Control Virtual Machine Network Requests Through Network Policy
The platform's virtual machine solution is implemented based on the open-source component KubeVirt, which actually runs within Pods. By utilizing the functionality of Network Policies, it is possible to control the incoming and outgoing requests of virtual machines.
TOC
Procedure
-
Enter Container Platform.
-
In the left navigation bar, click Network > Network Policies.
-
Click Create Network Policy.
-
Configure the following parameters as needed.
Parameter Description Association Method - Compute Component: Select the target compute component as needed; it is recommended to select All as the target compute component.
- Label Selector: Match the Pods based on their labels.
Direction - Ingress: Requests sent from the external to the Pod.
- Egress: Requests sent from the Pod to the external; select this option if prohibiting the virtual machine from requesting a certain external address.
Protocol Choose between TCP or UDP.
Note:- When using domain names in the virtual machine to request external services, it is necessary to add a UDP protocol whitelist because DNS protocol uses UDP.
- The form does not support configuring the ICMP protocol; once the whitelist rules are enabled, ICMP protocol will be disabled, which will result in the inability to perform Ping operations.
Access Ports Specify which ports' traffic can be ingress or egress. If this field is left empty, traffic through all ports will be allowed by default.
Note: It is necessary to allow ports 1053 and 53 for both UDP and TCP protocols here to permit DNS traffic egress; otherwise, domain name resolution will fail.Remote Type Specify the allowed remote types for access. Options include: compute component, namespace, and IP segments. Exclude Remote When the remote type is IP Segment, remove the specified IP from the whitelist (i.e., prohibit access). Single IP can be removed when input as IP/32.
Note: This field only supports inputting IPs; if the corresponding IP of a domain name is unclear, use the commandcurl -vvv <domain>to request the domain and obtain the corresponding IP address from the returned information. -
Click Create.
Result Verification
This document verifies the setup using a virtual machine to access www.example.com.
Step One: Create a Virtual Machine and Network Policy Allowing All Traffic Through
-
Create the virtual machine, please refer to Create Virtual Machine for detailed steps.
-
Configure the network policy in the command namespace of the virtual machine, adding whitelist rules for both TCP and UDP protocols, with the following parameters:
-
Whitelist for TCP Protocol:
Parameter Description Association Method Select Compute Component. Target Compute Component Select All. Direction Select Egress. Protocol Select TCP. Remote Type Select IP Segment Remote Enter 0.0.0.0/0, indicating that all traffic is allowed to egress. -
Whitelist Rules for UDP Protocol:
Parameter Description Direction Select Egress. Protocol Select UDP. Remote Type Select IP Segment Remote Enter 0.0.0.0/0, indicating that all traffic is allowed to egress.
-
-
After the network policy is created, log in to the virtual machine and execute the following command to request www.example.com.
-
The request is successful.
Step Two: Update Network Policy to Remove www.example.com from Whitelist
-
Execute the following command to obtain the IP address for www.example.com, resulting in the IP address 93.184.215.14.
-
Update the network policy created in Step One, with the following updated parameters:
Parameter Description Exclude Remote In the TCP protocol whitelist rules, fill in the exclude remote parameter with 93.184.215.14/32, indicating that IP address 93.184.215.14 is removed from the whitelist. -
After updating the network policy, log in to the virtual machine and execute the following command to request www.example.com.
-
The request times out, indicating that the exclude remote functionality is effective.