├── README.md └── gettingstarted ├── .images ├── 01-backend-ingress-deny.png ├── 02-backend-ingress-allow-frontend.png ├── 03-all-pods-allow-within-namespace.png ├── 04-backend-ingress-allow-monitoring-namespace.png ├── 05-backend-ingress-allow-monitoring-app.png ├── 06-frontend-egress-deny.png ├── 07-frontend-egress-allow-to-backend.png ├── 08-all-pods-egress-allow-dns.png ├── demo-app.png ├── ingress_egress.png ├── networkpolicy.png ├── resources.png └── stateful.png ├── 00-setup.md ├── 01-backend-ingress-deny.md ├── 01-backend-ingress-deny.yaml ├── 02-backend-ingress-allow-frontend.md ├── 02-backend-ingress-allow-frontend.yaml ├── 03-all-pods-allow-within-namespace.md ├── 03-all-pods-allow-within-namespace.yaml ├── 04-backend-ingress-allow-monitoring-namespace.md ├── 04-backend-ingress-allow-monitoring-namespace.yaml ├── 05-backend-ingress-allow-monitoring-app.md ├── 05-backend-ingress-allow-monitoring-app.yaml ├── 06-frontend-egress-deny.md ├── 06-frontend-egress-deny.yaml ├── 07-frontend-egress-allow-to-backend.md ├── 07-frontend-egress-allow-to-backend.yaml ├── 08-all-pods-egress-allow-dns.md ├── 08-all-pods-egress-allow-dns.yaml ├── README.md ├── demo-app.yaml └── monitoring-app.yaml /README.md: -------------------------------------------------------------------------------- 1 | # NetworkPolicy Examples 2 | 3 | Open repository for all NetworkPolicy examples of all kinds. See 4 | [gettingstarted/](gettingstarted/) for the preferred format of adding examples. 
5 | 6 | -------------------------------------------------------------------------------- /gettingstarted/.images/01-backend-ingress-deny.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/01-backend-ingress-deny.png -------------------------------------------------------------------------------- /gettingstarted/.images/02-backend-ingress-allow-frontend.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/02-backend-ingress-allow-frontend.png -------------------------------------------------------------------------------- /gettingstarted/.images/03-all-pods-allow-within-namespace.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/03-all-pods-allow-within-namespace.png -------------------------------------------------------------------------------- /gettingstarted/.images/04-backend-ingress-allow-monitoring-namespace.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/04-backend-ingress-allow-monitoring-namespace.png -------------------------------------------------------------------------------- /gettingstarted/.images/05-backend-ingress-allow-monitoring-app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/05-backend-ingress-allow-monitoring-app.png 
-------------------------------------------------------------------------------- /gettingstarted/.images/06-frontend-egress-deny.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/06-frontend-egress-deny.png -------------------------------------------------------------------------------- /gettingstarted/.images/07-frontend-egress-allow-to-backend.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/07-frontend-egress-allow-to-backend.png -------------------------------------------------------------------------------- /gettingstarted/.images/08-all-pods-egress-allow-dns.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/08-all-pods-egress-allow-dns.png -------------------------------------------------------------------------------- /gettingstarted/.images/demo-app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/demo-app.png -------------------------------------------------------------------------------- /gettingstarted/.images/ingress_egress.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/ingress_egress.png -------------------------------------------------------------------------------- /gettingstarted/.images/networkpolicy.