Deploying k8s to Azure does not automatically obey Network Policies #1526

Closed
sgibson91 opened this issue Dec 20, 2019 · 1 comment · Fixed by #1527

Comments

@sgibson91
Member

As we have discovered in jupyterhub/mybinder.org-deploy#1154 (comment), network policies defined in helm charts won't automatically be obeyed as expected when using a k8s cluster on Azure.

To enforce this, the k8s cluster needs to be deployed into a vnet with network policies enabled. Currently, this must be done at the deployment stage and cannot be retroactively applied to existing clusters.

I can contribute some documentation on how to set up a vnet with network policies and deploy the cluster into it 🙂

@consideRatio
Member

consideRatio commented Dec 20, 2019

@sgibson91 yepp!

Kubernetes does not by default come with something, called a controller, that enforces what is described in k8s networkpolicy resources. On GKE you can get that automatically installed if you press something similar in the k8s cluster setup.

For the documentation, it should be a general note about this alongside specific cloud provider implementation details on how to go about setting up a controller that can enforce the policies.

In the CI/CD testing of this repo, we install this manually into the k8s cluster - project calico.

zero-to-jupyterhub-k8s/dev

Lines 136 to 162 in de3a30b

# To test network policies, we need a custom CNI like Calico. We have disabled
# the default CNI through kind-config.yaml and will need to manually install a
# CNI for the nodes to become Ready.
print("Installing a custom CNI: Calico (async, in cluster)")
_run(
    cmd=[
        "kubectl", "apply",
        "-f", "https://docs.projectcalico.org/v3.10/manifests/calico.yaml",
    ],
    print_end="",
)
# NOTE: daemonset/calico-node pods' main container fails to start up without
# an additional environment variable configured to disable a check
# that we fail.
#
# env:
#   - name: FELIX_IGNORELOOSERPF
#     value: "true"
_run(
    cmd=[
        "kubectl", "patch", "daemonset/calico-node",
        "--namespace", "kube-system",
        "--type", "json",
        "--patch", '[{"op":"add", "path":"/spec/template/spec/containers/0/env/-", "value":{"name":"FELIX_IGNORELOOSERPF", "value":"true"}}]',
    ],
)
