Skip to content

Latest commit

 

History

History
128 lines (91 loc) · 4.17 KB

File metadata and controls

128 lines (91 loc) · 4.17 KB

ciliumcon-na-2023-l7-external-api-control

This is the companion repository to the Controlling Access To External APIs With Cilium presentation that was given at CiliumCon NA 2023 held in Chicago, IL.

This repository contains scripts and manifests that will do the following:

  1. Create a Kind cluster with a local registry configured, and cilium and cert-manager already installed
  2. Build a certificate generation docker image and push it to the local registry
  3. Deploy the codeserver workload, alongside an L7 Cilium Network Policy and a certificate generation Job that will generate the terminating and originating TLS certificates for the policy to use

The goal of the repo is to allow you to play around with Cilium and its flexible API and learn a little bit more about how it works, and how you could use it in your organization.

Pre-requisites

You will need the following tools installed in your computer before running the demo:

Usage

The Kind cluster can bootstrapped by running the following task at the root of the repo:

task create-cluster

This will create the Kind cluster, a local container registry, and install cilium and cert-manager in the cluster:

After this is done, you can retrieve the kubeconfig for the cluster using the command

task get-kubeconfig

which will create a kind-cluster.kubeconfig file that you can use to talk to your cluster:

Feel free to play around with this cluster! When you're ready, we'll start to deploy all the resources.

Setup

Generating certificates

Before we can create the workload and deploy the PKI material to the cluster, we need to build the container that will run the certificate generation script. To do this, we'll use the provided task:

task build-certificate-generation

This will build the image using the provided Dockerfile, and push the image to the local container registry that our cluster is connected to.

This script will create an interception certificate that is valid for the github.com domain, although additional Subject Alternate Names (SANs) can be added by modifying the environment variables on the Job itself.

Inspecting the Network Policy

By default, the certificates and the workloads are deployed in the students namespace. By inspecting the so-github-access policy, you can see how it targets our codeserver workloads, how it only allows access to the superorbital organization in GitHub, and how it uses the originating and terminating certificates in the same namespace. For more information on the L7 network policies and all its features, see: https://docs.cilium.io/en/latest/security/policy/language/#l7-policy

Installing workloads

Finally, we can deploy the certificates, the policies and the codeserver instance with the provided task command:

task install

You can port-forward the codeserver instance to your local computer by a simple kubectl command:

kubectl --kubeconfig kind-cluster.kubeconfig port-forward -n students service/codeserver-lramirez 8443:8443

Which will make the codeserver UI available at http://localhost:8443/ -- try to access that URL using your favorite browser!

Then finally, try to clone any repo that's not in the superorbital organization and watch it be rejected:

Cleanup

The workloads, certificates and policy can be removed by running:

task uninstall

To clean up the cluster and the local registry:

task cleanup-cluster