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/networkpolicy.png -------------------------------------------------------------------------------- /gettingstarted/.images/resources.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/resources.png -------------------------------------------------------------------------------- /gettingstarted/.images/stateful.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/networkpolicy/examples/1e6eaea37de535db46e44bc8356388f84fd3cdb4/gettingstarted/.images/stateful.png -------------------------------------------------------------------------------- /gettingstarted/00-setup.md: -------------------------------------------------------------------------------- 1 | # Setup 2 | 3 | ## Create a Kubernetes Cluster 4 | 5 | ### GKE 6 | 7 | export CLUSTER_NAME=test-$(whoami)-$RANDOM 8 | export CLUSTER_ZONE=us-west2-a 9 | gcloud container clusters create $CLUSTER_NAME --image-type COS --num-nodes 2 --machine-type n1-standard-4 --zone $CLUSTER_ZONE 10 | gcloud container clusters get-credentials $CLUSTER_NAME --zone $CLUSTER_ZONE 11 | 12 | ### minikube 13 | 14 | minikube start --network-plugin=cni 15 | 16 | ## Install CNI with NetworkPolicy capability 17 | 18 | ### Cilium 19 | 20 | #### Darwin 21 | 22 | curl -LO https://github.com/cilium/cilium-cli/releases/download/v0.4/cilium-darwin-amd64.tar.gz 23 | tar xzvf cilium-darwin-amd64.tar.gz 24 | sudo mv cilium /usr/local/bin 25 | cilium install 26 | cilium status 27 | 28 | #### Linux 29 | 30 | curl -LO https://github.com/cilium/cilium-cli/releases/download/v0.4/cilium-linux-amd64.tar.gz 31 | tar xzvf 
cilium-linux-amd64.tar.gz 32 | sudo mv cilium /usr/local/bin 33 | cilium install 34 | cilium status 35 | 36 | 37 | ## Deploy Demo App 38 | 39 | Create the following demo-app in your Kubernetes cluster. The examples will assume that you deploy the demo app into the `default` namespace but you can of course use any namespace and adjust the examples accordingly. 40 | ``` bash 41 | kubectl create -f demo-app.yaml 42 | ``` 43 | 44 | ![](.images/demo-app.png) 45 | 46 | Validate that you have `frontend` and `backend` pods running: 47 | ``` bash 48 | kubectl get pods,svc 49 | NAME READY STATUS RESTARTS AGE 50 | pod/backend-69d87c4548-kx4sz 1/1 Running 0 8m18s 51 | pod/frontend-6864ff68cc-7r2fc 1/1 Running 0 8m18s 52 | 53 | NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE 54 | service/backend ClusterIP 10.100.105.40 8080/TCP 8m19s 55 | ``` 56 | 57 | In order to simplify execution of commands in the pods, store the pod names in shell variables: 58 | 59 | ``` bash 60 | FRONTEND=$(kubectl get pods -l app=frontend -o json | jq -r '.items[0].metadata.name') 61 | BACKEND=$(kubectl get pods -l app=backend -o json | jq -r '.items[0].metadata.name') 62 | ``` 63 | 64 | Finally, validate that the `frontend` pod can talk to the `backend` pod: 65 | 66 | ``` bash 67 | kubectl exec -ti $FRONTEND -- curl -I backend:8080 | head -1 68 | HTTP/1.1 200 OK 69 | ``` 70 | -------------------------------------------------------------------------------- /gettingstarted/01-backend-ingress-deny.md: -------------------------------------------------------------------------------- 1 | # Ingress Default Deny 2 | 3 | ![](.images/01-backend-ingress-deny.png) 4 | 5 | ``` yaml 6 | kind: NetworkPolicy 7 | apiVersion: networking.k8s.io/v1 8 | metadata: 9 | name: backend-ingress-deny 10 | spec: 11 | podSelector: 12 | matchLabels: 13 | app: backend 14 | policyTypes: 15 | - Ingress 16 | ``` 17 | [*View in the Policy 
