Configuring Kubernetes network policies

This topic explains how to use Kubernetes network policies to secure Cassandra and Redis pods within an Apigee Hybrid Cluster .

Overview

When you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you can use Kubernetes Network Policies for applications in your cluster. Network Policies are an application-centric construct you can use to specify how a pod is allowed to communicate with other pods in your cluster.

In Apigee hybrid you can use Kubernetes Network Policies to isolate Cassandra pods so that only pods that are intended to communicate with Cassandra are allowed to, such as the Runtime, Synchronizer, and Mart pods. Other pods in the cluster like Ingres and Watcher pods that do not need to communicate with Cassandra are blocked from doing so.

If you have no restrictions on which pods can interact within your cluster, you do not need to use Kubernetes network policies.

Prerequisites

Procedure

Download and extract the apigeectl release package.

Linux

curl -LO \
  https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.11.2/apigeectl_linux_64.tar.gz

Mac OS

curl -LO \
  https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.11.2/apigeectl_mac_64.tar.gz

Windows

curl -LO ^
   https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.11.2/apigeectl_windows_64.zip

The configuration files for the Kubernetes network policies for Cassandra and Redis are in the following directory structure within the apigeectl directory:

  └── apigeectl
      └── examples
          └── network-policies
              └── securing-cassandra-redis-pods
                  ├── README.md
                  ├── base
                  │   └── cluster-scoped-communication
                  │       ├── cassandra
                  │       │   ├── kustomization.yaml
                  │       │   ├── networkpolicy-cassandra-allow-controller.yaml
                  │       │   ├── networkpolicy-cassandra-allow-intranode.yaml
                  │       │   ├── networkpolicy-cassandra-allow-mart.yaml
                  │       │   ├── networkpolicy-cassandra-allow-runtime.yaml
                  │       │   ├── networkpolicy-cassandra-alow-sync.yaml
                  │       │   ├── networkpolicy-cassandra-create-user.yaml
                  │       │   ├── networkpolicy-cassandra-monitoring.yaml
                  │       │   └── networkpolicy-cassandra-remove-dc.yaml
                  │       └── redis
                  │           ├── kustomization.yaml
                  │           ├── networkpolicy-redis-envoy.yaml
                  │           └── networkpolicy-redis.yaml
                  └── overlays
                      └── ORG_NAME
                          └── kustomization.yaml

Where ORG_NAME is the name of your Apigee organization.

  1. Label the namespace with the following command:
    kubectl label namespace APIGEE_NAMESPACE app=apigee
  2. Apply the network policies with the following command:
    kubectl apply -k ${APIGEECTL_HOME}/examples/network-policies/securing-cassandra-redis-pods/overlays/ORG_NAME
  3. Validate that the network policies were applied with the following command:
    kubectl get netpol -n APIGEE_NAMESPACE

    The following network policies should be created in the APIGEE_NAMESPACE namespace:

          NAME                        POD-SELECTOR              AGE
          cassandra-from-mart         app=apigee-cassandra      4d5h
          cassandra-from-runtime      app=apigee-cassandra      4d5h
          cassandra-from-sync         app=apigee-cassandra      4d5h
          cassandra-to-cassandra      app=apigee-cassandra      4d5h
          controller-to-cassandra     app=apigee-cassandra      4d5h
          redis-from-redisenvoy       app=apigee-redis          3d18h
          redisenvoy-from-runtime     app=apigee-redis-envoy    3d18h