Use Case k8s Allowed Network Policy - GoogleCloudPlatform/anthos-appconfig GitHub Wiki

Use Case - k8s - Allowed-Network-Policy

  • Namespace: uc-allowed-services-k8s

Creates Network Policies

gsutil cat \
  gs://anthos-appconfig_public/deploy/${RELEASE_NAME}/examples/use-cases/uc-allowed-services-k8s/deploy-apps.yaml \
| kubectl apply -f -

Allowed traffic (caller -> destinations it may reach):

Dev Service -> All
Svc 1 -> Svc 4, Pubsub
Svc 2 -> Svc 1, Svc 4
Svc 3 -> No One
Svc 4 -> Svc 2, Svc 3
External Access via NAT (open)
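The "Svc 2 -> Svc 1, Svc 4" row written out as a plain Kubernetes NetworkPolicy, added here as an illustration; it is not the manifest the anthos-appconfig controller generates from its own config. The pod labels (app: hello-app-sm-py-N), the kube-dns labels and the 10.0.0.0/8 cluster range are assumptions.

```yaml
# Added example (not from the anthos-appconfig project): egress policy for Svc 2.
# Pod labels, kube-dns labels and the cluster CIDR below are assumed values.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: svc-2-egress
  namespace: uc-allowed-services-k8s
spec:
  podSelector:
    matchLabels:
      app: hello-app-sm-py-2          # assumed label on the Svc 2 pods
  policyTypes:
  - Egress                            # selecting Egress makes everything not listed below denied
  egress:
  # Svc 1 and Svc 4 in the same namespace; Svc 3 is deliberately absent
  - to:
    - podSelector:
        matchLabels:
          app: hello-app-sm-py-1      # assumed label on the Svc 1 pods
    - podSelector:
        matchLabels:
          app: hello-app-sm-py-4      # assumed label on the Svc 4 pods
  # DNS to kube-dns in any namespace, otherwise service names cannot be resolved
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns           # assumed kube-dns label
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # "External Access via NAT (open)": any address outside the cluster ranges
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8                  # assumed pod + service CIDR of the cluster
```

The except list must cover the cluster's pod and service ranges; if it does not, the external rule silently readmits in-cluster destinations such as Svc 3 and the "Should NOT Work" test below passes when it ought to fail.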

Svc 2 -> Svc 1 -> Outbound Should Work

curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-allowed-k8s-appconfigv2-service-sm-2.uc-allowed-services-k8s/testcallseq&call2=http://app-allowed-k8s-appconfigv2-service-sm-1/testcallseq&call3=https://httpbin.org/get"

Response (successful)

host:hello-app-drv-py-1-5c7cdd4947-f75q9
host:hello-app-sm-py-2-5985c555b9-p9qn7
host:hello-app-sm-py-1-ccdf6958c-mb7bw
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
    "Host": "httpbin.org",
    "User-Agent": "python-requests/2.22.0"
  },
  "origin": "35.184.53.199, 35.184.53.199",
  "url": "https://httpbin.org/get"
}

Svc 2 -> Svc 3 -> Outbound Should NOT Work

curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-allowed-k8s-appconfigv2-service-sm-2.uc-allowed-services-k8s/testcallseq&call2=http://app-allowed-k8s-appconfigv2-service-sm-3/testcallseq&call3=https://httpbin.org/get"

Response (partial)

host:hello-app-drv-py-1-5c7cdd4947-f75q9
host:hello-app-sm-py-2-7f85cb7bd5-mt4mg
*Error*-Happened - Making the request-url[http://app-allowed-k8s-appconfigv2-service-sm-2.uc-allowed-services-k8s/testcallseq?call2=http%3A%2F%2Fuc-app-allowed-k8s-appconfigv2-service-sm-3%2Ftestcallseq&call3=https%3A%2F%2Fhttpbin.org%2Fget]
Traceback (most recent call last):

...