Editor*](https://editor.cilium.io/?policy-url=https://raw.githubusercontent.com/networkpolicy/examples/master/gettingstarted/01-backend-ingress-deny.yaml) 18 | 19 | ### Try this policy 20 | 21 | Create this policy in your [cluster running the demo app](00-setup.md): 22 | 23 | ``` bash 24 | kubectl create -f 01-backend-ingress-deny.yaml 25 | ``` 26 | 27 | A connection from `frontend` to `backend` will now time out: 28 | 29 | ``` bash 30 | kubectl exec -ti $FRONTEND -- curl -I --connect-timeout 5 backend:8080 31 | curl: (28) Connection timed out after 5001 milliseconds 32 | command terminated with exit code 28 33 | ``` 34 | 35 | However, the policy only lists `Ingress` under `policyTypes`, so egress is unaffected and the `backend` can still reach kubernetes.io: 36 | 37 | ``` bash 38 | kubectl exec -ti $BACKEND -- curl -I kubernetes.io | head -1 39 | HTTP/1.1 301 Moved Permanently 40 | ``` 41 | -------------------------------------------------------------------------------- /gettingstarted/01-backend-ingress-deny.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: backend-ingress-deny 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app: backend 9 | policyTypes: 10 | - Ingress 11 | -------------------------------------------------------------------------------- /gettingstarted/02-backend-ingress-allow-frontend.md: -------------------------------------------------------------------------------- 1 | # Allow Pod to Pod Ingress 2 | 3 | ![](.images/02-backend-ingress-allow-frontend.png) 4 | 5 | ``` yaml 6 | kind: NetworkPolicy 7 | apiVersion: networking.k8s.io/v1 8 | metadata: 9 | name: backend-ingress-allow-frontend 10 | spec: 11 | podSelector: 12 | matchLabels: 13 | app: backend 14 | ingress: 15 | - from: 16 | - podSelector: 17 | matchLabels: 18 | app: frontend 19 | ``` 20 | 21 | Create the above policy in your cluster: 22 | 23 | ``` bash 24 | kubectl create -f 02-backend-ingress-allow-frontend.yaml 25 | ``` 26 | 27 | A connection 
from `frontend` to `backend` will now succeed: 28 | ``` bash 29 | kubectl exec -ti $FRONTEND -- curl -I backend:8080 | head -1 30 | HTTP/1.1 200 OK 31 | ``` 32 | -------------------------------------------------------------------------------- /gettingstarted/02-backend-ingress-allow-frontend.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: backend-ingress-allow-frontend 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app: backend 9 | ingress: 10 | - from: 11 | - podSelector: 12 | matchLabels: 13 | app: frontend 14 | -------------------------------------------------------------------------------- /gettingstarted/03-all-pods-allow-within-namespace.md: -------------------------------------------------------------------------------- 1 | # Allow Ingress within Namespace 2 | 3 | ![](.images/03-all-pods-allow-within-namespace.png) 4 | 5 | ```yaml 6 | apiVersion: networking.k8s.io/v1 7 | kind: NetworkPolicy 8 | metadata: 9 | name: all-pods-ingress-allow-within-namespace 10 | spec: 11 | podSelector: {} 12 | ingress: 13 | - from: 14 | - podSelector: {} 15 | ``` 16 | 17 | 18 | Create the above policy in your cluster: 19 | ``` bash 20 | kubectl create -f 03-all-pods-allow-within-namespace.yaml 21 | ``` 22 | 23 | 24 | A connection from `frontend` running in the same namespace as `backend` will now succeed: 25 | ``` bash 26 | kubectl exec -ti $FRONTEND -- curl -I backend:8080 | head -1 27 | HTTP/1.1 200 OK 28 | ``` 29 | -------------------------------------------------------------------------------- /gettingstarted/03-all-pods-allow-within-namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: all-pods-ingress-allow-within-namespace 5 | spec: 6 | podSelector: {} 7 | ingress: 8 | - from: 9 | - podSelector: {} 10 | 
