Implementing Network Policies for Artifactory in Kubernetes

Vignesh Surendrababu
2020-08-19 16:15

What is a NetworkPolicy?

A NetworkPolicy is the Kubernetes resource that controls traffic between pods, or between pods and other network endpoints. With a NetworkPolicy you can restrict traffic to selected pods, while the other pods in the namespace continue to accept traffic from anywhere.

The following parts of the policy specification need to be considered when implementing a NetworkPolicy:

Ingress and Egress:
Ingress rules allow inbound traffic to the selected pods; egress rules allow outbound traffic from the selected pods.
podSelector:
Selects the pods to which this policy applies.
policyTypes:
Lists the types of rules the policy contains, for example Ingress, Egress, or both.

Instructions:

Step 1: To use network policies, you first have to enable network policy enforcement and install a container network interface (CNI) plugin that supports NetworkPolicy, such as Calico, Cilium or Weave.

Examples:
Amazon EKS: https://www.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/apply_network_policies/
GKE: https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy#gcloud_1
AKS: https://docs.microsoft.com/en-us/azure/aks/use-network-policies#create-an-aks-cluster-and-enable-network-policy

Step 2: Create the configuration file "configmaps.yaml" for the network policy

$ cat configmaps.yaml
networkpolicy:
  # Allows ingress to artifactory pods only from pods labelled component: nginx.
  - name: artifactory
    podSelector:
      matchLabels:
        app: artifactory
    ingress:
    - from:
      - podSelector:
          matchLabels:
            component: nginx
  # Allows ingress to postgresql pods only from artifactory pods.
  - name: postgres
    podSelector:
      matchLabels:
        app: postgresql
    ingress:
    - from:
      - podSelector:
          matchLabels:
            app: artifactory

 

Step 3: Install Artifactory with the created "configmaps.yaml" file using the command below

$ helm install --name artifactory --set artifactory.image.version=6.16.0 jfrog/artifactory --version 8.3.6 -f configmaps.yaml --namespace artifactory
 

Step 4: Now try to access the Artifactory pod from a pod without the correct labels; you will observe network timeouts.

Example: run a busybox container

$ kubectl run busybox --rm -ti --image=busybox -- /bin/sh

 

Step 5: From the busybox container, run curl or wget against the Artifactory ping endpoint

$ curl http://artifactory-artifactory:8081/artifactory/api/system/ping

Note: The request should time out because of the enforced network policies.

 

Step 6: Then run the same command from Step 5 from both the PostgreSQL and the Nginx pods. You will observe that the ping request succeeds only from the Nginx pod and not from the PostgreSQL pod or any other external client.
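To see why Steps 4 to 6 behave as they do, here is a small added Python model of NetworkPolicy ingress evaluation (it is not code from this page or from the JFrog chart). The pod labels it uses are constructed, so check the real ones in your cluster; it ignores namespaceSelector, ipBlock and port rules.

```python
"""Offline model of the NetworkPolicy ingress semantics behind Steps 4 to 6.
Added example (not from the page or the JFrog chart): podSelector/matchLabels
peers only, no namespaceSelector, ipBlock or ports; one namespace assumed."""

def matches(selector, labels):
    """matchLabels matches when every listed label is present with the same
    value; an empty selector ({}) matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, src_labels, dst_labels):
    """True if a pod with src_labels may send to a pod with dst_labels: a pod
    selected by no policy accepts everything; once any policy selects it, only
    traffic matching a 'from' peer of a selecting policy passes (additive)."""
    selecting = [p for p in policies if matches(p["podSelector"], dst_labels)]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy.get("ingress", []):
            peers = rule.get("from") or []
            if not peers:  # a rule with no or empty 'from' allows all sources
                return True
            if any("podSelector" in peer and matches(peer["podSelector"], src_labels)
                   for peer in peers):
                return True
    return False

# The page's configmaps.yaml 'networkpolicy' list, transcribed to Python.
POLICIES = [
    {"name": "artifactory",
     "podSelector": {"matchLabels": {"app": "artifactory"}},
     "ingress": [{"from": [{"podSelector": {"matchLabels": {"component": "nginx"}}}]}]},
    {"name": "postgres",
     "podSelector": {"matchLabels": {"app": "postgresql"}},
     "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "artifactory"}}}]}]},
]

# Constructed pod labels; confirm the real ones with: kubectl get pods --show-labels
ARTIFACTORY, NGINX = {"app": "artifactory"}, {"component": "nginx"}
POSTGRES, BUSYBOX = {"app": "postgresql"}, {"run": "busybox"}

def step_checks():
    """Expected outcome of each connection the page's steps try (True = allowed)."""
    return {
        "busybox->artifactory": ingress_allowed(POLICIES, BUSYBOX, ARTIFACTORY),
        "nginx->artifactory": ingress_allowed(POLICIES, NGINX, ARTIFACTORY),
        "postgres->artifactory": ingress_allowed(POLICIES, POSTGRES, ARTIFACTORY),
        "artifactory->postgres": ingress_allowed(POLICIES, ARTIFACTORY, POSTGRES),
        "nginx->busybox": ingress_allowed(POLICIES, NGINX, BUSYBOX),  # unselected pod
    }
```

The last entry shows the flip side of Step 4: the busybox pod itself is selected by no policy, so it still accepts traffic from anywhere.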

 

Step 7: If you would like the network policies to also cover the existing Artifactory HA nodes, append the YAML configuration below to the "configmaps.yaml" file mentioned above and apply the network policies with the following command

$ kubectl apply -f configmaps.yaml -n artifactory

 

Example (the first lines are the end of the existing artifactory entry, shown to mark where the new entry is appended):

    ingress:
    - from:
      - podSelector:
          matchLabels:
            component: nginx
  - name: artifactory-ha
    podSelector:
      matchLabels:
        app: artifactory
    ingress:
    - from:
      - podSelector:
          matchLabels:
            component: artifactory