Deploy Application
We will deploy a microservices application, then demonstrate how to use Calico application layer policy to mitigate some common threats.
Install the demo application
We will use a simple microservice application to demonstrate Calico application layer policy. The YAO Bank application consists of a customer-facing web application, a summary microservice that serves up account summaries, and a backend database. The manifest is available at:
https://docs.projectcalico.org/security/tutorials/app-layer-policy/manifests/10-yaobank.yaml
Step 1: Deploy the Application
kubectl apply -f \
https://docs.projectcalico.org/security/tutorials/app-layer-policy/manifests/10-yaobank.yaml
Step 2: Verify that the application pods have been created and are ready.
kubectl get pods
Step 3: Identify the Services running
kubectl get svc
Step 4: Log in to the Customer Pod and check access to the database.
Note: Replace the pod name with your own pod.
kubectl exec -ti customer-<fill in pod ID> -c customer -- bash
or use K9s to log in to the Customer Pod.
Step 5: Notice that from here, we get direct access to the backend database. For example, we can list all the entries in the database like this:
curl http://database:2379/v2/keys?recursive=true
Apply the Network Policies
calicoctl apply -f trafficflow.yaml
The above policy protects the database from being accessed by the Customer application; access is allowed only from the Summary microservice.
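The content of trafficflow.yaml is not shown on this page. The following is an added, illustrative Calico NetworkPolicy (not the tutorial's own file) that implements the intent described above: only the summary pod may reach the database on its etcd port, and everything else, including the customer pod, is denied. It assumes the YAO Bank pods carry the labels app=customer, app=summary and app=database in the default namespace; check your pod labels with kubectl get pods --show-labels before applying it.

```yaml
# Added illustrative policy, not the tutorial's trafficflow.yaml.
# Assumption: YAO Bank pods are labelled app=summary / app=database
# and run in the "default" namespace.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: database-allow-summary-only
  namespace: default
spec:
  # Apply this policy to the database pod(s) only.
  selector: app == 'database'
  types:
  - Ingress
  ingress:
  # Allow the summary microservice to reach the etcd client port.
  - action: Allow
    protocol: TCP
    source:
      selector: app == 'summary'
    destination:
      ports:
      - 2379
  # Explicitly deny everything else (e.g. the customer pod). Once a policy
  # selects a pod, unmatched ingress traffic is dropped anyway; the explicit
  # rule documents the intent and is a convenient place to add logging later.
  - action: Deny
```

Apply it with calicoctl apply -f <file>, then repeat the curl check from both the customer and the summary pod to confirm that only the summary pod can reach the database.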
Step 6: Log in to the Customer Pod and check access to the database.
Note: Replace the pod name with your own pod.
kubectl exec -ti customer-<fill in pod ID> -c customer -- bash
or use K9s to log in to the Customer Pod.
Step 7: Check the DB Access
curl http://database:2379/v2/keys?recursive=true
Step 8: Exit from the Customer Pod
exit
Step 9: Log in to the Summary Pod and check access to the database.
Note: Replace the pod name with your own pod.
kubectl exec -ti summary-<fill in pod ID> -c summary -- bash
or use K9s to log in to the Summary Pod.
Step 10: Check the DB Access
curl http://database:2379/v2/keys?recursive=true
Now it should not work.
Step 11: Exit from the Summary Pod
exit
Delete the Policy
Now delete the policy and check the database access again.