-------------------------------------------------------------------------------- /gettingstarted/04-backend-ingress-allow-monitoring-namespace.md: -------------------------------------------------------------------------------- 1 | # Allow Ingress across Namespaces 2 | 3 | ![](.images/04-backend-ingress-allow-monitoring-namespace.png) 4 | 5 | ``` yaml 6 | apiVersion: networking.k8s.io/v1 7 | kind: NetworkPolicy 8 | metadata: 9 | name: backend-ingress-allow-other-namespace 10 | spec: 11 | podSelector: 12 | matchLabels: 13 | app: backend 14 | ingress: 15 | - from: 16 | - namespaceSelector: 17 | matchLabels: 18 | type: monitoring 19 | ``` 20 | 21 | Create the policy in your cluster: 22 | ``` 23 | kubectl create -f 04-backend-ingress-allow-monitoring-namespace.yaml 24 | ``` 25 | 26 | 27 | Any pod in a namespace with the label `type=monitoring` can now access `backend`; the namespace label is what grants access, so the ability to label namespaces should be restricted accordingly: 28 | 29 | ``` bash 30 | kubectl create namespace monitoring 31 | kubectl label namespace monitoring type=monitoring 32 | kubectl -n monitoring create -f monitoring-app.yaml 33 | MONITORING=$(kubectl -n monitoring get pods -l app=monitoring -o json | jq -r '.items[0].metadata.name') 34 | ``` 35 | 36 | 37 | ``` bash 38 | kubectl -n monitoring exec -ti $MONITORING -- curl -I backend.default.svc.cluster.local:8080 | head -1 39 | HTTP/1.1 200 OK 40 | ``` 41 | -------------------------------------------------------------------------------- /gettingstarted/04-backend-ingress-allow-monitoring-namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: backend-ingress-allow-monitoring-namespace 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app: backend 9 | ingress: 10 | - from: 11 | - namespaceSelector: 12 | matchLabels: 13 | type: monitoring 14 | -------------------------------------------------------------------------------- /gettingstarted/05-backend-ingress-allow-monitoring-app.md: 
-------------------------------------------------------------------------------- 1 | # Allow specific Pods from other Namespaces 2 | 3 | ![](.images/05-backend-ingress-allow-monitoring-app.png) 4 | 5 | ``` yaml 6 | apiVersion: networking.k8s.io/v1 7 | kind: NetworkPolicy 8 | metadata: 9 | name: backend-ingress-allow-monitoring-namespace 10 | spec: 11 | podSelector: 12 | matchLabels: 13 | app: backend 14 | ingress: 15 | - from: 16 | - namespaceSelector: 17 | matchLabels: 18 | type: monitoring 19 | podSelector: 20 | matchLabels: 21 | app: monitoring 22 | ``` 23 | 24 | Create the policy in your cluster: 25 | 26 | ``` bash 27 | kubectl create -f 05-backend-ingress-allow-monitoring-app.yaml 28 | ``` 29 | 30 | 31 | Because `namespaceSelector` and `podSelector` sit in the same `from` entry, both must match; written as two separate list items (each with its own leading `-`) they would be ORed and allow far more traffic. A pod with label `app=monitoring` in a namespace with the label `type=monitoring` can now access `backend`: 32 | 33 | ``` bash 34 | kubectl create namespace monitoring 35 | kubectl label namespace monitoring type=monitoring 36 | kubectl -n monitoring create -f monitoring-app.yaml 37 | MONITORING=$(kubectl -n monitoring get pods -l app=monitoring -o json | jq -r '.items[0].metadata.name') 38 | ``` 39 | 40 | ``` bash 41 | kubectl -n monitoring exec -ti $MONITORING -- curl -I backend.default.svc.cluster.local:8080 | head -1 42 | HTTP/1.1 200 OK 43 | ``` 44 | 45 | -------------------------------------------------------------------------------- /gettingstarted/05-backend-ingress-allow-monitoring-app.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: backend-ingress-allow-monitoring-app 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app: backend 9 | ingress: 10 | - from: 11 | - namespaceSelector: 12 | matchLabels: 13 | type: monitoring 14 | podSelector: 15 | matchLabels: 16 | app: monitoring 17 | -------------------------------------------------------------------------------- /gettingstarted/06-frontend-egress-deny.md: 
