.. github.com/cilium/cilium@v1.16.2/Documentation/security/gsg_sw_demo.rst

Deploy the Demo Application
===========================

When we have Cilium deployed and ``kube-dns`` operating correctly we can deploy our demo application.

In our Star Wars-inspired example, there are three microservices applications: *deathstar*, *tiefighter*, and *xwing*. The *deathstar* runs an HTTP webservice on port 80, which is exposed as a `Kubernetes Service <https://kubernetes.io/docs/concepts/services-networking/service/>`_ to load-balance requests to *deathstar* across two pod replicas. The *deathstar* service provides landing services to the empire's spaceships so that they can request a landing port. The *tiefighter* pod represents a landing-request client service on a typical empire ship and *xwing* represents a similar service on an alliance ship. They exist so that we can test different security policies for access control to *deathstar* landing services.

**Application Topology for Cilium and Kubernetes**

.. image:: /gettingstarted/images/cilium_http_gsg.png
   :scale: 30 %

The file ``http-sw-app.yaml`` contains a `Kubernetes Deployment <https://kubernetes.io/docs/concepts/workloads/controllers/deployment/>`_ for each of the three services.
Each deployment is identified using the Kubernetes labels (``org=empire, class=deathstar``), (``org=empire, class=tiefighter``),
and (``org=alliance, class=xwing``).
It also includes a deathstar-service, which load-balances traffic to all pods with label (``org=empire, class=deathstar``).

.. parsed-literal::

    $ kubectl create -f \ |SCM_WEB|\/examples/minikube/http-sw-app.yaml
    service/deathstar created
    deployment.apps/deathstar created
    pod/tiefighter created
    pod/xwing created


Kubernetes will deploy the pods and service in the background. Running
``kubectl get pods,svc`` will inform you about the progress of the operation.
Each pod will go through several states until it reaches ``Running`` at which
point the pod is ready.

.. code-block:: shell-session

    $ kubectl get pods,svc
    NAME                             READY   STATUS    RESTARTS   AGE
    pod/deathstar-6fb5694d48-5hmds   1/1     Running   0          107s
    pod/deathstar-6fb5694d48-fhf65   1/1     Running   0          107s
    pod/tiefighter                   1/1     Running   0          107s
    pod/xwing                        1/1     Running   0          107s

    NAME                 TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
    service/deathstar    ClusterIP   10.96.110.8   <none>        80/TCP    107s
    service/kubernetes   ClusterIP   10.96.0.1     <none>        443/TCP   3m53s

Each pod will be represented in Cilium as an :ref:`endpoint` in the local cilium agent.
We can invoke the ``cilium`` tool inside the Cilium pod to list them (in a single-node installation
``kubectl -n kube-system exec ds/cilium -- cilium-dbg endpoint list`` lists them all, but in a
multi-node installation, only the ones running on the same node will be listed):

.. code-block:: shell-session

    $ kubectl -n kube-system get pods -l k8s-app=cilium
    NAME           READY   STATUS    RESTARTS   AGE
    cilium-5ngzd   1/1     Running   0          3m19s

    $ kubectl -n kube-system exec cilium-5ngzd -- cilium-dbg endpoint list
    ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                       IPv6   IPv4         STATUS
               ENFORCEMENT        ENFORCEMENT
    232        Disabled           Disabled          16530      k8s:class=deathstar                                      10.0.0.147   ready
                                                               k8s:io.cilium.k8s.policy.cluster=default
                                                               k8s:io.cilium.k8s.policy.serviceaccount=default
                                                               k8s:io.kubernetes.pod.namespace=default
                                                               k8s:org=empire
    726        Disabled           Disabled          1          reserved:host                                                         ready
    883        Disabled           Disabled          4          reserved:health                                          10.0.0.244   ready
    1634       Disabled           Disabled          51373      k8s:io.cilium.k8s.policy.cluster=default                 10.0.0.118   ready
                                                               k8s:io.cilium.k8s.policy.serviceaccount=coredns
                                                               k8s:io.kubernetes.pod.namespace=kube-system
                                                               k8s:k8s-app=kube-dns
    1673       Disabled           Disabled          31028      k8s:class=tiefighter                                     10.0.0.112   ready
                                                               k8s:io.cilium.k8s.policy.cluster=default
                                                               k8s:io.cilium.k8s.policy.serviceaccount=default
                                                               k8s:io.kubernetes.pod.namespace=default
                                                               k8s:org=empire
    2811       Disabled           Disabled          51373      k8s:io.cilium.k8s.policy.cluster=default                 10.0.0.47    ready
                                                               k8s:io.cilium.k8s.policy.serviceaccount=coredns
                                                               k8s:io.kubernetes.pod.namespace=kube-system
                                                               k8s:k8s-app=kube-dns
    2843       Disabled           Disabled          16530      k8s:class=deathstar                                      10.0.0.89    ready
                                                               k8s:io.cilium.k8s.policy.cluster=default
                                                               k8s:io.cilium.k8s.policy.serviceaccount=default
                                                               k8s:io.kubernetes.pod.namespace=default
                                                               k8s:org=empire
    3184       Disabled           Disabled          22654      k8s:class=xwing                                          10.0.0.30    ready
                                                               k8s:io.cilium.k8s.policy.cluster=default
                                                               k8s:io.cilium.k8s.policy.serviceaccount=default
                                                               k8s:io.kubernetes.pod.namespace=default
                                                               k8s:org=alliance


Both ingress and egress policy enforcement are still disabled on all of these pods because no network
policy that selects any of them has been imported yet.
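Reading the ``POLICY (ingress)`` / ``POLICY (egress)`` columns by eye works for a handful of endpoints, but on a real node the list is long. The script below is an added example (not part of the Cilium documentation or the ``cilium-dbg`` tool) that parses ``cilium-dbg endpoint list`` output and reports every endpoint whose enforcement is ``Disabled`` in both directions, so you can confirm which workloads are still unprotected before and after importing a policy. The ``SAMPLE`` text is a constructed excerpt in the same format as the listing above; the *tiefighter* row has deliberately been given ``Enabled`` ingress enforcement so that the filter has something to exclude.

```shell
#!/bin/sh
# Added example: summarise Cilium endpoint policy-enforcement state.
# Constructed sample in the format printed by `cilium-dbg endpoint list`.
# Rows whose first field is numeric are endpoints; indented rows carry
# additional labels for the endpoint above them.
SAMPLE='ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])   IPv6   IPv4         STATUS
           ENFORCEMENT        ENFORCEMENT
232        Disabled           Disabled          16530      k8s:class=deathstar                  10.0.0.147   ready
                                                           k8s:io.cilium.k8s.policy.cluster=default
                                                           k8s:org=empire
726        Disabled           Disabled          1          reserved:host                                     ready
883        Disabled           Disabled          4          reserved:health                      10.0.0.244   ready
1673       Enabled            Disabled          31028      k8s:class=tiefighter                 10.0.0.112   ready
                                                           k8s:org=empire
3184       Disabled           Disabled          22654      k8s:class=xwing                      10.0.0.30    ready
                                                           k8s:org=alliance'

# Print "ENDPOINT IDENTITY FIRST-LABEL" for every endpoint whose ingress and
# egress enforcement are both Disabled. Reads endpoint-list output on stdin.
unenforced_endpoints() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "Disabled" && $3 == "Disabled" { print $1, $4, $5 }'
}

# Same, restricted to workload pods: the reserved:host and reserved:health
# endpoints are node-level and are not selected by pod network policies.
unenforced_pods() {
    unenforced_endpoints | awk '$3 !~ /^reserved:/'
}

# Stand-alone run against the constructed sample. On a live cluster replace
# the printf with:
#   kubectl -n kube-system exec ds/cilium -- cilium-dbg endpoint list
printf '%s\n' "$SAMPLE" | unenforced_pods
```

Run on the sample this prints the *deathstar* and *xwing* endpoints only; the *tiefighter* row is dropped because its ingress column is not ``Disabled``. In a multi-node cluster, run it once per Cilium agent pod, since each agent lists only the endpoints on its own node, as noted above.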