Last Updated on June 11, 2024
Quick Summary
This blog covers a step-by-step guide on implementing network policies in GKE with Calico. It covers prerequisites, GCP authentication, accessing the GKE cluster, validating Calico, installing Calicoctl, and applying network policies.
Table of Contents
Introduction
Managing network security within a Kubernetes cluster is essential for safeguarding sensitive data and ensuring smooth operations. Network policies serve as the backbone of this security framework, allowing administrators to control how pods communicate with each other. In Google Kubernetes Engine (GKE), Calico (an open-source networking and network security solution) provides solid support for implementing these network policies effectively. In this hands-on tutorial, we’ll explore how to set up and configure network policies in GKE with Calicoto to enhance the security of your cluster.
Understanding Network Policies
Network policies act as traffic rules within a Kubernetes cluster; by defining these policies, administrators can enforce strict controls over network traffic, ensuring data integrity.
Moreover, using network policies simplifies managing data hosting for different user groups in your app infrastructure. These rules separate pods and services in different namespaces, preventing unauthorized access between them. It boosts data security and makes managing multi-tenant setups easier, ensuring smooth operations and data integrity across your apps.
Also, with Calico in GKE, implementing these policies becomes streamlined and efficient.
Before we explore Network Policies, it’s essential to ensure that you have the necessary prerequisites in place:
Prerequisites
1. GCP Account
First and foremost, you must have a Google Cloud Platform (GCP) account. This account forms the cornerstone for accessing and overseeing the assets within your Google Cloud Environment.
2. gcloud CLI
gcloud is a command-line interface for Google Cloud that provides access to a wide range of Google Cloud services, including GKE. With gcloud, you can create and manage GKE clusters, interact with Kubernetes resources, configure authentication, and perform various other tasks related to the Google Cloud Platform. The gcloud CLI can be installed using the package format on Debian and Ubuntu systems.
Also, ensure your operating system meets the following requirements before installing the gcloud CLI:
a) Open a terminal window
b) Update the package list using the command:
sudo apt-get update
c) Proceed to install the necessary dependencies
sudo apt-get install apt-transport-https ca-certificates gnupg curl
Now, for newer distributions, import the Google Cloud public key with the provided command.
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
Include the gcloud CLI distribution URI as a package source.
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
Refresh the package list and proceed with the installation of the gcloud CLI
sudo apt-get update && sudo apt-get install google-cloud-cli
If you have any other operating system, then you can refer to https://cloud.google.com/sdk/docs/install
3. kubectl
Kubectl is a command-line tool for interacting with Kubernetes clusters. It enables users to deploy and manage applications, inspect cluster resources, scale applications, and troubleshoot issues within Kubernetes environments.
Install kubectl binary in Linux system
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
Install kubectl
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
Check the version you installed is up-to-date:
kubectl version --client
To engage with Google Kubernetes Engine (GKE) clusters via kubectl or similar Kubernetes clients, you need an authentication plugin called gke-gcloud-auth-plugin. This plugin utilizes the Client-go Credential Plugins framework to simplify the retrieval of authentication tokens.
These tokens are essential for establishing secure communication channels between the Kubernetes client and GKE clusters. Users can securely authenticate and access their GKE clusters by utilizing this authentication mechanism, enabling seamless management and operation of containerized workloads within the Kubernetes environment.
sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin
To check the version of the gke-gcloud-auth-plugin binary, you can use the following command:
gke-gcloud-auth-plugin --version
4. GKE Cluster
Ensure you have a GKE cluster in your Google Cloud project. If you haven’t created one yet, you can do it through the Google Cloud Console or the ‘gcloud’ command-line tool. Make sure the cluster is set up correctly with the settings you want, like the number of nodes, type of machines, and network options.
By ensuring that these prerequisites are met, you’ll be well-equipped to embark on the journey of configuring Network Policies within your GKE cluster, enhancing security and control over network communication for your containerized applications.
