diff --git a/README.md b/README.md index 4cc814b4a7..04041eac2f 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ This repository contains container networking services and plugins for Linux and * [Azure CNI network and IPAM plugins](docs/cni.md) for Kubernetes. * [Azure CNM (libnetwork) network and IPAM plugins](docs/cnm.md) for Docker Engine. **(MAINTENANCE MODE)** -* [Azure NPM - Kubernetes Network Policy Manager](docs/npm.md) (Supports only linux for now). +* [Azure NPM - Kubernetes Network Policy Manager](docs/npm.md) (Linux and (preview) Windows Server 2022) The `azure-vnet` network plugins connect containers to your [Azure VNET](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview), to take advantage of Azure SDN capabilities. The `azure-vnet-ipam` IPAM plugins provide address management functionality for container IP addresses allocated from Azure VNET address space. diff --git a/docs/npm.md b/docs/npm.md index 96d7d8ab62..ab0dfec333 100644 --- a/docs/npm.md +++ b/docs/npm.md @@ -4,20 +4,29 @@ `azure-npm` Network Policy plugin implements the [Kubernetes Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) -The plugin is available on Linux platform. Windows support is planned. +The plugin is available on Linux and (preview) Windows Server 2022. Azure-NPM serves as a distributed firewall for the Kubernetes cluster, and it can be easily controlled by `kubectl`. +## Documentation +1. [Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/en-us/azure/aks/use-network-policies) +2. [Monitor and Visualize Network Configurations with Azure NPM](https://learn.microsoft.com/en-us/azure/virtual-network/kubernetes-network-policies#monitor-and-visualize-network-configurations-with-azure-npm) + ## Install +Specify `--network-policy=azure` when creating an AKS cluster. For more information, see the [Microsoft Docs](https://learn.microsoft.com/en-us/azure/aks/use-network-policies#create-an-aks-cluster-and-enable-network-policy). +### Manual Installation Running the command below will bring up one azure-npm instance on each Kubernetes node. ``` +# linux kubectl apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/deploy/npm/azure-npm.yaml +# windows +kubectl apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/examples/windows/azure-npm.yaml ``` Now you can secure your Kubernetes cluster with Azure-NPM by applying Kubernetes network policies. ## Build - +### Linux `azure-npm` can be built directly from the source code in this repository. ``` make azure-npm @@ -29,16 +38,39 @@ The second command builds the `azure-npm` docker image. The third command builds the `azure-npm` binary and place it in a tar archive. The binaries are placed in the `output` directory. -## Usage +### Windows +``` +$env:ACN_PACKAGE_PATH = "github.com/Azure/azure-container-networking" +$env:NPM_AI_PATH = "$env:ACN_PACKAGE_PATH/npm.aiMetadata" +$env:NPM_AI_ID = "1234abcd-1234-abcd-1234-12345678abcd" +$env:VERSION = "0.0.0" +$env:REPO = "mcr.microsoft.com/azure-npm:" # include colon at end +$env:IMAGE = "$env:REPO$env:VERSION" +docker build ` + -f npm/windows.Dockerfile ` + -t $env:IMAGE ` + --build-arg VERSION=$env:VERSION ` + --build-arg NPM_AI_PATH=$env:NPM_AI_PATH ` + --build-arg NPM_AI_ID=$env:NPM_AI_ID ` + . +docker push $env:IMAGE +echo $env:IMAGE +``` -Microsoft docs has a detailed step by step example on how to use Kubernetes network policy. -1. [Deny all inbound traffic to a pod](https://docs.microsoft.com/en-us/azure/aks/use-network-policies#deny-all-inbound-traffic-to-a-pod) -2. [Allow inbound traffic based on a pod label](https://docs.microsoft.com/en-us/azure/aks/use-network-policies#allow-inbound-traffic-based-on-a-pod-label) -3. [Allow traffic only from within a defined namespace](https://docs.microsoft.com/en-us/azure/aks/use-network-policies#allow-traffic-only-from-within-a-defined-namespace) +## Usage +[Microsoft Docs](https://learn.microsoft.com/en-us/azure/aks/use-network-policies#verify-network-policy-setup) has a detailed step by step example on how to use Kubernetes network policy. ## Troubleshooting - -`azure-npm` translates Kubernetes network policies into a set of `iptables` rules under the hood. When `azure-npm` isn't working as expected, try to **delete all networkpolicies and apply them again**. Also, a good practice is to merge all network policies targeting the same set of pods/labels into one yaml file. This way, operators can keep the minimum number of network policies and makes it easier for operators to troubleshoot. + +### Linux +NPM adds firewall rules via `iptables` and `ipset`. You can examine the configuration on a given node with: +- `kubectl exec -it -n kube-system $npmPod -- iptables -vnL` +- `kubectl exec -it -n kube-system $npmPod -- ipset -L` + +### Windows +NPM adds firewall rules via HNS. You can examine the configuration on a given node with: +- ACLs applied on Pod Endpoints: `kubectl exec -n kube-system $npmWinPod -- Get-HNSEndpoint` +- SetPolicies are like ipsets: `(Get-HNSNetwork | ? Name -Like Azure).Policies`