Estimated time: 20 minutes
Objective: Implement a NetworkPolicy to restrict ingress traffic to a specific application Pod, allowing access only from Pods with a certain label within the same namespace.
Context: You have a backend application api-server that should only accept connections from frontend Pods labeled app=frontend.
Instructions:
1. Create a namespace named app-space.
2. In the app-space namespace, deploy a simple Nginx Pod named api-server with the labels app=api,tier=backend. This will serve as your backend application. Save the manifest in /opt/cka_exercises/reseau/Ex1/pod-api-server.yaml and apply it.
3. In the app-space namespace, deploy a BusyBox Pod named frontend-client with the labels app=frontend,tier=frontend (command: sleep 3600). This will be used to test connectivity. Save the manifest in /opt/cka_exercises/reseau/Ex1/pod-frontend-client.yaml and apply it.
4. In the app-space namespace, deploy another BusyBox Pod named other-client with the labels app=legacy,tier=other (command: sleep 3600). This will be used to test denied connectivity. Save the manifest in /opt/cka_exercises/reseau/Ex1/pod-other-client.yaml and apply it.
5. Verify that both frontend-client and other-client can connect to the api-server Pod on port 80. For example, get the api-server Pod IP and use kubectl exec with wget from both client Pods.
   - Save the api-server Pod IP in a file: /opt/cka_exercises/reseau/Ex1/api_server_ip.txt.
   - Save the successful wget command from frontend-client in /opt/cka_exercises/reseau/Ex1/frontend_wget_success_cmd.txt.
   - Save the successful wget command from other-client in /opt/cka_exercises/reseau/Ex1/other_wget_success_cmd.txt.
6. Create a NetworkPolicy named api-ingress-policy in the app-space namespace.
   - It must apply to Pods with the labels app=api,tier=backend.
   - It must allow ingress only from Pods in the app-space namespace that have the label app=frontend.
   - Save the manifest in /opt/cka_exercises/reseau/Ex1/networkpolicy-api-ingress.yaml and apply it.
7. Verify the effect of the policy:
   - The frontend-client Pod should still be able to connect to api-server on port 80.
   - The other-client Pod should no longer be able to connect to api-server (the wget command should fail or time out).
   - Save the wget command from frontend-client in /opt/cka_exercises/reseau/Ex1/frontend_wget_final_cmd.txt.
   - Save the wget command from other-client and its expected error (e.g. timeout) in /opt/cka_exercises/reseau/Ex1/other_wget_fail_cmd.txt.
1. Creating the namespace:
kubectl create namespace app-space
mkdir -p /opt/cka_exercises/reseau/Ex1
2. Deploying the api-server Pod:
File /opt/cka_exercises/reseau/Ex1/pod-api-server.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: api-server
  namespace: app-space
  labels:
    app: api
    tier: backend
spec:
  containers:
  - name: nginx
    image: nginx:1.27
    ports:
    - containerPort: 80
Apply it:
kubectl apply -f /opt/cka_exercises/reseau/Ex1/pod-api-server.yaml
3. Deploying the frontend-client Pod:
File /opt/cka_exercises/reseau/Ex1/pod-frontend-client.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: frontend-client
  namespace: app-space
  labels:
    app: frontend
    tier: frontend
spec:
  containers:
  - name: busybox
    image: busybox:1.36
    command: ["sh", "-c", "sleep 3600"]
Apply it:
kubectl apply -f /opt/cka_exercises/reseau/Ex1/pod-frontend-client.yaml
4. Deploying the other-client Pod:
File /opt/cka_exercises/reseau/Ex1/pod-other-client.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: other-client
  namespace: app-space
  labels:
    app: legacy
    tier: other
spec:
  containers:
  - name: busybox
    image: busybox:1.36
    command: ["sh", "-c", "sleep 3600"]
Apply it:
kubectl apply -f /opt/cka_exercises/reseau/Ex1/pod-other-client.yaml
5. Initial connectivity check:
Wait until all Pods are Running.
# kubectl get pods -n app-space -w
API_SERVER_IP=$(kubectl get pod api-server -n app-space -o jsonpath='{.status.podIP}')
echo "$API_SERVER_IP" > /opt/cka_exercises/reseau/Ex1/api_server_ip.txt
FRONTEND_CMD="kubectl exec -n app-space frontend-client -- wget -qO- $API_SERVER_IP"
echo "$FRONTEND_CMD # Expect: Welcome to nginx!" > /opt/cka_exercises/reseau/Ex1/frontend_wget_success_cmd.txt
# $FRONTEND_CMD # Run to verify
OTHER_CMD="kubectl exec -n app-space other-client -- wget -qO- $API_SERVER_IP"
echo "$OTHER_CMD # Expect: Welcome to nginx!" > /opt/cka_exercises/reseau/Ex1/other_wget_success_cmd.txt
# $OTHER_CMD # Run to verify
6. Creating the api-ingress-policy NetworkPolicy:
File /opt/cka_exercises/reseau/Ex1/networkpolicy-api-ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-ingress-policy
  namespace: app-space
spec:
  podSelector:
    matchLabels:
      app: api
      tier: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
Apply it:
kubectl apply -f /opt/cka_exercises/reseau/Ex1/networkpolicy-api-ingress.yaml
7. Final connectivity check:
Give the policy a few seconds to take effect. If other-client can still connect afterwards, check that the cluster's CNI plugin enforces NetworkPolicy: the API server accepts the object whether or not anything enforces it.
API_SERVER_IP=$(cat /opt/cka_exercises/reseau/Ex1/api_server_ip.txt)
FRONTEND_CMD_FINAL="kubectl exec -n app-space frontend-client -- wget -qO- -T 2 $API_SERVER_IP"
echo "$FRONTEND_CMD_FINAL # Expect: Welcome to nginx!" > /opt/cka_exercises/reseau/Ex1/frontend_wget_final_cmd.txt
# $FRONTEND_CMD_FINAL # Run to verify; should succeed.
OTHER_CMD_FAIL="kubectl exec -n app-space other-client -- wget -qO- -T 2 $API_SERVER_IP"
echo "$OTHER_CMD_FAIL # Expect: Command fails or times out (exit code non-zero)" > /opt/cka_exercises/reseau/Ex1/other_wget_fail_cmd.txt
# $OTHER_CMD_FAIL # Run to verify; should fail.
# To check the failure: $OTHER_CMD_FAIL > /dev/null; echo $?
Cleanup commands:
kubectl delete namespace app-space
rm -rf /opt/cka_exercises/reseau/Ex1
Estimated time: 40 minutes
Objective: Create NetworkPolicies to control egress traffic from a specific application and to isolate a namespace by default, then selectively allow required egress and ingress. Troubleshoot a misconfigured policy.
Context: You have a database Pod in a db-secure namespace. This Pod should only be allowed to make egress connections to a backup-service Pod within the same namespace on a specific port. All other egress from database should be denied. Additionally, the db-secure namespace should have a default deny policy for all ingress and egress, with specific exceptions.
Instructions:
1. Create a namespace named db-secure.
2. In db-secure, deploy a Pod named database-pod with label app=db.
   - Image: busybox:1.36 with command sleep 3600.
   - Save the manifest in /opt/cka_exercises/reseau/Ex2/pod-database.yaml.
3. In db-secure, deploy another Pod named backup-service with label app=backup.
   - Image: nginx:1.27 (simulating a service listening on port 80).
   - Save the manifest in /opt/cka_exercises/reseau/Ex2/pod-backup-service.yaml.
4. In db-secure, deploy a Pod named external-service-sim with label app=external.
   - Image: nginx:1.27.
   - Save the manifest in /opt/cka_exercises/reseau/Ex2/pod-external-sim.yaml.
5. Create a default deny NetworkPolicy (ingress and egress) in the db-secure namespace, named default-deny.
   - Save the manifest in /opt/cka_exercises/reseau/Ex2/networkpolicy-default-deny.yaml.
6. Test connectivity from database-pod to backup-service (port 80) and to external-service-sim (port 80). Both should fail.
   - Save the IPs of backup-service and external-service-sim into /opt/cka_exercises/reseau/Ex2/service_ips.txt.
   - Save the wget command from database-pod to backup-service in /opt/cka_exercises/reseau/Ex2/wget_to_backup_fail1.txt.
7. Create a NetworkPolicy named allow-db-to-backup in db-secure.
   - Intentionally misconfigure it: its podSelector should target app=db-wrong-label (instead of app=db).
   - It should allow egress to Pods labeled app=backup on TCP port 80.
   - Save the manifest in /opt/cka_exercises/reseau/Ex2/networkpolicy-allow-db-to-backup-misconfigured.yaml.
8. Create a NetworkPolicy named allow-backup-ingress in db-secure.
   - It should apply to Pods labeled app=backup.
   - It should allow ingress from Pods labeled app=db on TCP port 80.
   - Save the manifest in /opt/cka_exercises/reseau/Ex2/networkpolicy-allow-backup-ingress.yaml.
9. Test connectivity from database-pod to backup-service on port 80. It will likely fail due to the misconfigured egress policy.
   - Troubleshoot: inspect the default-deny policy, the allow-db-to-backup policy (noticing the wrong podSelector), and the allow-backup-ingress policy.
   - Document your troubleshooting steps in /opt/cka_exercises/reseau/Ex2/troubleshooting_steps.txt.
10. Fix networkpolicy-allow-db-to-backup-misconfigured.yaml to correctly select Pods labeled app=db. Rename it to networkpolicy-allow-db-to-backup-corrected.yaml and apply it (or edit the existing one in the cluster).
11. Retest connectivity:
   - database-pod to backup-service on port 80: this should now succeed.
   - database-pod to external-service-sim on port 80: this should still fail.
   - Save the wget command from database-pod to backup-service in /opt/cka_exercises/reseau/Ex2/wget_to_backup_success.txt.
   - Save the wget command from database-pod to external-service-sim in /opt/cka_exercises/reseau/Ex2/wget_to_external_fail.txt.
1. Creating the namespace:
kubectl create namespace db-secure
mkdir -p /opt/cka_exercises/reseau/Ex2
2. Deploying the database-pod Pod:
File /opt/cka_exercises/reseau/Ex2/pod-database.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: database-pod
  namespace: db-secure
  labels:
    app: db
spec:
  containers:
  - name: busybox
    image: busybox:1.36
    command: ["sh", "-c", "sleep 3600"]
Apply it:
kubectl apply -f /opt/cka_exercises/reseau/Ex2/pod-database.yaml
3. Deploying the backup-service Pod:
File /opt/cka_exercises/reseau/Ex2/pod-backup-service.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: backup-service
  namespace: db-secure
  labels:
    app: backup
spec:
  containers:
  - name: nginx
    image: nginx:1.27
    ports:
    - containerPort: 80
Apply it:
kubectl apply -f /opt/cka_exercises/reseau/Ex2/pod-backup-service.yaml
4. Deploying the external-service-sim Pod:
File /opt/cka_exercises/reseau/Ex2/pod-external-sim.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: external-service-sim
  namespace: db-secure
  labels:
    app: external
spec:
  containers:
  - name: nginx
    image: nginx:1.27
    ports:
    - containerPort: 80
Apply it:
kubectl apply -f /opt/cka_exercises/reseau/Ex2/pod-external-sim.yaml
5. Creating the default-deny NetworkPolicy:
File /opt/cka_exercises/reseau/Ex2/networkpolicy-default-deny.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: db-secure
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
Apply it:
kubectl apply -f /opt/cka_exercises/reseau/Ex2/networkpolicy-default-deny.yaml
6. Initial connectivity test (should fail):
Wait until the Pods are Running and the policy has been applied.
# kubectl get pods -n db-secure -w
BACKUP_IP=$(kubectl get pod backup-service -n db-secure -o jsonpath='{.status.podIP}')
EXTERNAL_IP=$(kubectl get pod external-service-sim -n db-secure -o jsonpath='{.status.podIP}')
echo "BACKUP_IP=$BACKUP_IP" > /opt/cka_exercises/reseau/Ex2/service_ips.txt
echo "EXTERNAL_IP=$EXTERNAL_IP" >> /opt/cka_exercises/reseau/Ex2/service_ips.txt
CMD_TO_BACKUP_FAIL1="kubectl exec -n db-secure database-pod -- wget -qO- -T 2 $BACKUP_IP"
echo "$CMD_TO_BACKUP_FAIL1 # Expect: Fails" > /opt/cka_exercises/reseau/Ex2/wget_to_backup_fail1.txt
# $CMD_TO_BACKUP_FAIL1 > /dev/null; echo $? # Check for a non-zero exit code
7. Creating the allow-db-to-backup NetworkPolicy (intentionally misconfigured):
File /opt/cka_exercises/reseau/Ex2/networkpolicy-allow-db-to-backup-misconfigured.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-to-backup
  namespace: db-secure
spec:
  podSelector:
    matchLabels:
      app: db-wrong-label # <- ERROR HERE, for the troubleshooting exercise
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backup
    ports:
    - protocol: TCP
      port: 80
Apply it:
kubectl apply -f /opt/cka_exercises/reseau/Ex2/networkpolicy-allow-db-to-backup-misconfigured.yaml
8. Creating the allow-backup-ingress NetworkPolicy (ingress for backup):
File /opt/cka_exercises/reseau/Ex2/networkpolicy-allow-backup-ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backup-ingress
  namespace: db-secure
spec:
  podSelector:
    matchLabels:
      app: backup
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: db
    ports:
    - protocol: TCP
      port: 80
Apply it:
kubectl apply -f /opt/cka_exercises/reseau/Ex2/networkpolicy-allow-backup-ingress.yaml
9. Troubleshooting connectivity:
The test from database-pod to backup-service should fail.
File /opt/cka_exercises/reseau/Ex2/troubleshooting_steps.txt:
The connection from database-pod to backup-service fails. Diagnostic steps:
1. **Check the `default-deny` policy**:
`kubectl describe networkpolicy default-deny -n db-secure`
Confirm that it applies to all pods (`podSelector: {}`) and blocks all ingress/egress by default. It does.
2. **Check the egress policy `allow-db-to-backup` for `database-pod`**:
`kubectl describe networkpolicy allow-db-to-backup -n db-secure`
Examine `spec.podSelector`. It is expected to target `app=db` so that it applies to `database-pod`.
*Observation*: The `podSelector` is `app=db-wrong-label`. The `database-pod` Pod (which has the label `app=db`) is therefore NOT selected by this egress policy. Consequently, only the `default-deny` policy applies to its egress, blocking all outbound traffic.
3. **Check the ingress policy `allow-backup-ingress` for `backup-service`**:
`kubectl describe networkpolicy allow-backup-ingress -n db-secure`
Examine `spec.podSelector` (should be `app=backup`) and `spec.ingress.from.podSelector` (should be `app=db`). This policy looks correct for allowing ingress from `database-pod` to `backup-service`, once `database-pod` is allowed to send.
Diagnostic conclusion: The main problem is that the `allow-db-to-backup` policy does not select the `database-pod` Pod because of an incorrect `podSelector` (`app=db-wrong-label` instead of `app=db`).
10. Fixing the egress NetworkPolicy:
Edit networkpolicy-allow-db-to-backup-misconfigured.yaml so that spec.podSelector.matchLabels.app is db.
Save it as /opt/cka_exercises/reseau/Ex2/networkpolicy-allow-db-to-backup-corrected.yaml (or edit the policy in place with kubectl edit networkpolicy allow-db-to-backup -n db-secure).
File /opt/cka_exercises/reseau/Ex2/networkpolicy-allow-db-to-backup-corrected.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-to-backup # keep the same name so that apply updates the existing policy
  namespace: db-secure
spec:
  podSelector:
    matchLabels:
      app: db # <- FIXED
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backup
    ports:
    - protocol: TCP
      port: 80
Apply the corrected version:
kubectl apply -f /opt/cka_exercises/reseau/Ex2/networkpolicy-allow-db-to-backup-corrected.yaml
11. Retesting connectivity:
Give the policy a few seconds to take effect.
BACKUP_IP=$(kubectl get pod backup-service -n db-secure -o jsonpath='{.status.podIP}')
EXTERNAL_IP=$(kubectl get pod external-service-sim -n db-secure -o jsonpath='{.status.podIP}')
CMD_TO_BACKUP_SUCCESS="kubectl exec -n db-secure database-pod -- wget -qO- -T 2 $BACKUP_IP"
echo "$CMD_TO_BACKUP_SUCCESS # Expect: Welcome to nginx!" > /opt/cka_exercises/reseau/Ex2/wget_to_backup_success.txt
# $CMD_TO_BACKUP_SUCCESS # Should succeed
CMD_TO_EXTERNAL_FAIL="kubectl exec -n db-secure database-pod -- wget -qO- -T 2 $EXTERNAL_IP"
echo "$CMD_TO_EXTERNAL_FAIL # Expect: Fails" > /opt/cka_exercises/reseau/Ex2/wget_to_external_fail.txt
# $CMD_TO_EXTERNAL_FAIL > /dev/null; echo $? # Should fail (exit code 1)
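To reason about the Ex1 ingress policy and the Ex2 default-deny, misconfigured and corrected policies without a cluster, here is an added example (not part of the exercise's own files) that models the NetworkPolicy semantics the two exercises rely on: a Pod is isolated for a direction as soon as any policy with that policyType selects it, and isolated traffic needs a matching rule at the source's egress and at the destination's ingress. The Pods and policies are transcribed from the manifests above; the Pod, make_policy, connection_allowed and policies_selecting_nothing names are the example's own, and it deliberately models only same-namespace podSelector peers and numeric TCP ports (no namespaceSelector, ipBlock or named ports).

```python
# Added example: offline model of the NetworkPolicy rules used in Ex1 and Ex2.
# Not part of the exercise files. Assumptions: only same-namespace podSelector
# peers and numeric TCP ports are modelled (no namespaceSelector, ipBlock, named ports).
from collections import namedtuple

Pod = namedtuple("Pod", "name namespace labels")

def selector_matches(selector, labels):
    """podSelector {} (or without matchLabels) matches every pod; else all labels must match."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def make_policy(name, namespace, pod_labels, policy_types, rules=None):
    """Dict shaped like the NetworkPolicy manifests of this exercise."""
    spec = {"podSelector": {"matchLabels": pod_labels} if pod_labels else {},
            "policyTypes": policy_types}
    spec.update(rules or {})
    return {"metadata": {"name": name, "namespace": namespace}, "spec": spec}

def policies_for(pod, direction, policies):
    """Policies that select the pod and list `direction` in policyTypes: these isolate it."""
    return [p for p in policies
            if p["metadata"]["namespace"] == pod.namespace
            and direction in p["spec"].get("policyTypes", [])
            and selector_matches(p["spec"].get("podSelector"), pod.labels)]

def peer_matches(peers, peer_pod, policy_namespace):
    """An absent from/to list matches every peer; a bare podSelector is same-namespace only."""
    if peers is None:
        return True
    return any("podSelector" in peer and peer_pod.namespace == policy_namespace
               and selector_matches(peer["podSelector"], peer_pod.labels)
               for peer in peers)

def port_matches(ports, protocol, port):
    """An absent ports list matches every port."""
    return not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port
                            for p in ports)

def direction_allowed(pod, peer, direction, protocol, port, policies):
    """Not selected by any policy of this type -> allowed. Selected -> allowed only if
    some selecting policy has a rule matching both the peer and the port."""
    applicable = policies_for(pod, direction, policies)
    if not applicable:
        return True
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    return any(peer_matches(rule.get(peer_key), peer, pol["metadata"]["namespace"])
               and port_matches(rule.get("ports"), protocol, port)
               for pol in applicable for rule in (pol["spec"].get(rules_key) or []))

def connection_allowed(src, dst, port, policies, protocol="TCP"):
    """A connection needs egress permission at the source AND ingress permission at the destination."""
    return (direction_allowed(src, dst, "Egress", protocol, port, policies)
            and direction_allowed(dst, src, "Ingress", protocol, port, policies))

def policies_selecting_nothing(policies, pods):
    """The check behind the Ex2 troubleshooting: a policy whose podSelector matches no pod is suspect."""
    return [p["metadata"]["name"] for p in policies
            if not any(pod.namespace == p["metadata"]["namespace"]
                       and selector_matches(p["spec"].get("podSelector"), pod.labels)
                       for pod in pods)]

def tcp80_rule(peer_key, app_label):
    """One ingress/egress rule: peer podSelector app=<label>, TCP port 80 (as in the manifests)."""
    return {peer_key: [{"podSelector": {"matchLabels": {"app": app_label}}}],
            "ports": [{"protocol": "TCP", "port": 80}]}

# Ex1 pods and policy, transcribed from the manifests above.
API = Pod("api-server", "app-space", {"app": "api", "tier": "backend"})
FRONTEND = Pod("frontend-client", "app-space", {"app": "frontend", "tier": "frontend"})
OTHER = Pod("other-client", "app-space", {"app": "legacy", "tier": "other"})
EX1_POLICIES = [make_policy("api-ingress-policy", "app-space", {"app": "api", "tier": "backend"},
                            ["Ingress"], {"ingress": [tcp80_rule("from", "frontend")]})]

# Ex2 pods and policies; the egress policy is built with either the wrong or the fixed label.
DB = Pod("database-pod", "db-secure", {"app": "db"})
BACKUP = Pod("backup-service", "db-secure", {"app": "backup"})
EXTERNAL = Pod("external-service-sim", "db-secure", {"app": "external"})
DEFAULT_DENY = make_policy("default-deny", "db-secure", {}, ["Ingress", "Egress"])
BACKUP_INGRESS = make_policy("allow-backup-ingress", "db-secure", {"app": "backup"},
                             ["Ingress"], {"ingress": [tcp80_rule("from", "db")]})

def ex2_policies(corrected):
    label = "db" if corrected else "db-wrong-label"
    egress = make_policy("allow-db-to-backup", "db-secure", {"app": label},
                         ["Egress"], {"egress": [tcp80_rule("to", "backup")]})
    return [DEFAULT_DENY, BACKUP_INGRESS, egress]

def ex1_results():
    return {"frontend": connection_allowed(FRONTEND, API, 80, EX1_POLICIES),
            "other": connection_allowed(OTHER, API, 80, EX1_POLICIES)}

def ex2_results(corrected):
    pols = ex2_policies(corrected)
    return {"to_backup": connection_allowed(DB, BACKUP, 80, pols),
            "to_external": connection_allowed(DB, EXTERNAL, 80, pols),
            "unselected": policies_selecting_nothing(pols, [DB, BACKUP, EXTERNAL])}
```

ex1_results() gives frontend True and other False; ex2_results(False) gives both connections False and lists allow-db-to-backup as a policy that selects no Pod, which is exactly what the kubectl describe in the troubleshooting file reveals; ex2_results(True) gives to_backup True and to_external False. Two things the model makes explicit that the wget tests do not: the unselected-policy check is cheap to run against real policies (kubectl get networkpolicy -o json plus the Pod labels) before suspecting the CNI, and a default-deny that includes Egress also blocks DNS lookups to kube-dns, which is why the exercise tests by Pod IP rather than by name.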
Cleanup commands:
kubectl delete namespace db-secure
rm -rf /opt/cka_exercises/reseau/Ex2