{"id":18319629,"url":"https://github.com/mycloudlab/network-policy-demo-apps","last_synced_at":"2026-03-17T22:10:05.582Z","repository":{"id":95758027,"uuid":"129911002","full_name":"mycloudlab/network-policy-demo-apps","owner":"mycloudlab","description":"This repository is a demonstration of the functionalities of kubernetes network policies together with egress network policy (open vSwitch).","archived":false,"fork":false,"pushed_at":"2018-04-26T01:52:26.000Z","size":109,"stargazers_count":4,"open_issues_count":0,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-09-13T21:24:05.810Z","etag":null,"topics":["microsegmentation","networkpolicy","openshift","ovs"],"latest_commit_sha":null,"homepage":"https://mycloudlab.github.io","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mycloudlab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-04-17T13:44:20.000Z","updated_at":"2025-09-11T23:23:15.000Z","dependencies_parsed_at":"2023-05-21T23:00:26.810Z","dependency_job_id":null,"html_url":"https://github.com/mycloudlab/network-policy-demo-apps","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mycloudlab/network-policy-demo-apps","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mycloudlab%2Fnetwork-policy-demo-apps","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mycloudlab%2Fnetwork-policy-demo-apps/tags","releases_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/mycloudlab%2Fnetwork-policy-demo-apps/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mycloudlab%2Fnetwork-policy-demo-apps/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mycloudlab","download_url":"https://codeload.github.com/mycloudlab/network-policy-demo-apps/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mycloudlab%2Fnetwork-policy-demo-apps/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30633240,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-17T17:32:55.572Z","status":"ssl_error","status_checked_at":"2026-03-17T17:32:38.732Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["microsegmentation","networkpolicy","openshift","ovs"],"created_at":"2024-11-05T18:13:48.514Z","updated_at":"2026-03-17T22:10:05.567Z","avatar_url":"https://github.com/mycloudlab.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# network-policy-demo-apps\n\nThis repository is a demonstration of the functionality of Kubernetes network policies together with the egress network policy (Open vSwitch).\n\nIt is composed of 2 applications:\n\n* struts-netpol-demo: a Struts application that demonstrates the need for network security. 
This application contains a known security vulnerability [CVE-2013-2251](http://cvedetails.com/cve/cve-2013-2251).\n\n* microservices: an application composed of 5 microservices: app-angular-network-policy-demo-ui (user interface); app-node-bff-web, a backend for frontend that aggregates the calls; app-random-value, which only returns a random value; app-node-twitter-reader, which reads tweets from a supplied search; and app-node-get-time-server, which reads the date of the server ntp.br via the Date header (HTTP).\n\nFor simplicity, we use one Dockerfile per project to build the projects. Pre-built images already exist on hub.docker.com.\n\nImportant: To test the functionality shown below correctly, a server with OpenShift 3.9+ installed with the option **os_sdn_network_plugin_name='redhat/openshift-ovs-networkpolicy'** is required.\n\nThis recipe does not support **oc cluster up**.\n\n## deploy on openshift\n\n```bash\n# create microservices project\noc new-project net-pol-ms-demo\n\n# deploy random-value app\noc new-app --name=random-value --docker-image=mycloudlab/net-pol-demo-random-value\n\n# deploy time-server app\noc new-app --name=time-server --docker-image=mycloudlab/net-pol-demo-time-server\n\n# deploy twitter-reader app\noc new-app --name=twitter-reader --docker-image=mycloudlab/net-pol-demo-twitter-reader \\\n-e TWITTER_CONSUMER_KEY=\u003cyour twitter consumer key\u003e \\\n-e TWITTER_CONSUMER_SECRET=\u003cyour twitter consumer secret\u003e \\\n-e TWITTER_ACCESS_TOKEN_KEY=\u003cyour twitter access token key\u003e \\\n-e TWITTER_ACCESS_TOKEN_SECRET=\u003cyour twitter token secret\u003e \n\n# deploy bff-web app\noc new-app --name=bff-web --docker-image=mycloudlab/net-pol-demo-bff-web  \\\n-e TWEETS_SERVICE_URL=http://twitter-reader:3000 \\\n-e RANDOM_SERVICE_URL=http://random-value:8000 \\\n-e DATETIME_SERVICE_URL=http://time-server:3000 \n\n# deploy angular ui\noc new-app --name=ui --docker-image=mycloudlab/net-pol-demo-ui  \\\n-e 
