Deploy Application
We will deploy a microservices application, then demonstrate how to use Calico application layer policy to mitigate some common threats.
Install the demo application
We will use a simple microservice application to demonstrate Calico application layer policy. The YAO Bank application creates a customer-facing web application and a microservice that serves up account summaries.
https://docs.projectcalico.org/security/tutorials/app-layer-policy/manifests/10-yaobank.yaml
Step1: Deploy the Application
kubectl apply -f \
https://docs.projectcalico.org/security/tutorials/app-layer-policy/manifests/10-yaobank.yaml
Step2: Verify that the application pods have been created and are ready.
kubectl get pods
Step3: Identify the Services running
kubectl get svc
Step4: Log in to the Customer Pod and check access to the database.
Note: Replace the pod name with your own pod
kubectl exec -ti customer-<fill in pod ID> -c customer -- bash
or
Use K9s to log in to the Customer Pod
Step5: Notice that from here, we get direct access to the backend database. For example, we can list all the entries in the database like this:
curl http://database:2379/v2/keys?recursive=true
Apply the Network Policies
calicoctl apply -f trafficflow.yaml
The above policy protects the database from being accessed by the Customer application; access is allowed from Summary instead.
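The page does not show the contents of trafficflow.yaml. As an added example (not the page's own file), a Calico policy with the effect described above could look like the following; the policy name, the default namespace and the app labels are assumptions.

```yaml
# Added example: hypothetical contents for a file such as trafficflow.yaml.
# Assumptions: the YAO Bank pods run in the "default" namespace and carry the
# labels app=database, app=summary and app=customer.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: database-allow-summary   # hypothetical policy name
  namespace: default
spec:
  # The policy applies to the database pods only.
  selector: app == 'database'
  types:
    - Ingress
  ingress:
    # Only the summary microservice may reach the database port used above.
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'summary'
      destination:
        ports:
          - 2379
  # No rule matches the customer pods, so their connections to database:2379
  # fall through to the default deny Calico applies to endpoints that are
  # selected by at least one policy.
```

When testing a policy like this from a blocked pod, add a timeout to the request (for example curl --max-time 5), because dropped connections otherwise hang until curl gives up on its own.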
Step6: Log in to the Customer Pod and check access to the database.
Note: Replace the pod name with your own pod
kubectl exec -ti customer-<fill in pod ID> -c customer -- bash
or
Use K9s to log in to the Customer Pod
Step7: Check the DB Access
curl http://database:2379/v2/keys?recursive=true
Step8: Exit from Customer Pod
exit
Step9: Log in to the Summary Pod and check access to the database.
Note: Replace the pod name with your own pod
kubectl exec -ti summary-<fill in pod ID> -c summary -- bash
or
Use K9s to log in to the Summary Pod
Step10: Check the DB Access
curl http://database:2379/v2/keys?recursive=true
Now it should not work.
Step11: Exit from Summary Pod
exit
Delete the Policy
Now delete the policy and check.