Authenticate with GCP Account
To authenticate with your Google Cloud Platform (GCP) account, you’ll need to use the gcloud CLI. “gcloud init” assists in configuring a new or existing configuration, tailoring properties within that configuration such as the current project, and optionally, specifying the default Google Compute Engine region and zone preferences.
gcloud init
To authenticate a user account with gcloud, run.
gcloud auth login
Set the default project.
gcloud config set project ${PROJECT_ID}
Here, PROJECT_ID refers to the name of your project.
When you run this command in your terminal, it opens a web browser window where you can sign in to your Google account associated with your GCP account. After successful authentication, the Google Cloud SDK is granted access to your GCP resources using the credentials of the signed-in account. This authentication allows you to interact with and manage your GCP resources using the gcloud command-line tool from your local environment.
Access the GKE Cluster
To update the kubectl configuration to use the plugin and authenticate with a specific GKE cluster, you can use the following command:
gcloud container clusters get-credentials CLUSTER_NAME --region COMPUTE_REGION --project PROJECT_ID
Replace the placeholders with the actual values as follows:
- CLUSTER_NAME: Replace this with the name of your GKE cluster.
- COMPUTE_REGION: Replace this with the Compute Engine region where your cluster is located. If your cluster is zonal, use –zone=COMPUTE_ZONE instead and replace COMPUTE_ZONE with the specific zone where your cluster resides.
It retrieves the authentication credentials for the specified GKE cluster from the Google Cloud Platform and updates the kubeconfig file on your local system. This kubeconfig file contains the cluster authentication information, including the cluster endpoint, authentication token, and other necessary details. With this account, you can authenticate and engage with the GKE cluster via kubectl commands.
Verify the cluster access,
kubectl get namespaces
The output is similar to the following:
NAME STATUS AGE default Active 51d kube-node-lease Active 51d kube-public Active 51d kube-system Active 51d
Opt for our Kubernetes Consulting Services and fortify your infrastructure with expert guidance today!
Enable the Network Policy in the GKE cluster
By default, GKE clusters lack Network Policy enforcement, exposing your applications to potential unauthorized access or malicious actions. However, with Network Policy, you can define and enforce communication rules between pods, effectively creating a micro-segmentation strategy within your cluster.
Requirements and limitations
Enabling network policy enforcement necessitates the recreation of your nodes. If your GKE cluster currently falls within an active maintenance window, the nodes won’t undergo automatic recreation until the subsequent maintenance window. However, for more immediate implementation, you have the option to manually upgrade your cluster at any time, ensuring timely enforcement of network policies to bolster your cluster’s security posture.
For optimal performance and resource allocation, it’s recommended to have a minimum cluster size of three e2-medium instances when implementing network policy enforcement.
Clusters utilizing f1-micro or g1-small instances are not supported for network policy enforcement due to their limited resources, which may not meet the requirements for effective policy enforcement.
Steps To Enable the Network Policies in Google Kubernetes Engine(GKE) Cluster
To enable network policy enforcement for an existing cluster, follow these steps:
gcloud container clusters update CLUSTER_NAME --update-addons=NetworkPolicy=ENABLED
Replace CLUSTER_NAME with the name of the cluster.
Execute the command below to enable network policy enforcement on your cluster, subsequently initiating the recreation of your cluster’s node pools with network policy enforcement enabled:
gcloud container clusters update CLUSTER_NAME --enable-network-policy
After executing this command, GKE will recreate your cluster’s node pools network policy enforcement enabled
Verify that all your nodes were re-created:
kubectl get nodes -l projectcalico.org/ds-ready=true
Validate the Calico Configuration
To verify the Calico configuration using the gcloud describe cluster command and confirm that Calico is the network policy provider, you can follow these steps:
1. Open your terminal or command prompt.
2. Run the following command to describe your GKE cluster:
gcloud container clusters describe [CLUSTER_NAME]
Replace [CLUSTER_NAME] with the name of your GKE cluster.
3. Look for the networkPolicy field in the output. If Calico is the network policy provider, you should see “networkPolicy”: “CALICO”.
Here’s an example of what the output might look like:
networkPolicy: CALICO
Install calicoctl
When applying network policies specifically managed by Calico within a Kubernetes cluster, you’ll need to use calicoctl instead of kubectl. Calico provides its own set of network policies, and while they are Kubernetes-native, they are managed through the Calico network policy API.
