We define the Windows and Linux deployments by running the following command.
```bash
cat << EOF > ~/environment/windows/sample-deployments.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: windows
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        securityContext:
          privileged: true
      nodeSelector:
        beta.kubernetes.io/os: linux
EOF
```
We can now deploy those pods in our cluster.
```bash
kubectl apply -f ~/environment/windows/sample-deployments.yaml
```
Verify that the pods are in ‘Running’ state.
```bash
kubectl get pods -o wide --watch -n windows
```
Test ping connectivity between pods
We start by verifying that there is network connectivity among all pods. Inside each pod, ping the IPs of the other pods. Replace the placeholder below with the pod name that you see in the cluster.
```bash
kubectl -n windows exec -it <nginx-pod-name> -- /bin/bash
```
Now ping the IP of the Windows pod
Output: (Note: Control + C to stop the ping test):
```
root@nginx-deployment-54b55f86cd-7x6jm:/# ping 192.168.18.152
PING 192.168.18.152 (192.168.18.152): 48 data bytes
56 bytes from 192.168.18.152: icmp_seq=0 ttl=127 time=1.480 ms
56 bytes from 192.168.18.152: icmp_seq=1 ttl=127 time=1.599 ms
56 bytes from 192.168.18.152: icmp_seq=2 ttl=127 time=1.481 ms
56 bytes from 192.168.18.152: icmp_seq=3 ttl=127 time=6.054 ms
^C--- 192.168.18.152 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.480/2.654/6.054/1.964 ms
```
Now exit the Nginx pod by typing “exit” and pressing enter.
Similarly, ‘exec’ into one of the Windows pods as well. Replace the placeholder below with the pod name that you see in the cluster.
```bash
kubectl -n windows exec -it <windows-pod-name> -- powershell
```
Now ping the IP of the Nginx pod.
```
PS C:\> ping 192.168.177.232

Pinging 192.168.177.232 with 32 bytes of data:
Reply from 192.168.177.232: bytes=32 time=1ms TTL=254
Reply from 192.168.177.232: bytes=32 time=1ms TTL=254
Reply from 192.168.177.232: bytes=32 time=8ms TTL=254
Reply from 192.168.177.232: bytes=32 time=1ms TTL=254

Ping statistics for 192.168.177.232:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 8ms, Average = 2ms
PS C:\> exit
```
Exit the Windows pod by typing “exit” and pressing enter.
Now that we have established basic connectivity across pods, let’s enforce a network policy to restrict ping connectivity.
We could use kubectl to apply the network policies, but Calico has a CLI that offers policy validation and will protect the cluster from malformed policies.
Install the calicoctl pod and create an alias to access this functionality.
```bash
kubectl apply -f https://docs.projectcalico.org/archive/v3.15/manifests/calicoctl.yaml
alias calicoctl="kubectl exec -i -n kube-system calicoctl -- /calicoctl"
```
Create and apply the network policy specification to deny ping traffic to all pods.
```bash
cat << EOF > ~/environment/windows/deny_icmp.yaml
---
kind: GlobalNetworkPolicy
apiVersion: projectcalico.org/v3
metadata:
  name: block-icmp
spec:
  order: 200
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Deny
    protocol: ICMP
  - action: Deny
    protocol: ICMPv6
  egress:
  - action: Deny
    protocol: ICMP
  - action: Deny
    protocol: ICMPv6
EOF
calicoctl apply -f - < ~/environment/windows/deny_icmp.yaml
```
Now we will test ping connectivity between pods just like we did above.
We can exec into the Nginx pod, and when we try to ping the Windows pod we will see 100% packet loss.
```bash
kubectl -n windows exec -it <nginx-pod-name> -- /bin/bash
```
Now ping the IP of the Windows pod.
As you can see, we are no longer able to ping the Windows pod. Exit the Nginx pod by typing “exit” and pressing enter.
If you want, you can also exec into the Windows pod, where you will likewise be blocked from pinging the Nginx pod.
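The before/after ping checks above are done by hand. As an added example (not part of the workshop), the helper below parses both the Linux and the Windows ping statistics lines shown in this walkthrough and reports whether the deny-ICMP policy is actually enforced (100% loss), so the check can be scripted. The sample outputs are constructed, and `ping_command` builds a non-interactive variant of the `kubectl exec` commands used above (pod names are placeholders).

```python
import re

# Constructed samples, modelled on the ping transcripts in the walkthrough
# (Linux nginx pod and Windows pod), before and after applying block-icmp.
LINUX_PING_BEFORE = """PING 192.168.18.152 (192.168.18.152): 48 data bytes
56 bytes from 192.168.18.152: icmp_seq=0 ttl=127 time=1.480 ms
--- 192.168.18.152 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
"""
LINUX_PING_AFTER = """PING 192.168.18.152 (192.168.18.152): 48 data bytes
--- 192.168.18.152 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
"""
WINDOWS_PING_BEFORE = """Pinging 192.168.177.232 with 32 bytes of data:
Reply from 192.168.177.232: bytes=32 time=1ms TTL=254
Ping statistics for 192.168.177.232:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""
WINDOWS_PING_AFTER = """Pinging 192.168.177.232 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.177.232:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""

# busybox/macOS say "4 packets received", iputils says "4 received".
_LINUX_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")
_WINDOWS_RE = re.compile(r"Sent = (\d+), Received = (\d+)")


def parse_ping(output: str) -> tuple[int, int]:
    """Return (sent, received) from a Linux or Windows ping transcript."""
    for pattern in (_LINUX_RE, _WINDOWS_RE):
        m = pattern.search(output)
        if m:
            return int(m.group(1)), int(m.group(2))
    raise ValueError("no ping statistics line found")


def loss_percent(output: str) -> float:
    sent, received = parse_ping(output)
    if sent == 0:
        raise ValueError("no probes were sent")
    return 100.0 * (sent - received) / sent


def icmp_blocked(output: str) -> bool:
    """True only if every probe was lost, i.e. the deny-ICMP policy took effect."""
    return loss_percent(output) == 100.0


def ping_command(pod: str, target_ip: str, windows: bool, namespace: str = "windows") -> list[str]:
    """Non-interactive kubectl exec that sends four probes, for use with subprocess.run."""
    inner = ["powershell", "-Command", f"ping -n 4 {target_ip}"] if windows \
        else ["/bin/bash", "-c", f"ping -c 4 {target_ip}"]
    return ["kubectl", "-n", namespace, "exec", pod, "--", *inner]
```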
That is it! You have configured your Windows worker nodes with open source Calico for Windows and tested them using network policies.