Network Policy

Network Policy

What is Network Policy

Starting from v3.0.0, users can configure network policies of native Kubernetes in KubeSphere. Network Policies are an application-centric construct, enabling you to specify how a pod is allowed to communicate with various network entities over the network. With network policies, users can achieve network isolation within the same cluster, which means firewalls can be set up between certain instances (pods).

Note

Please make sure that the CNI network plugin used by the cluster supports Network Policies before you enable it. There are a number of CNI network plugins that support Network Policies, including Calico, Cilium, Kube-router, Romana and Weave Net.
It is recommended that you use Calico as the CNI plugin before you enable Network Policy.

For more information, see Network Policies.

Enable Network Policy before Installation

Installing on Linux

When you install KubeSphere on Linux, you need to create a configuration file, which lists all KubeSphere components.

In the tutorial of Installing KubeSphere on Linux, you create a default file config-sample.yaml. Modify the file by executing the following command:

vi config-sample.yaml

Note

If you adopt All-in-one Installation, you do not need to create a config-sample.yaml file as you can create a cluster directly. Generally, the all-in-one mode is for users who are new to KubeSphere and look to get familiar with the system. If you want to enable Network Policy in this mode (e.g. for testing purpose), refer to the following section to see how Network Policy can be installed after installation.

In this file, navigate to networkpolicy and change false to true for enabled. Save the file after you finish.

networkpolicy:
    enabled: true # Change "false" to "true"

Create a cluster using the configuration file:

./kk create cluster -f config-sample.yaml

Installing on Kubernetes

When you install KubeSphere on Kubernetes, you need to download the file cluster-configuration.yaml for cluster setting. If you want to install Network Policy, do not use kubectl apply -f directly for this file.

In the tutorial of Installing KubeSphere on Kubernetes, you execute kubectl apply -f first for the file kubesphere-installer.yaml. After that, to enable Network Policy, create a local file cluster-configuration.yaml.

vi cluster-configuration.yaml

Copy all the content in the file cluster-configuration.yaml and paste it to the local file just created.
In this local cluster-configuration.yaml file, navigate to networkpolicy and enable Network Policy by changing false to true for enabled. Save the file after you finish.

networkpolicy:
    enabled: true # Change "false" to "true"

Execute the following command to start installation:

kubectl apply -f cluster-configuration.yaml

Enable Network Policy after Installation

Click CRDs and enter clusterconfiguration in the search bar. Click the result to view its detailed page.

Info

A Custom Resource Definition (CRD) allows users to create a new type of resources without adding another API server. They can use these resources like any other native Kubernetes objects.

In Resource List, click the three dots on the right of ks-installer and select Edit YAML.

In this yaml file, navigate to networkpolicy and change false to true for enabled. After you finish, click Update in the bottom-right corner to save the configuration.

networkpolicy:
    enabled: true # Change "false" to "true"

You can use the web kubectl to check the installation process by executing the following command:

kubectl logs -n kubesphere-system $(kubectl get pod -n kubesphere-system -l app=ks-install -o jsonpath='{.items[0].metadata.name}') -f

Tip

You can find the web kubectl tool by clicking the hammer icon in the bottom-right corner of the console.

Verify the Installation of Component

If you can see Network Policies in Network as the image below, it means the installation succeeds as this part won’t display until you install the component.