kubeconfig file
```bash
oks-cli cluster kubeconfig --cluster-name my-cluster --project-name my-project > kubeconfig.yaml
export KUBECONFIG=./kubeconfig.yaml
```
Test the cluster
```bash
kubectl get nodes
```
Deploy a test environment
Create a dedicated namespace:
```bash
kubectl create namespace test-network-policy
```
Deploy frontend and backend applications
Create a `deployments.yaml` file:
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
  namespace: test-network-policy
  labels:
    app: frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
  namespace: test-network-policy
  labels:
    app: backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend
    spec:
      containers:
        - name: backend
          image: hashicorp/http-echo
          args:
            - "-text=Hello from Backend"
            - "-listen=:80"   # http-echo listens on :5678 by default; bind it to the port the Service targets
          ports:
            - containerPort: 80
```
Apply the deployment:
```bash
kubectl apply -f deployments.yaml
```
Create a service to expose the backend
Create a `backend-svc.yaml` file:
```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: backend
  namespace: test-network-policy
spec:
  selector:
    app: backend
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80   # must match the port http-echo listens on (-listen=:80 above); check with kubectl logs if unsure
```
Apply the service:
```bash
kubectl apply -f backend-svc.yaml
```
Verify the created resources:
```bash
kubectl get pods,svc -n test-network-policy
```
Test connectivity without Network Policy
Run this command from the frontend pod:
```bash
kubectl exec -it deployment/frontend -n test-network-policy -- curl -m 5 backend.test-network-policy.svc.cluster.local:80
```
✅ Expected: the backend answers `Hello from Backend`. If curl reports "connection refused" at this stage, the backend is not listening on the port the Service targets; that is a port mismatch, not a policy.
Apply a restrictive Network Policy
Create a `deny-all.yaml` file:
```yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: test-network-policy
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress: []   # an empty rule list allows nothing: all ingress to the selected pods is denied
```
Note that this policy selects only the pods labelled `app: backend` and restricts only Ingress; egress from the backend (DNS included) and traffic to every other pod are unaffected.
Apply the rule:
```bash
kubectl apply -f deny-all.yaml
```
Test the connection again:
```bash
kubectl exec -it deployment/frontend -n test-network-policy -- curl -m 5 backend.test-network-policy.svc.cluster.local:80
```
❌ Expected: the connection is blocked. An enforcing network plugin drops the packets, so curl gives up after the 5-second timeout (exit code 28) rather than reporting "connection refused". If the request still succeeds, the cluster's network plugin is not enforcing NetworkPolicy.
Allow only frontend to access backend
Create an `allow-frontend.yaml` file:
```yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
  namespace: test-network-policy
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:   # pods in the same namespace only; add a namespaceSelector to admit other namespaces
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 80
```
Network Policies are additive: `deny-all` stays in place and contributes no allow rule, while `allow-frontend` adds one. A request is admitted as soon as any policy selecting the backend allows it.
Apply the rule:
```bash
kubectl apply -f allow-frontend.yaml
```
Test again:
```bash
kubectl exec -it deployment/frontend -n test-network-policy -- curl -m 5 backend.test-network-policy.svc.cluster.local:80
```
✅ Expected: the connection is allowed and the backend answers `Hello from Backend`.
Test from another pod that does not carry the `app: frontend` label (it should be blocked). Without `-n`, the pod below runs in the `default` namespace; a pod in `test-network-policy` with a different label would be blocked as well, because the policy matches on the pod label:
```bash
kubectl run busybox --rm -it --image=busybox --restart=Never -- /bin/sh
```
Inside the pod's shell:
```sh
wget -T 5 -O - backend.test-network-policy.svc.cluster.local:80
```
❌ Expected: the request times out (the packets are dropped, so wget never gets "connection refused"). Type `exit` to leave the shell; `--rm` deletes the pod.
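To make the checks above repeatable, here is an added example script (not part of the original lab) that runs the same curl probe from the frontend pod and from a probe pod inside the lab namespace that lacks the `app: frontend` label, and classifies each result from curl's exit status instead of reading the output by eye. It assumes the namespace, the backend Service and the frontend Deployment created in the steps above, a `KUBECONFIG` pointing at the cluster, and that the `curlimages/curl` image can be pulled; the pod name `np-probe`, the label `app=probe` and the `RUN_MATRIX` variable are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lab: run the lab's connectivity
# checks as a matrix and classify each result from curl's exit status.
# Assumes the namespace, the backend Service and the frontend Deployment
# created above, and a KUBECONFIG pointing at the OKS cluster.
set -u

NS="${NS:-test-network-policy}"
TARGET="http://backend.${NS}.svc.cluster.local:80"
PROBE_IMAGE="${PROBE_IMAGE:-curlimages/curl}"   # assumption: any image shipping curl and sleep works

# Map curl's exit status to what the lab expects to observe.
#  0  request completed                  -> ALLOWED
#  28 timed out (-m 5): packets dropped  -> BLOCKED, what an enforcing CNI produces
#  7  connection refused                 -> REFUSED, nothing listens on the port (port mismatch, not a policy)
#  6  host not resolved                  -> DNS, an egress/DNS problem rather than an ingress policy
classify() {
  case "$1" in
    0)  echo ALLOWED ;;
    28) echo BLOCKED ;;
    7)  echo REFUSED ;;
    6)  echo DNS ;;
    *)  echo "ERROR($1)" ;;
  esac
}

# Run curl inside an existing pod ($1 = namespace, $2 = pod/name or deployment/name)
# and classify its exit status; kubectl exec propagates the command's exit code.
probe_from() {
  kubectl exec -n "$1" "$2" -- curl -s -m 5 -o /dev/null "$TARGET" >/dev/null 2>&1
  classify $?
}

# Start a long-lived probe pod in the lab namespace WITHOUT the app=frontend label,
# so the second row exercises the podSelector rather than the namespace boundary.
start_probe() {
  kubectl run np-probe -n "$NS" --image="$PROBE_IMAGE" --labels="app=probe" \
    --restart=Never --command -- sleep 3600 >/dev/null
  kubectl wait -n "$NS" --for=condition=Ready pod/np-probe --timeout=60s >/dev/null
}

stop_probe() {
  kubectl delete pod np-probe -n "$NS" --ignore-not-found --wait=false >/dev/null
}

# One row per source pod. With deny-all + allow-frontend applied the expected output is:
#   frontend   ALLOWED
#   np-probe   BLOCKED
# With no policy both rows read ALLOWED; with only deny-all both read BLOCKED.
run_matrix() {
  start_probe
  printf '%-10s %s\n' frontend "$(probe_from "$NS" deployment/frontend)"
  printf '%-10s %s\n' np-probe "$(probe_from "$NS" pod/np-probe)"
  stop_probe
}

# Talk to the cluster only when asked, so the functions can be sourced and
# checked without one:  RUN_MATRIX=1 bash np-check.sh
if [ "${RUN_MATRIX:-0}" = "1" ]; then
  run_matrix
fi
```

Run it after each policy change with `RUN_MATRIX=1 bash np-check.sh`. A `REFUSED` row means the backend is not listening on the port the Service targets, and a `DNS` row means the probe pod cannot resolve the Service name; neither is caused by the ingress policies in this lab, so treat them as setup problems rather than as a successful block.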
Delete the Network Policies:
```bash
kubectl delete networkpolicy deny-all allow-frontend -n test-network-policy
```
Delete the created resources:
```bash
kubectl delete namespace test-network-policy
```
Conclusion
- Without a Network Policy, all pods can communicate.
- With `deny-all`, all ingress traffic to the backend pods is dropped; the policy selects only `app: backend` and only Ingress, so other pods and the backend's own egress (DNS included) are untouched.
- With `allow-frontend` added, only pods labelled `app: frontend` in the same namespace can reach the backend on TCP port 80; policies are additive, so the allow rule takes effect alongside `deny-all`.
- Testing from another pod confirms that access is restricted.