Use ACK GlobalNetworkPolicy - Container Service for Kubernetes

A Kubernetes NetworkPolicy uses label selectors to define network policies at the pod level. ACK GlobalNetworkPolicy extends this functionality to the cluster level, allowing you to manage network policies for an entire cluster. This topic describes how to use an ACK GlobalNetworkPolicy to implement granular network security policies for your cluster.

Prerequisites

An ACK Pro managed cluster that uses the Terway network plugin is created. For more information, see Create an ACK managed cluster.
The Terway network plugin is version 1.9.4 or later, and the NetworkPolicy feature is enabled. For more information, see Enable network policies.
You have obtained the KubeConfig file for the cluster and are connected to the cluster using kubectl.
The nodes must run the Terway network plugin. Nodes in exclusive Elastic Network Interface (ENI) mode, virtual nodes, hybrid cloud nodes, or other non-Alibaba Cloud nodes are not supported.

Step 1: Install the Poseidon component

Poseidon is a container network policy component that supports the standard Kubernetes NetworkPolicy feature.

Install version 0.5.1 or later of the Poseidon component and enable the ACK NetworkPolicy feature.

Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, find the one you want to manage and click its name. In the left navigation pane, click Add-ons.
On the Add-ons page, click the Networking tab. In the lower-right corner of the Poseidon component card, click Install.
In the Install Poseidon dialog box, select Enable ACK NetworkPolicy and then click OK.

Step 2: Use ACK GlobalNetworkPolicy

The definition and usage of an ACK GlobalNetworkPolicy are similar to those of a Kubernetes NetworkPolicy. By default, its rules apply to all nodes and pods in the cluster unless specified otherwise.

Syntax

The basic structure of an ACK GlobalNetworkPolicy is as follows:

apiVersion: network.alibabacloud.com/v1beta2
kind: GlobalNetworkPolicy
metadata:
  name: example
spec:
  podSelector:      # Pods to which the policy applies. Default: all pods.
    matchLabels:
      foo: bar      # Selects pods with the label foo:bar.
  namespaceSelector:   # Namespaces to which the policy applies. Default: all namespaces. This rule and podSelector are evaluated using an AND operator.
    matchLabels:
      foo: bar      # Selects namespaces with the label foo:bar.
  policyTypes:      # The types of traffic to which the policy applies.
    - Ingress       # Applies to inbound traffic.
    - Egress        # Applies to outbound traffic.
  ingress: []       # Ingress rules.
  egress: []        # Egress rules.

Limits

The following limits apply to rules in a single cluster:

The number of GlobalNetworkPolicy resources must be less than 100.
The number of ingress and egress rules in a single GlobalNetworkPolicy must be less than 20.
The number of ports in a single ingress or egress rule must be less than 10.

Ingress and egress rules

The ingress and egress rules define the allowed traffic sources and destinations for the NetworkPolicy. Both rule types have the same structure. They use from (for ingress) and to (for egress) to specify the allowed communication scope.

apiVersion: network.alibabacloud.com/v1beta2
kind: GlobalNetworkPolicy
metadata:
  name: example                          # Policy Name
spec:
  podSelector: {}                       
  namespaceSelector: null                     
  policyTypes:
    - Ingress                            # The policy includes ingress rules.
    - Egress                             # The policy includes egress rules.
  ingress:
    - from:
        - namespaceSelector:             # Allows inbound traffic from pods in namespaces with matching labels.
            matchLabels:
              foo: bar
          podSelector:                   # Allows inbound traffic from pods with matching labels.
            matchLabels:
              foo: bar
        ports:
          - protocol: TCP                # Allows TCP traffic. Valid values are TCP and UDP.
            port: 443                    # Allows traffic on port 443.
    - from:
        - ipBlock:                       # Defines the CIDR range from which inbound requests from outside the cluster are allowed.
            cidr: "172.16.0.0/16"
            except:
              - "172.16.1.0/24"          # Excludes the CIDR range "172.16.1.0/24" from the allowed inbound sources outside the cluster.
  egress:
    - to:
        - namespaceSelector:             # Allows outbound traffic to pods in namespaces with matching labels.
            matchLabels:
              foo: bar
          podSelector:                   # Allows outbound traffic to pods with matching labels.
            matchLabels:
              foo: bar
    - to:
        - ipBlock:                       # Defines the CIDR range to which outbound traffic to destinations outside the cluster is allowed.
            cidr: "172.16.0.0/16"
            except:
              - "172.16.1.0/24"          # Excludes the CIDR range "172.16.1.0/24" from the allowed outbound destinations outside the cluster.

Field	Description
ipBlock	A static CIDR block that describes traffic addresses outside the cluster. This block defines which IP address ranges outside the cluster are allowed to send traffic to or receive traffic from pods inside the cluster.
podSelector	Dynamically selects addresses using labels. This is used to describe the addresses of pods within the cluster.

You cannot use ipBlock with podSelector or namespaceSelector in the same rule. Separate ipBlock and podSelector into different rules, as shown in the following example:

ingress:
  - from:
      - ipBlock:               # The first source condition is ipBlock.
          cidr: "192.168.0.0/16"
      - podSelector:           # The second source condition is podSelector.
          matchLabels:
            key: value
    ports:
      - protocol: TCP
        port: 80

The following is an incorrect example because the fields are mutually exclusive.

Incorrect example:

ingress:
  - from:
      - ipBlock:                  # CIDR range definition.
          cidr: "192.168.0.0/16"
        podSelector:              # Error: Cannot be used with ipBlock in the same entry.
          matchLabels:
            key: value
    ports:
      - protocol: TCP
        port: 443

Usage examples

The examples in this topic include a podSelector configuration. You can adjust the configuration as needed.

Important

Exercise caution when you configure a GlobalNetworkPolicy. If you do not specify the podSelector or namespaceSelector field, the policy applies to all pods in the cluster.

Deny all traffic for a specific application pod

The following YAML file defines a GlobalNetworkPolicy that applies only to pods with the label foo: bar. This policy denies all inbound and outbound network traffic for these pods.

apiVersion: network.alibabacloud.com/v1beta2
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector:
    matchLabels:
      foo: bar
  namespaceSelector: null
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []

Allow a specific application pod to access DNS

The following YAML file defines a GlobalNetworkPolicy that applies only to pods with the label foo: bar. This policy allows these pods to communicate with the DNS service that runs in the cluster.

apiVersion: network.alibabacloud.com/v1beta2
kind: GlobalNetworkPolicy                     
metadata:
  name: allow-dns                            
spec:
  podSelector:                                
    matchLabels:
      foo: bar                                
  namespaceSelector: null                 
  policyTypes:                                
    - Egress
  egress:                                     
    - to:                                 
        - namespaceSelector:              
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns