Kubernetes Security with Calico and Istio
  • Introduction
  • Getting Started
    • Course Introduction
    • Virtual Training Practices
    • Training Plan
    • Tools and Configuration
    • Troubleshooting
  • K8s Cluster Setup
    • Create Azure Account
    • Activate Credits
    • Create Cloud Shell
    • AKS Cluster Setup
  • Understand K8s
    • Pod Connectivity
    • Deployments
    • Service Cluster IP
    • Service NodePort
    • Service LoadBalancer
    • Configmap
    • Secrets
  • Calico
    • Network Security Policies
    • Understand Calico Policy
    • Calico Service Rules
    • ICMP/Ping Rules
  • Istio
    • Istio Setup Helm
    • Istio Setup Manual
    • Deploy Application
    • Peer Authentication
    • Calico Istio Policies
  • Refrences
Powered by GitBook
On this page
  • Install the demo application
  • Apply the Network Policies
  • Delete the Policy

Was this helpful?

  1. Istio

Deploy Application

We will deploy a microservices application, then demonstrates how to use Calico application layer policy to mitigate some common threats.

Install the demo application

We will use a simple microservice application to demonstrate Calico application layer policy. The YAO Bank application creates a customer-facing web application, a microservice that serves up account summaries.

https://docs.projectcalico.org/security/tutorials/app-layer-policy/manifests/10-yaobank.yaml

Step1: Deploy the Application

kubectl apply -f \
https://docs.projectcalico.org/security/tutorials/app-layer-policy/manifests/10-yaobank.yaml

Step2: Verify that the application pods have been created and are ready.

kubectl get pods

Step3: Identify the Services running

kubectl get svc

Step4: Login to the Customer Pod and Check the Access Database.

Note: Replace the podname with your own pod

kubectl exec -ti customer-<fill in pod ID> -c customer -- bash

or

Use the K9s to login to Customer Pod

Step5: Notice that from here, we get direct access to the backend database. For example, we can list all the entries in the database like this:

curl http://database:2379/v2/keys?recursive=true

Apply the Network Policies

Download Policy

calicoctl apply -f trafficflow.yaml

The above policy will protect the database being access by Customer Application, Rather allowed from Summary.

Step6: Login to the Customer Pod and Check the Access Database.

Note: Replace the podname with your own pod

kubectl exec -ti customer-<fill in pod ID> -c customer -- bash

or

Use the K9s to login to Customer Pod

Step7: Check the DB Access

curl http://database:2379/v2/keys?recursive=true

Step7: Exit from Customer Pod

exit

Step8: Login to the Summary Pod and Check the Access Database.

Note: Replace the podname with your own pod

kubectl exec -ti summary-<fill in pod ID> -c summary -- bash

or

Use the K9s to login to Summary Pod

Step7: Check the DB Access

curl http://database:2379/v2/keys?recursive=true

Now it should not work.

Step7: Exit from Customer Pod

exit

Delete the Policy

Now Delete the Policy and Check.

PreviousIstio Setup ManualNextPeer Authentication

Last updated 3 years ago

Was this helpful?