https://github.com/mycloudlab/network-policy-demo-apps
This repository is a demonstration of the functionalities of kubernetes network policies together with egress network policy (open vSwitch).
- Host: GitHub
- URL: https://github.com/mycloudlab/network-policy-demo-apps
- Owner: mycloudlab
- License: apache-2.0
- Created: 2018-04-17T13:44:20.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2018-04-26T01:52:26.000Z (about 8 years ago)
- Last Synced: 2025-09-13T21:24:05.810Z (9 months ago)
- Topics: microsegmentation, networkpolicy, openshift, ovs
- Language: TypeScript
- Homepage: https://mycloudlab.github.io
- Size: 106 KB
- Stars: 4
- Watchers: 2
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# network-policy-demo-apps
This repository is a demonstration of the functionalities of Kubernetes network policies together with egress network policy (Open vSwitch).
It is composed of 2 applications:
* struts-netpol-demo: a Struts application that demonstrates the need for network security. This application contains a known security vulnerability, [CVE-2013-2251](http://cvedetails.com/cve/cve-2013-2251).
* microservices: an application composed of 5 microservices:
  * app-angular-network-policy-demo-ui: the user interface
  * app-node-bff-web: a backend for frontend that aggregates the calls
  * app-random-value: only returns a random value
  * app-node-twitter-reader: returns tweets for a given search
  * app-node-get-time-server: reads the date of the ntp.br server via the HTTP Date header
For simplicity we use one Dockerfile per project to build the projects. Pre-built images already exist on hub.docker.com.
Important: to correctly test the functionality shown below, a server with OpenShift 3.9+ installed with the option **os_sdn_network_plugin_name='redhat/openshift-ovs-networkpolicy'** is required.
This recipe does not support **oc cluster up**.
## deploy on openshift
```bash
# create microservices project
oc new-project net-pol-ms-demo
# deploy random-value app
oc new-app --name=random-value --docker-image=mycloudlab/net-pol-demo-random-value
# deploy time-server app
oc new-app --name=time-server --docker-image=mycloudlab/net-pol-demo-time-server
# deploy twitter-reader app (fill in your Twitter API credentials below)
oc new-app --name=twitter-reader --docker-image=mycloudlab/net-pol-demo-twitter-reader \
-e TWITTER_CONSUMER_KEY= \
-e TWITTER_CONSUMER_SECRET= \
-e TWITTER_ACCESS_TOKEN_KEY= \
-e TWITTER_ACCESS_TOKEN_SECRET=
# deploy bff-web app
oc new-app --name=bff-web --docker-image=mycloudlab/net-pol-demo-bff-web \
-e TWEETS_SERVICE_URL=http://twitter-reader:3000 \
-e RANDOM_SERVICE_URL=http://random-value:8000 \
-e DATETIME_SERVICE_URL=http://time-server:3000
# deploy angular ui
oc new-app --name=ui --docker-image=mycloudlab/net-pol-demo-ui \
-e BFF_URL=http://bff-web:3000
# expose ui
oc expose service ui
# create new struts project
oc new-project struts-legacy-demo
# deploy vulnerable struts app (CVE-2013-2251)
oc new-app --name=netpol-struts-demo --docker-image=mycloudlab/net-pol-demo-struts-app
# expose app
oc expose service netpol-struts-demo
```
## network policies
Before applying network policies, add a label to the default namespace (requires cluster admin):
```bash
oc label namespace default name=default
```
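The label just added is what a NetworkPolicy uses to let the OpenShift router (which runs in the `default` namespace) reach pods once ingress is denied by default. The following is an added example, not a manifest from this repository: it goes beyond the deny-all policy this section starts with and segments the `net-pol-ms-demo` namespace along the call graph of the deploy step (router -> ui -> bff-web -> backends), then adds an OpenShift OVS `EgressNetworkPolicy` for the namespace. It assumes that pods carry the `app=<name>` label that `oc new-app --name=<name>` applies, that the container ports match the service URLs used in the deploy step (8000 for random-value, 3000 for the others), and that the Twitter API host is `api.twitter.com` (the repository does not state it).

```yaml
# Added example (not from the repository). Assumed: pods are labelled
# app=<name> by `oc new-app --name=<name>`; ports follow the service URLs
# from the deploy step; the router lives in the namespace labelled name=default.
---
# 1. Default deny: selects every pod in the namespace and allows no ingress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: net-pol-ms-demo
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# 2. Only the router (default namespace, label name=default) may reach the ui.
#    Without this rule the route created by `oc expose service ui` stops working.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-router-to-ui
  namespace: net-pol-ms-demo
spec:
  podSelector:
    matchLabels:
      app: ui
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: default
---
# 3. Only the ui may call bff-web, and only on port 3000 (BFF_URL).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ui-to-bff-web
  namespace: net-pol-ms-demo
spec:
  podSelector:
    matchLabels:
      app: bff-web
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: ui
    ports:
    - protocol: TCP
      port: 3000
---
# 4. Only bff-web may call the three backends (the *_SERVICE_URL targets).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-bff-web-to-backends
  namespace: net-pol-ms-demo
spec:
  podSelector:
    matchExpressions:
    - key: app
      operator: In
      values: [random-value, time-server, twitter-reader]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: bff-web
    ports:
    - protocol: TCP
      port: 8000   # random-value
    - protocol: TCP
      port: 3000   # time-server, twitter-reader
---
# 5. OVS egress policy (one per namespace, rules evaluated in order): pods may
#    leave the cluster only for the hosts their function needs; all other
#    external destinations are denied. Intra-cluster traffic is unaffected.
apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: default
  namespace: net-pol-ms-demo
spec:
  egress:
  - type: Allow
    to:
      dnsName: ntp.br            # time-server reads the HTTP Date header here
  - type: Allow
    to:
      dnsName: api.twitter.com   # assumed host for twitter-reader
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
```

Apply it with `oc create -n net-pol-ms-demo -f <file>`. Two checks are worth doing after applying: the ui route still answers (policy 2 is in place), and `oc rsh` into the struts pod in `struts-legacy-demo` can no longer reach `random-value:8000` or `bff-web:3000`, since nothing in that namespace matches any `from` selector above. With the `redhat/openshift-ovs-networkpolicy` plugin a namespace with no NetworkPolicy is fully open, so policy 1 must exist before the allow rules mean anything; the egress policy is a separate OpenShift resource and does not replace `policyTypes: [Egress]` on a NetworkPolicy, which controls pod-to-pod traffic rather than traffic leaving the cluster.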
```bash
# deny all ingress traffic for all pods
oc create -n net-pol-ms-demo -f - <