Weave Net provides a program called the Weave NPC (network policy controller). The NPC runs once on every host, and routes the traffic according to the rules set up in the YAML file. Weave Net does this by talking to IPtables which is a feature of Linux.
At the top level forward chain, a rule is injected that checks whether a WEAVE-NPC policy applies, and if it doesn’t, then the packet is dropped. If is does, and if there is an established connection, then the packet is accepted. Only packets with newly opened connections are checked. Therefore, if the packet is already on an established connection, it is accepted, and the other chains are checked. IPtables rules are updated when the policy’s ‘ipsets’ are changed on every coming and going pod. Weave begins with the source address on the network, which goes over a linux bridge. In the course of traversing that bridge, the connection is checked against the IPtables rules.
This exercise will walk you through configuring Weave Net and applying a Network Policy.
In order to perform exercises in this chapter, you’ll need to deploy configurations to a 3 master, 5 worker kops-created cluster created with the following command-line:
kops create cluster \
--name example2.cluster.k8s.local \
--master-count 3 \
--node-count 5 \
--zones ${AWS_AVAILABILITY_ZONES} \
--networking weave \
--yes
This command-line implements the --networking weave option, which tells the cluster to use Weave Net instead of the default networking provided by kubenet. Note, the name here is example2.cluster.k8s.local instead of the usual example.cluster.k8s.local name. This is just to make sure, in case, the two clusters can coexist.
To check the network configuration is using Weave Net, view the cluster configuration using the following command:
kops edit cluster example2.cluster.k8s.local
This will show the following fragment under .spec:
networking:
weave: {}
Quit the edit without making any changes; this step was just to check.
This chapter also uses some files from the repo; please cd into network-policies/weavenet to use them.
kops 1.7.x comes with Weave Net 2.0.5 out-of-the-box which does not support the latest network-policy updates for kubernetes 1.7. In order to make this work, we need to update Weave Net via:
$ kubectl apply -f templates/weavenet-update.yaml
clusterrole "weave-net" configured
serviceaccount "weave-net" unchanged
clusterrolebinding "weave-net" configured
role "weave-net" created
rolebinding "weave-net" created
daemonset "weave-net" configuredAfter this, wait for the Weave Net pods to be updated via:
$ kubectl rollout status ds/weave-net -n kube-system
Waiting for rollout to finish: 0 out of 8 new pods have been updated...
Waiting for rollout to finish: 1 out of 8 new pods have been updated...
[...]
Waiting for rollout to finish: 7 of 8 updated pods are available...
daemon set "weave-net" successfully rolled out