To install the Calicoctl binary on your Ubuntu host, follow these steps:
curl -L https://github.com/projectcalico/calico/releases/download/v3.27.3/calicoctl-linux-amd64 -o calicoctl
To set the Calicoctl binary file to be executable
chmod +x ./calicoctl
Check the calicoctl version
Client Version: v3.26.3 Git commit: bdb7878af Cluster Version: v3.26.3-gke.7 Cluster Type: typha,kdd
Apply Network Policies in GKE with Calico
Calico network policy offers granular control over network traffic within Kubernetes clusters, allowing administrators to define policies based on labels, namespaces, IP addresses, and other criteria for precise access control. Moreover, Calico’s seamless integration with Kubernetes and other orchestration platforms ensures smooth deployment and management of network policies across diverse environments, promoting consistency and scalability in network security management.
Hire Kubernetes developers to streamline your GKE deployment and ensure robust policy enforcement with Calico.
Calico Network Policy
Calico network policy seamlessly integrates with Kubernetes network policies, offering flexibility in security management strategies. Organizations can leverage both Calico and Kubernetes network policies concurrently or independently, depending on their specific security requirements and operational preferences.
Calico network policies and Calico global network policies are implemented using calicoctl. Their syntax is similar to Kubernetes network policies, but there are a few key differences.
Refer to https://docs.tigera.io/calico/latest/reference/calicoctl/overview for more information.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: allow-test-only
namespace: test
spec:
selector: env == 'test'
ingress:
- action: Allow
source:
selector: env == 'test'
namespaceSelector: env == 'test'
- action: Allow
protocol: TCP
source:
nets:
- 35.191.0.0/16
- 130.211.0.0/22
destination:
ports:
- 8080
- 80
- 443
In a multi-tenant Kubernetes setup, managing traffic within namespaces is simplified by labeling resources like pods, deployments, and namespaces. These labels enable Calico network policies to enforce rules on traffic flow, ensuring security and isolation.
This NetworkPolicy named “allow-test-only” is specifically designed for the “test” namespace within a Kubernetes cluster, aiming to control ingress traffic to pods labeled with “env=test” within that namespace. The CIDR ranges 35.191.0.0/16 and 130.211.0.0/22 likely correspond to the IP address ranges used by the application load balancer (ALB) for health checks.
You can refer to the link https://cloud.google.com/load-balancing/docs/firewall-rules for more information.
Global Network Policy
GlobalNetworkPolicy resources in Calico provide a powerful means to define network connectivity rules that span across namespaces and apply to both workload endpoints and host endpoints within a Kubernetes cluster. Unlike namespaced network policies, which are limited to specific namespaces, GlobalNetworkPolicy rules have a broader scope and can impact all endpoints in the cluster.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: allow-http-and-https
spec:
types:
- Ingress
- Egress
ingress:
- action: Allow
protocol: TCP
destination:
ports:
- 80
- 443
- action: Deny
egress:
- action: Allow
This GlobalNetworkPolicy allows incoming HTTP (port 80) and HTTPS (port 443) traffic. It denies all other incoming traffic. It allows all outgoing traffic.
Conclusion
In conclusion, implementing network policies in GKE with Calico provides solid security and governance for your Kubernetes clusters. As more organizations use Kubernetes for their containerized workloads, learning how to implement network policies with Calico becomes an essential skill. With network policies, we have successfully segmented our network, restricted unauthorized access, and reduced security risks by setting specific connectivity rules based on pod labels, protocols, and ports. This control ensures compliance with security best practices and protects sensitive workloads and data from potential threats. Hence, this hands-on approach empowers you to effectively manage and protect your containerized environments.
Related Blogs
Expand Your Digital Horizons With Us
Start a new project or take an existing one to the next level. Get in touch to start small, scale-up, and go Agile.
Your Success Is Guaranteed !
We accelerate the release of digital product and guaranteed their success
We Use Slack, Jira & GitHub for Accurate Deployment and Effective Communication.