Calico and simple policy

1. Anirban Sen Chowdhary

2. “Project Calico is the world's simplest, most scalable, open networking
solution for OpenStack”.
Calico, a pure layer3 approach to Virtual Networking for highly scalable &
flexible Data centers. It is a open-source technology, that implements
large, standards-based cloud data center infrastructures
Calico supports rich and flexible network policy that enforces on every
node in a cluster, to provide tenant isolation, security groups, and external
reachability constraints.

3. There is security layer into Calico that enables developers and operations
staff to easily define with fine granularity which connections are allowed,
and which are not. These rules implement and extend the Kubernetes
Network Policy API.

4. There are basically 3 policy demo we can configure:
* Simple Policy Demo
* Stars Policy Demo
* Advanced Policy Demo

5. We will discuss on the overview of Simple Policy Demo.
Lastime, we discussed Star Policy here:
https://www.slideshare.net/anir37/calico-and-stars-policy

7. It includes demo try out Kubernetes NetworkPolicy with Calico, as well as a
client service for all running on Kubernetes.
It requires a Kubernetes cluster configured with Calico networking, and
expects that you have kubectl configured to interact with the cluster.

8. We need to install Kubernetes in the system which includes Network Policy
API.
We need to get the following thing:
Calico
and then need to get into star-policy directory of Calico

9. 1) We need to create some nginx pods in the policy-demo Namespace, and
expose them through a Service.:
2) Also we need to ensure the nginx service is accessible:

10. Enable isolation:
Now this is the important part…. let’s turn on isolation in our policy-demo
Namespace which will then prevent connections to pods in this
Namespace.
We will now run the command that creates a NetworkPolicy which
implements a default deny behavior for all pods in the policy-demo
Namespace.

11. Allow Access using a NetworkPolicy :
Now, let’s enable access to the nginx Service using a NetworkPolicy. This
will allow incoming connections from our access Pod, but not from
anywhere else.
We need to now create a network policy access-nginx with the following
contents:

12. That’s it!
We should now be able to access the Service from the access Pod.

13. We can remove the policy using following:
As you can see, this is just a simple example of the Kubernetes
NetworkPolicy API and how Calico can secure your Kubernetes cluster.

14. In next slides, we will discuss the overview on other policy demo.
Lets share our knowledge and effort on community so that the Calico
community grows.

15. For more information visit
https://www.projectcalico.org/
https://docs.projectcalico.org/v2.6/introduction/
https://blog.tigera.io/tagged/calico