-------------------------------------------------------------------------------- 1 | # Egress Default Deny 2 | 3 | ![](.images/06-frontend-egress-deny.png) 4 | 5 | ```yaml 6 | kind: NetworkPolicy 7 | apiVersion: networking.k8s.io/v1 8 | metadata: 9 | name: frontend-egress-deny 10 | spec: 11 | podSelector: 12 | matchLabels: 13 | app: frontend 14 | policyTypes: 15 | - Egress 16 | ``` 17 | 18 | Create the egress default deny policy and validate that the `frontend` pod can't reach the `backend` pod anymore: 19 | ``` bash 20 | kubectl create -f 06-frontend-egress-deny.yaml 21 | ``` 22 | 23 | Test that `frontend` cannot reach `backend`; the request already fails at name resolution, because the default deny also blocks DNS egress: 24 | ``` bash 25 | kubectl exec -ti $FRONTEND -- curl -I --connect-timeout 5 backend:8080 | head -1 26 | curl: (28) Resolving timed out after 5000 milliseconds 27 | command terminated with exit code 28 28 | ``` 29 | -------------------------------------------------------------------------------- /gettingstarted/06-frontend-egress-deny.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: frontend-egress-deny 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app: frontend 9 | policyTypes: 10 | - Egress 11 | -------------------------------------------------------------------------------- /gettingstarted/07-frontend-egress-allow-to-backend.md: -------------------------------------------------------------------------------- 1 | ## Allow Egress Pod to Pod 2 | 3 | ![](.images/07-frontend-egress-allow-to-backend.png) 4 | 5 | ```yaml 6 | kind: NetworkPolicy 7 | apiVersion: networking.k8s.io/v1 8 | metadata: 9 | name: frontend-egress-allow-to-backend 10 | spec: 11 | podSelector: 12 | matchLabels: 13 | app: frontend 14 | policyTypes: 15 | - Egress 16 | egress: 17 | - to: 18 | - podSelector: 19 | matchLabels: 20 | app: backend 21 | ``` 22 | 23 | **Note:** This policy alone is insufficient to allow pod-to-pod traffic. 
You also need to allow DNS, see [08-all-pods-egress-allow-dns](08-all-pods-egress-allow-dns.md) 24 | 25 | Create the policy in your cluster: 26 | 27 | ``` bash 28 | kubectl create -f 07-frontend-egress-allow-to-backend.yaml 29 | ``` 30 | 31 | 32 | With DNS egress also allowed, the `frontend` pod can now talk to a `backend` pod in the same namespace: 33 | ```bash 34 | kubectl exec -ti $FRONTEND -- curl -I backend:8080 | head -1 35 | HTTP/1.1 200 OK 36 | ``` 37 | -------------------------------------------------------------------------------- /gettingstarted/07-frontend-egress-allow-to-backend.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: frontend-egress-allow-to-backend 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app: frontend 9 | policyTypes: 10 | - Egress 11 | egress: 12 | - to: 13 | - podSelector: 14 | matchLabels: 15 | app: backend 16 | -------------------------------------------------------------------------------- /gettingstarted/08-all-pods-egress-allow-dns.md: -------------------------------------------------------------------------------- 1 | # Allow Kubernetes DNS 2 | 3 | ![](.images/08-all-pods-egress-allow-dns.png) 4 | 5 | ```yaml 6 | kind: NetworkPolicy 7 | apiVersion: networking.k8s.io/v1 8 | metadata: 9 | name: all-pods-egress-allow-dns 10 | spec: 11 | podSelector: {} 12 | policyTypes: 13 | - Egress 14 | egress: 15 | - to: 16 | - namespaceSelector: 17 | matchLabels: 18 | contains: coredns 19 | podSelector: 20 | matchLabels: 21 | k8s-app: kube-dns 22 | ``` 23 | 24 | As CoreDNS is running in a different namespace, the policy has to include both a `namespaceSelector` and a `podSelector`. In order to remain flexible, the namespace is selected with a label `contains: coredns`, which you will have to add to the namespace in which CoreDNS is running. 
