How to test network policies from all nodes in the cluster in one go

Julio Santana
Oct 31, 2021

When you need to connect a Kubernetes deployment to an external machine outside the cluster, several steps are usually required. On one hand, you need to correctly configure Network Policies for the pods created by the deployment. Then you might need to configure physical access from the machines hosting the cluster to the external resource you are trying to reach (open ports, add ACLs, etc.).

The process can be tricky, and testing it even more so. Luckily, a combination of Kubernetes objects can help us do this, once or as many times as we need.

The idea is to create a DaemonSet, which creates a pod on every available node in the cluster, so if we manage to run a curl from each of these pods, our test is done. To run curl we can use a simple image like curlimages/curl. Here are the steps.

1. Create file daemonSet.yml with the following content

apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: curlacl
  name: curlacl
spec:
  selector:
    matchLabels:
      app: curlacl
  template:
    metadata:
      labels:
        app: curlacl
    spec:
      containers:
      - image: curlimages/curl
        command:
        - sleep
        - "3600"
        name: curl

2. Apply it in the namespace with

kubectl apply -f daemonSet.yml

3. Create a file nw.yml with the network policy for the daemon set, so that its pods have the same level of access as the real pods in the cluster

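# NetworkPolicy is no longer served from extensions/v1beta1 (removed in Kubernetes 1.16)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: curlacl
spec:
  egress:
  - to:
    # any pod in any namespace of the cluster
    - namespaceSelector: {}
    # the external resource under test
    - ipBlock:
        cidr: 10.168.12.18/32
  podSelector:
    matchLabels:
      app: curlacl
  # Ingress is listed with no ingress rules, so all inbound traffic to these pods is denied
  policyTypes:
  - Ingress
  - Egress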

4. Apply it in the namespace with

kubectl apply -f nw.yml

5. This will result in N pods being created (one per node). To test them one by one, you can use the following commands

kubectl exec -i -t pod-n -- sh
curl external-resource.url:3128

6. After finishing, don’t forget to remove the daemonSet (and the pods) and the network policy

kubectl delete daemonset curlacl
kubectl delete networkpolicy curlacl
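
To cover every node in one pass instead of exec-ing into each pod by hand as in step 5, the loop below runs the same curl in every curlacl pod and reports the result per node. It is an added example, not part of the original post; the function name check_all_nodes and the timeout values are assumptions, and it has to run before the cleanup in step 6.

```shell
#!/bin/sh
# Added example (not from the original post): run the connectivity check from
# the curlacl pod on every node and report per-node results.
# Assumes the DaemonSet and NetworkPolicy above are applied in the current
# namespace; the target host:port is supplied by the caller.

# check_all_nodes TARGET
# Prints "OK|FAIL <node> <pod>" per pod (with curl's exit code on failure).
# Exit status: 0 all nodes connect, 1 at least one fails, 2 no pods found.
check_all_nodes() (
    target=$1
    pods=$(kubectl get pods -l app=curlacl -o \
        jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.nodeName}{"\n"}{end}') || exit 2
    [ -n "$pods" ] || { echo "no curlacl pods found" >&2; exit 2; }

    failed=0
    while read -r pod node; do
        [ -n "$pod" ] || continue
        # No -f: any HTTP answer proves the path is open. A silently dropped
        # connection (policy or ACL) surfaces as curl exit 28, a refused port
        # as 7. </dev/null keeps kubectl from consuming the loop's input.
        if kubectl exec "$pod" -- curl -sS -o /dev/null \
            --connect-timeout 5 --max-time 10 "$target" </dev/null 2>/dev/null
        then
            echo "OK   $node $pod"
        else
            echo "FAIL $node $pod (curl exit $?)"
            failed=1
        fi
    done <<EOF
$pods
EOF
    exit "$failed"
)

# Run only when a target is given, e.g.: sh check.sh external-resource.url:3128
if [ "$#" -gt 0 ]; then
    check_all_nodes "$1"
fi
```

A node that shows FAIL while others show OK points at host-level access (firewall or ACL for that machine) rather than the NetworkPolicy, since the policy applies to all curlacl pods equally.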

And that’s all.
