From c8eb9126e93297b35061bb97a8430e437e5048b5 Mon Sep 17 00:00:00 2001 From: Sharjeel Aziz Date: Wed, 12 Feb 2020 14:06:51 -0500 Subject: [PATCH] Cleanup and implement style guidelines. (#18980) * Reworded paragraphs to reduce ambiguity. * Added min-kubernetes-server-version metadata. * Converted yaml to a downloadable resource. --- .../declare-network-policy.md | 77 ++++++++----------- .../service/networking/nginx-policy.yaml | 13 ++++ 2 files changed, 44 insertions(+), 46 deletions(-) create mode 100644 content/en/examples/service/networking/nginx-policy.yaml diff --git a/content/en/docs/tasks/administer-cluster/declare-network-policy.md b/content/en/docs/tasks/administer-cluster/declare-network-policy.md index b282fd6514d33..edb389c46f3ac 100644 --- a/content/en/docs/tasks/administer-cluster/declare-network-policy.md +++ b/content/en/docs/tasks/administer-cluster/declare-network-policy.md @@ -3,6 +3,7 @@ reviewers: - caseydavenport - danwinship title: Declare Network Policy +min-kubernetes-server-version: v1.8 content_template: templates/task --- {{% capture overview %}} @@ -30,7 +31,7 @@ The above list is sorted alphabetically by product name, not by recommendation o ## Create an `nginx` deployment and expose it via a service -To see how Kubernetes network policy works, start off by creating an `nginx` deployment. +To see how Kubernetes network policy works, start off by creating an `nginx` Deployment. ```console kubectl create deployment nginx --image=nginx @@ -39,7 +40,7 @@ kubectl create deployment nginx --image=nginx deployment.apps/nginx created ``` -And expose it via a service. +Expose the Deployment through a Service called `nginx`. ```console kubectl expose deployment nginx --port=80 
@@ -49,7 +50,7 @@ kubectl expose deployment nginx --port=80 service/nginx exposed ``` -This runs a `nginx` pods in the default namespace, and exposes it through a service called `nginx`. +The above commands create a Deployment with an nginx Pod and expose the Deployment through a Service named `nginx`. The `nginx` Pod and Deployment are found in the `default` namespace. ```console kubectl get svc,pod 
@@ -64,59 +65,43 @@ NAME READY STATUS RESTARTS AGE pod/nginx-701339712-e0qfq 1/1 Running 0 35s ``` -## Test the service by accessing it from another pod +## Test the service by accessing it from another Pod -You should be able to access the new `nginx` service from other pods. To test, access the service from another pod in the default namespace. Make sure you haven't enabled isolation on the namespace. - -Start a busybox container, and use `wget` on the `nginx` service: +You should be able to access the new `nginx` service from other Pods. To access the `nginx` Service from another Pod in the `default` namespace, start a busybox container: ```console kubectl run --generator=run-pod/v1 busybox --rm -ti --image=busybox -- /bin/sh ``` -```console -Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false +In your shell, run the following command: -Hit enter for command prompt +```shell +wget --spider --timeout=1 nginx +``` -/ # wget --spider --timeout=1 nginx +```none Connecting to nginx (10.100.0.16:80) -/ # +remote file exists ``` ## Limit access to the `nginx` service -Let's say you want to limit access to the `nginx` service so that only pods with the label `access: true` can query it. To do that, create a `NetworkPolicy` that allows connections only from those pods: +To limit the access to the `nginx` service so that only Pods with the label `access: true` can query it, create a NetworkPolicy object as follows: -```yaml -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: access-nginx -spec: - podSelector: - matchLabels: - app: nginx - ingress: - - from: - - podSelector: - matchLabels: - access: "true" -``` +{{< codenew file="service/networking/nginx-policy.yaml" >}} {{< note >}} -In the case, the label `app=nginx` is automatically added. +NetworkPolicy includes a `podSelector` which selects the grouping of Pods to which the policy applies. 
You can see this policy selects Pods with the label `app=nginx`. The label was automatically added to the Pod in the `nginx` Deployment. An empty `podSelector` selects all pods in the namespace. {{< /note >}} - ## Assign the policy to the service -Use kubectl to create a NetworkPolicy from the above nginx-policy.yaml file: +Use kubectl to create a NetworkPolicy from the above `nginx-policy.yaml` file: ```console -kubectl apply -f nginx-policy.yaml +kubectl apply -f https://k8s.io/examples/service/networking/nginx-policy.yaml ``` ```none 
@@ -124,40 +109,40 @@ networkpolicy.networking.k8s.io/access-nginx created ``` ## Test access to the service when access label is not defined -If we attempt to access the nginx Service from a pod without the correct labels, the request will now time out: +When you attempt to access the `nginx` Service from a Pod without the correct labels, the request times out: ```console kubectl run --generator=run-pod/v1 busybox --rm -ti --image=busybox -- /bin/sh ``` -```console -Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false +In your shell, run the command: -Hit enter for command prompt +```shell +wget --spider --timeout=1 nginx +``` -/ # wget --spider --timeout=1 nginx +```none Connecting to nginx (10.100.0.16:80) wget: download timed out -/ # ``` ## Define access label and test again -Create a pod with the correct labels, and you'll see that the request is allowed: +You can create a Pod with the correct labels to see that the request is allowed: ```console kubectl run --generator=run-pod/v1 busybox --rm -ti --labels="access=true" --image=busybox -- /bin/sh ``` -```console -Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false +In your shell, run the command: -Hit enter for command prompt +```shell +wget --spider --timeout=1 nginx +``` -/ # wget --spider --timeout=1 nginx +```none Connecting to nginx (10.100.0.16:80) -/ # +remote file exists ``` -{{% /capture %}} - +{{% /capture %}} diff --git a/content/en/examples/service/networking/nginx-policy.yaml b/content/en/examples/service/networking/nginx-policy.yaml new file mode 100644 index 0000000000000..89ee9886925e7 --- /dev/null +++ b/content/en/examples/service/networking/nginx-policy.yaml @@ -0,0 +1,13 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: access-nginx +spec: + podSelector: + matchLabels: + app: nginx + ingress: + - from: + - podSelector: + matchLabels: + access: "true"
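Review bot: The new `nginx-policy.yaml` leaves `policyTypes` implicit, so a reader has to know the API default (Ingress only, because the spec carries only `ingress` rules) to see that egress from the nginx Pod is not restricted by this policy; adding `policyTypes:` and `- Ingress` under `spec` states the intent directly. The `from` entry uses a bare `podSelector`, which matches only Pods in the policy's own namespace, so a comment such as `# only Pods in this namespace with access=true; other namespaces are not allowed in` above `- podSelector:` would stop readers assuming the `access: "true"` label works cluster-wide. Both `policyTypes` and egress rules are available from v1.8, which matches the `min-kubernetes-server-version` the page now sets, so the explicit field does not raise the version floor.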