If CoreDNS is ever moved to a different namespace, setting the label on the namespace will be sufficient and the policy won't break. Note that the egress rule lists no `ports`, so it allows traffic to the selected DNS pods on every port, not only the DNS port; add a `ports` section if you want to limit it to DNS. 25 | 26 | 1. Add the `contains: coredns` label to the `kube-system` namespace: 27 | 28 | ```bash 29 | kubectl label namespace kube-system contains=coredns 30 | ``` 31 | 32 | 2. Create the policy `all-pods-egress-allow-dns`: 33 | 34 | ```bash 35 | kubectl create -f 08-all-pods-egress-allow-dns.yaml 36 | ``` 37 | 38 | 3. Validate that the `frontend` pod can now perform DNS lookups and reach the `backend` pod: 39 | 40 | ```bash 41 | kubectl exec -ti $FRONTEND -- curl -I backend:8080 | head -1 42 | HTTP/1.1 200 OK 43 | ``` 44 | -------------------------------------------------------------------------------- /gettingstarted/08-all-pods-egress-allow-dns.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: all-pods-egress-allow-dns 5 | spec: 6 | podSelector: {} 7 | policyTypes: 8 | - Egress 9 | egress: 10 | - to: 11 | - namespaceSelector: 12 | matchLabels: 13 | contains: coredns 14 | podSelector: 15 | matchLabels: 16 | k8s-app: kube-dns 17 | -------------------------------------------------------------------------------- /gettingstarted/README.md: -------------------------------------------------------------------------------- 1 | # Getting Started with NetworkPolicy - Examples 2 | 3 | This directory contains basic NetworkPolicy examples to get started. 
Pick any 4 | of the following examples: 5 | 6 | ## Ingress 7 | 8 | * [Ingress Default Deny](01-backend-ingress-deny.md) 9 | * [Allow Ingress Pod to Pod](02-backend-ingress-allow-frontend.md) 10 | * [Allow Ingress within Namespace](03-all-pods-allow-within-namespace.md) 11 | * [Allow Ingress across Namespaces](04-backend-ingress-allow-monitoring-namespace.md) 12 | * [Allow Ingress from specific pods across Namespaces](05-backend-ingress-allow-monitoring-app.md) 13 | 14 | ## Egress 15 | 16 | * [Egress Default Deny](06-frontend-egress-deny.md) 17 | * [Allow Egress Pod to Pod](07-frontend-egress-allow-to-backend.md) 18 | * [Allow Kubernetes DNS](08-all-pods-egress-allow-dns.md) 19 | 20 | -------------------------------------------------------------------------------- /gettingstarted/demo-app.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: frontend 6 | labels: 7 | app: frontend 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: frontend 13 | template: 14 | metadata: 15 | labels: 16 | app: frontend 17 | spec: 18 | containers: 19 | - name: frontend-container 20 | image: docker.io/byrnedo/alpine-curl:0.1.8 21 | imagePullPolicy: IfNotPresent 22 | command: [ "/bin/ash", "-c", "sleep 1000000000" ] 23 | --- 24 | apiVersion: apps/v1 25 | kind: Deployment 26 | metadata: 27 | name: backend 28 | labels: 29 | app: backend 30 | spec: 31 | replicas: 1 32 | selector: 33 | matchLabels: 34 | app: backend 35 | template: 36 | metadata: 37 | labels: 38 | app: backend 39 | spec: 40 | containers: 41 | - name: backend-container 42 | env: 43 | - name: PORT 44 | value: "8080" 45 | ports: 46 | - containerPort: 8080 47 | image: docker.io/cilium/json-mock:1.2 48 | imagePullPolicy: IfNotPresent 49 | --- 50 | apiVersion: v1 51 | kind: Service 52 | metadata: 53 | name: backend 54 | labels: 55 | app: backend 56 | spec: 57 | type: ClusterIP 58 | selector: 59 | app: 
backend 60 | ports: 61 | - name: http 62 | port: 8080 63 | -------------------------------------------------------------------------------- /gettingstarted/monitoring-app.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: monitoring 6 | labels: 7 | app: monitoring 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: monitoring 13 | template: 14 | metadata: 15 | labels: 16 | app: monitoring 17 | spec: 18 | containers: 19 | - name: frontend-container 20 | image: docker.io/byrnedo/alpine-curl:0.1.8 21 | imagePullPolicy: IfNotPresent 22 | command: [ "/bin/ash", "-c", "sleep 1000000000" ] 23 | --------------------------------------------------------------------------------