I tried applying a Cilium network policy in the environment below.
Both curl GET and POST requests went through. Now I apply a policy so that only POST is allowed through.
This is the policy I ran previously in the post below (the YAML converted to JSON).
policy.json
```json
[
  {
    "labels": [{"key": "name", "value": "Only POST"}],
    "endpointSelector": {"matchLabels": {"name": "app2"}},
    "ingress": [
      {
        "fromEndpoints": [
          {"matchLabels": {"name": "app1"}}
        ],
        "toPorts": [
          {
            "ports": [{"port": "80", "protocol": "TCP"}],
            "rules": {
              "http": [{"method": "POST"}]
            }
          }
        ]
      }
    ]
  }
]
```
Running the commands
```
$ docker cp policy.json cilium:/home/cilium
$ docker exec -it cilium cilium policy import /home/cilium/policy.json
Revision: 2
$ docker exec -it cilium cilium policy get
[
  {
    "endpointSelector": {
      "matchLabels": {
        "any:name": "app2"
      }
    },
    "ingress": [
      {
        "fromEndpoints": [
          {
            "matchLabels": {
              "any:name": "app1"
            }
          }
        ],
        "toPorts": [
          {
            "ports": [
              {
                "port": "80",
                "protocol": "TCP"
              }
            ],
            "rules": {
              "http": [
                {
                  "method": "POST"
                }
              ]
            }
          }
        ]
      }
    ],
    "labels": [
      {
        "key": "name",
        "value": "Only POST",
        "source": ""
      }
    ]
  }
]
Revision: 2
$ docker exec -it cilium cilium policy help
Manage security policies

Usage:
  cilium policy [command]

Available Commands:
  delete      Delete policy rules
  get         Display policy node information
  import      Import security policy in JSON format
  selectors   Display cached information about selectors
  validate    Validate a policy
  wait        Wait for all endpoints to have updated to a given policy revision

Flags:
  -h, --help   help for policy

Global Flags:
      --config string   Config file (default is $HOME/.cilium.yaml)
  -D, --debug           Enable debug messages
  -H, --host string     URI to server-side API

Use "cilium policy [command] --help" for more information about a command.
```
GET requests were denied, as intended.
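To make the allow/deny decision above reproducible without a running agent, here is a small policy evaluator. It is an added example, not code from the original post and not Cilium's own implementation; it models the ingress semantics the rule relies on (an endpoint selected by any rule becomes default-deny for ingress, and a request then needs a matching fromEndpoints, toPorts and, where HTTP rules exist, a matching method) and only evaluates the `method` field of L7 rules. The embedded policy is a constructed copy of the page's `policy.json` written the way `cilium policy get` echoes it back, with the `any:` label-source prefix; the label-lookup helper at the end shows the key/value pair a delete-by-label has to name.

```python
import json

# Constructed copy of the post's policy.json, written the way `cilium policy get`
# echoes it back (label keys carry the "any:" source prefix). Not Cilium's code.
POLICY_JSON = r'''
[
  {
    "labels": [{"key": "name", "value": "Only POST"}],
    "endpointSelector": {"matchLabels": {"any:name": "app2"}},
    "ingress": [
      {
        "fromEndpoints": [{"matchLabels": {"any:name": "app1"}}],
        "toPorts": [
          {
            "ports": [{"port": "80", "protocol": "TCP"}],
            "rules": {"http": [{"method": "POST"}]}
          }
        ]
      }
    ]
  }
]
'''


def load_policy(text):
    """Parse a Cilium policy document (a JSON array of rules)."""
    return json.loads(text)


def strip_source(key):
    """Drop the label source prefix Cilium adds ("any:name" -> "name")."""
    return key.split(":", 1)[1] if ":" in key else key


def selector_matches(selector, labels):
    """matchLabels semantics: every selector label must be present with that value."""
    wanted = {strip_source(k): v for k, v in selector.get("matchLabels", {}).items()}
    return all(labels.get(k) == v for k, v in wanted.items())


def port_matches(to_port, port, proto):
    """True if one of the toPorts entries covers this port/protocol."""
    for p in to_port.get("ports", []):
        if int(p["port"]) == port and p.get("protocol", "ANY").upper() in ("ANY", proto.upper()):
            return True
    return False


def ingress_allowed(policy, src_labels, dst_labels, port, proto, method=None):
    """Decide whether an ingress request is allowed. Returns (allowed, reason).

    Simplified model (an assumption of this example, not Cilium's engine): once any
    rule's endpointSelector selects the destination, the endpoint is default-deny for
    ingress and needs an explicit fromEndpoints/toPorts (and L7) match. Only the HTTP
    "method" field of L7 rules is checked here.
    """
    selected = False
    last_reason = "endpoint is selected by a rule but nothing matched: default deny"
    for rule in policy:
        if not selector_matches(rule["endpointSelector"], dst_labels):
            continue
        selected = True
        for ing in rule.get("ingress", []):
            from_eps = ing.get("fromEndpoints", [])
            if from_eps and not any(selector_matches(s, src_labels) for s in from_eps):
                continue
            to_ports = ing.get("toPorts", [])
            if not to_ports:
                return True, "L3 allow (rule has no toPorts)"
            for tp in to_ports:
                if not port_matches(tp, port, proto):
                    continue
                http_rules = tp.get("rules", {}).get("http")
                if not http_rules:
                    return True, "L4 allow on %s/%d" % (proto, port)
                methods = [h.get("method", "*") for h in http_rules]
                if method is not None and any(m == "*" or m.upper() == method.upper() for m in methods):
                    return True, "L7 allow: %s on %s/%d" % (method, proto, port)
                last_reason = "L7 deny: %s not in %s" % (method, methods)
    if not selected:
        return True, "no rule selects the endpoint: default allow"
    return False, last_reason


def rules_with_label(policy, key, value):
    """Rules carrying a given label; a delete-by-label must name this key/value pair."""
    return [
        r for r in policy
        if any(l["key"] == key and l["value"] == value for l in r.get("labels", []))
    ]


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    app1, app2 = {"name": "app1"}, {"name": "app2"}
    for m in ("GET", "POST"):
        print(m, ingress_allowed(policy, app1, app2, 80, "TCP", m))
    print("rules labelled name=Only POST:", len(rules_with_label(policy, "name", "Only POST")))
```

Running it prints an L7 deny for GET and an L7 allow for POST from app1 to app2:80/TCP, which is the behaviour the curl test showed; a POST from an endpoint that is not app1, or to a port other than 80, is denied because app2 is selected by the rule and nothing else admits the traffic, while an endpoint no rule selects stays default-allow.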
Deleting the policy
```
$ docker exec -it cilium cilium policy delete "Only POST"
Error: Cannot delete policy: [DELETE /policy][500] deletePolicyFailure policy not found
$ docker exec -it cilium cilium policy delete --all
Revision: 3
```
Deleting the rule individually did not work, but I confirmed that things were back to the state before the policy was applied. The individual delete most likely failed because `cilium policy delete` selects rules by label, and the rule was imported with the label key `name` and value `Only POST` (as the `cilium policy get` output shows), whereas the bare argument `"Only POST"` does not name that key/value pair; `--all` sidesteps the label match and removed everything, bumping the revision to 3.