Configuring Kubernetes network policies

This topic explains how to use Kubernetes network policies to secure the Cassandra and Redis pods in an Apigee hybrid cluster.

Overview

When you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), you can use Kubernetes Network Policies for the applications in your cluster. Network Policies are an application-centric construct that specifies how a pod is allowed to communicate with other pods in your cluster.

In Apigee hybrid you can use Kubernetes Network Policies to isolate the Cassandra pods so that only the pods that are intended to communicate with Cassandra, such as the Runtime, Synchronizer, and MART pods, are allowed to do so. Other pods in the cluster, such as the Ingress and Watcher pods, do not need to communicate with Cassandra and are blocked from doing so.

If you have no restrictions on which pods can interact within your cluster, you do not need to use Kubernetes network policies.

Prerequisites

Procedure

If you are running hybrid version 1.8.x, download and extract the newest Apigee release package.

Linux

curl -LO \
  https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.9.4/apigeectl_linux_64.tar.gz

Mac OS

curl -LO \
  https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.9.4/apigeectl_mac_64.tar.gz

Windows

curl -LO ^
   https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.9.4/apigeectl_windows_64.zip

The configuration files for the Kubernetes network policies for Cassandra and Redis are in the following directory structure within your $APIGEECTL_HOME directory:

  └── apigeectl
      └── examples
          └── network-policies
              └── securing-cassandra-redis-pods
                  ├── README.md
                  ├── base
                  │   └── cluster-scoped-communication
                  │       ├── cassandra
                  │       │   ├── kustomization.yaml
                  │       │   ├── networkpolicy-cassandra-allow-controller.yaml
                  │       │   ├── networkpolicy-cassandra-allow-intranode.yaml
                  │       │   ├── networkpolicy-cassandra-allow-mart.yaml
                  │       │   ├── networkpolicy-cassandra-allow-runtime.yaml
                  │       │   ├── networkpolicy-cassandra-alow-sync.yaml
                  │       │   ├── networkpolicy-cassandra-create-user.yaml
                  │       │   ├── networkpolicy-cassandra-monitoring.yaml
                  │       │   └── networkpolicy-cassandra-remove-dc.yaml
                  │       └── redis
                  │           ├── kustomization.yaml
                  │           ├── networkpolicy-redis-envoy.yaml
                  │           └── networkpolicy-redis.yaml
                  └── overlays
                      └── ORG_NAME
                          └── kustomization.yaml

Where ORG_NAME is the name of your Apigee organization.

  1. Label the namespaces with the following commands:
    kubectl label namespace apigee app=apigee
    kubectl label namespace apigee-system app=apigee-system
  2. Apply the network policies with the following command:
    kubectl apply -k ${APIGEECTL_HOME}/examples/network-policies/securing-cassandra-redis-pods/overlays/ORG_NAME
  3. Validate that the network policies were applied with the following command:
    kubectl get netpol -n apigee

    The following network policies should be created in the apigee namespace:

          NAME                        POD-SELECTOR              AGE
          cassandra-from-mart         app=apigee-cassandra      4d5h
          cassandra-from-runtime      app=apigee-cassandra      4d5h
          cassandra-from-sync         app=apigee-cassandra      4d5h
          cassandra-to-cassandra      app=apigee-cassandra      4d5h
          controller-to-cassandra     app=apigee-cassandra      4d5h
          redis-from-redisenvoy       app=apigee-redis          3d18h
          redisenvoy-from-runtime     app=apigee-redis-envoy    3d18h
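The policies listed above are applied from the kustomize overlay rather than shown on this page. The following manifest is an added illustration, not one of the files shipped in the apigeectl package, of the shape a policy such as cassandra-from-runtime takes and of why step 1 labels the namespaces. It assumes, beyond what this page states, that the runtime pods carry the label app=apigee-runtime and that Cassandra listens for CQL on TCP port 9042; the Cassandra pod label app=apigee-cassandra is taken from the kubectl get netpol output above.

```yaml
# Added illustrative example; not a file from the apigeectl release package.
# Assumptions not stated on this page: runtime pods are labelled
# app=apigee-runtime, and the Cassandra CQL port is TCP 9042.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cassandra-from-runtime-example
  namespace: apigee
spec:
  # The policy attaches only to the Cassandra pods (label shown in
  # the kubectl get netpol output on this page).
  podSelector:
    matchLabels:
      app: apigee-cassandra
  policyTypes:
    - Ingress
  ingress:
    # One "from" entry that carries both a namespaceSelector and a
    # podSelector is an AND condition: the peer must be a runtime pod
    # AND live in a namespace labelled app=apigee (the label applied
    # in step 1). Writing them as two separate list entries would be
    # an OR and would admit every pod in the labelled namespace.
    - from:
        - namespaceSelector:
            matchLabels:
              app: apigee
          podSelector:
            matchLabels:
              app: apigee-runtime
      ports:
        - protocol: TCP
          port: 9042
```

Two points worth checking when validating: first, as soon as any ingress policy selects a pod, every ingress connection to that pod that no policy explicitly allows is dropped, which is why the package ships separate allow policies for MART, the Synchronizer, the controller, and Cassandra-to-Cassandra traffic rather than a single rule. Second, NetworkPolicy objects are enforced by the cluster's CNI plugin, not by the API server; on a cluster whose network plugin does not implement NetworkPolicy, kubectl get netpol still lists the objects but nothing is enforced, so confirm enforcement by attempting a connection to the Cassandra service from a pod that the policies are meant to exclude and verifying that it times out.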