PoC of CRD and controller for an enhanced network policy to address multi-cluster service networking implementation of the Multi-Cluster Services API.
Note: This is a limited proof of concept implementation currently for basic demo purposes. The longer term goal is to have a more complete implementation based on the eventual upstream kubernetes community's Multi-Cluster Network Policy API definition (a current draft proposalslides)
This repo defines an api (api/va1lpha1/multiclusterpolicy_types.go) and includes a golang implementation of a controller for this api. This implementation should work with multiple CNI implementations and multiple implementations of the K8s MultiCluster Services (MCS) API, although has so far only been tested using the upstream Kubernetes, weave CNI and the Submariner implementation of the MCS api.
-
Setup 2 k8s clusters with an implementation of the Multi-Cluster Services API (example using the procedure outlined at this link
-
Export an nginx deployment/ service from cluster 2 (example shown here but any standard method works. Confirm the service can be accessed by a client pod in cluster1 as described in the same link.
-
Clone this repo
-
Run 'make install' to deploy the multicluster policy CRD
-
Run 'make deploy IMG=srampal/mcs-netpol:0.4' to deploy the controller (if a newer version of the container is available on dockerhub, feel free to try the latest version)
-
Deploy test pods in cluster1 (kubectl apply -f config/samples/test-pods.yaml)
-
Verify that both test pods can access the remote nginx service (use 'curl nginx.default.svc.clusterset.local' from within the bash shell of each test pod.
-
Now apply the sample multicluster policy provided (kubectl apply -f config/samples/policy-1.yaml)
-
Repeat the test from step 7, confirm that the pod labeled color:blue are unable to access the remote service whereas the pod labeled color:red can continue to access. This confirms multicluster netwpro policy filtering operation.
Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.