BFF_URL=http://bff-web:3000 \n\n# expose ui\noc expose service ui \n\n\n# create new struts project\noc new-project struts-legacy-demo\n\n# deploy vulnerable struts app (CVE-2013-2251)\noc new-app --name=netpol-struts-demo --docker-image=mycloudlab/net-pol-demo-struts-app\n\n# expose app\noc expose service netpol-struts-demo \n```\n\n\n## network policies\n\nBefore applying the network policies, add a label to the default namespace (requires admin).\n\n```bash\noc label namespace default name=default\n```\n\n\n```bash\n# deny all ingress traffic for all pods\noc create -n net-pol-ms-demo -f - \u003c\u003cEOF\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n  name: default-deny-all\nspec:\n  podSelector: {}\n  ingress: []\nEOF\n\n# allow openshift default namespace to ui port 4200, for router communication \noc create -n net-pol-ms-demo -f - \u003c\u003cEOF\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n  name: allow-router-to-ui\nspec:\n  podSelector:\n    matchLabels:\n      app: ui\n  ingress:\n  - from:\n    - namespaceSelector:\n        matchLabels:\n          name: default\n    ports:\n    - protocol: TCP\n      port: 4200\nEOF\n\n# allow ui to bff on port 3000\noc create -n net-pol-ms-demo -f - \u003c\u003cEOF\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n  name: allow-ui-to-bff-web\nspec:\n  podSelector:\n    matchLabels:\n      app: bff-web\n  ingress:\n  - from:\n    - podSelector: \n        matchLabels:\n          app: ui\n    ports:\n    - port: 3000 \n      protocol: TCP\nEOF\n\n# allow bff-web to random-value on port 8000\noc create -n net-pol-ms-demo -f - \u003c\u003cEOF\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n  name: allow-bff-web-to-random-value\nspec:\n  podSelector:\n    matchLabels:\n      app: random-value\n  ingress:\n  - from:\n    - podSelector: \n        matchLabels:\n          app: bff-web\n    ports:\n    - port:  8000\n      protocol: TCP\nEOF\n\n# allow bff to 
time-server on port 3000\noc create -n net-pol-ms-demo -f - \u003c\u003cEOF\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n  name: allow-bff-web-to-time-server\nspec:\n  podSelector:\n    matchLabels:\n      app: time-server\n  ingress:\n  - from:\n    - podSelector: \n        matchLabels:\n          app: bff-web\n    ports:\n    - port:  3000\n      protocol: TCP\nEOF\n\n# allow bff to twitter-reader on port 3000\noc create -n net-pol-ms-demo -f - \u003c\u003cEOF\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n  name: allow-bff-web-to-twitter-reader\nspec:\n  podSelector:\n    matchLabels:\n      app: twitter-reader\n  ingress:\n  - from:\n    - podSelector: \n        matchLabels:\n          app: bff-web\n    ports:\n    - port:  3000\n      protocol: TCP\nEOF\n```\n\n\n## egress network policy (open vSwitch)\n\n```bash\n# create egress policy\noc create -n net-pol-ms-demo -f - \u003c\u003cEOF\napiVersion: network.openshift.io/v1\nkind: EgressNetworkPolicy\nmetadata:\n  name: default\nspec:\n  egress:\n    - to:\n        dnsName: ntp.br\n      type: Allow\n    - to:\n        dnsName: api.twitter.com\n      type: Allow\n    - to:\n        dnsName: twitter.com\n      type: Allow\n    - to:\n        cidrSelector: 0.0.0.0/0\n      type: Deny\nEOF\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmycloudlab%2Fnetwork-policy-demo-apps","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmycloudlab%2Fnetwork-policy-demo-apps","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmycloudlab%2Fnetwork-policy-demo-apps/lists"}