We assume that the following tools are already properly installed under the demo's base directory.
- Clone a copy of this repo:
git clone [email protected]:shift-left-netconfig/online-boutique.git cd online-boutique- Change context to
net-demonamespace:kubectl config set-context --current --namespace=net-demo kubectl apply -f release/kubernetes-manifests.yaml- Make sure all pods are running
- Get the external IP of the frontend service by running
kubectl get svc frontend-external - Copy-paste the external IP into a browser, to make sure the application is running
Frontend can actually connect to payment-service directly. This can be demonstrated by running the following command (replace pod-name with the actual name):
kubectl exec frontend-54d58d8c84-dz9p2 -- wget paymentservice:50051
The output looks like
Connecting to paymentservice:50051 (172.21.109.255:50051)
wget: error getting response: Invalid argument
command terminated with exit code 1
So frontend was able to connect to the payment service, it just didn't use the correct arguments.
Create a branch for the change (can also use a fork)
git checkout -b add_netpols
Run analysis
../cluster-topology-analyzer/bin/net-top -dirpath . -commitid bfa5ba496e1ad30cba4545ab93ffa7082bd17eb9 -giturl https://github.com/shift-left-netconfig/online-boutique -gitbranch matser -outputfile microservices-demo.json
Run synthesis
../netpol-synthesizer/venv/Scripts/python ../netpol-synthesizer/src/netpol_synth.py microservices-demo.json -o release/microservices-netpols.yaml
Push the change and create a PR
git add release/microservices-netpols.yaml
git commit -m"adding network policies to enforce minimal connectivity"
git push --set-upstream origin add_netpols
Go to https://github.com/shift-left-netconfig and open a PR. Checks will show the new connectivity map, the diff from the previous state (diff is huge because we previously had all connections allowed, and now almost all conenctions are denied), and checks against baseline rules. The require-label-to-access-payments-service rule is expected to fail, because checkoutservice misses the usesPayments: true label.
Synthesis did not detect the baseline-requirements violation, because we didn't provide it with baseline rules.
We would like to enforce that only deployments with a given label, say payment_access: true,
will be allowed to access the payment service.
We will rerun the synthesis tool and provide it with a baseline-rules file:
../netpol-synthesizer/venv/Scripts/python ../netpol-synthesizer/src/netpol_synth.py microservices-demo.json -o release/microservices-netpols.yaml -b ../baseline-rules/examples/ciso_denied_ports.yaml -b ../baseline-rules/examples/restrict_access_to_payment.yaml
Since checkoutservice currently does not have the required label, the synthesis tool reports a conflict (currently as a warning), and the synthesized network policies should deny access. As a result, if the policies are deployed, the application breaks.
Add the following label after line 86 in release/kubernetes-manifests.yaml
usesPayments: "true"
After adding the right label to the deployment, rerun analysis and synthesis (should now issue no warnings). Then push the change to the branch.
git add release/kubernetes-manifests.yaml
git commit -m"labeling checkout service with usesPayments=true"
git push --set-upstream origin add_netpols
All checks now pass and branch can be merged into master.
kubectl apply -f release/microservices-netpols.yaml- Run again
kubectl exec frontend-b4df774c5-gpxlt -- wget paymentservice:50051(replace pod-name with the actual name)
The output should look like
Connecting to paymentservice (172.21.109.255:80)
wget: can't connect to remote host (172.21.109.255): Operation timed out
command terminated with exit code 1
This shows that the frontend can no longer connect to the payment-service.
- Clean deployments and services:
kubectl delete -f release/kubernetes-manifests.yaml - Clean network policies:
kubectl delete -f release/microservices-netpols.yaml - Close GitHub PR and delete its branch
- Delete branch locally:
git branch -d add_netpols