Alauda Container Platform

Control Virtual Machine Network Requests Through Network Policy

The platform's virtual machine solution is implemented based on the open-source component KubeVirt, which actually runs within Pods. By utilizing the functionality of Network Policies, it is possible to control the incoming and outgoing requests of virtual machines.

TOC

ProcedureResult VerificationStep One: Create a Virtual Machine and Network Policy Allowing All Traffic ThroughStep Two: Update Network Policy to Remove www.example.com from Whitelist

Procedure

  1. Enter Container Platform.

  2. In the left navigation bar, click Network > Network Policies.

  3. Click Create Network Policy.

  4. Configure the following parameters as needed.

    ParameterDescription
    Association Method
    • Compute Component: Select the target compute component as needed; it is recommended to select All as the target compute component.
    • Label Selector: Match the Pods based on their labels.
    Direction
    • Ingress: Requests sent from the external to the Pod.
    • Egress: Requests sent from the Pod to the external; select this option if prohibiting the virtual machine from requesting a certain external address.
    ProtocolChoose between TCP or UDP.

    Note:
    • When using domain names in the virtual machine to request external services, it is necessary to add a UDP protocol whitelist because DNS protocol uses UDP.
    • The form does not support configuring the ICMP protocol; once the whitelist rules are enabled, ICMP protocol will be disabled, which will result in the inability to perform Ping operations.
    Access PortsSpecify which ports' traffic can be ingress or egress. If this field is left empty, traffic through all ports will be allowed by default.

    Note: It is necessary to allow ports 1053 and 53 for both UDP and TCP protocols here to permit DNS traffic egress; otherwise, domain name resolution will fail.
    Remote TypeSpecify the allowed remote types for access. Options include: compute component, namespace, and IP segments.
    Exclude RemoteWhen the remote type is IP Segment, remove the specified IP from the whitelist (i.e., prohibit access). Single IP can be removed when input as IP/32.

    Note: This field only supports inputting IPs; if the corresponding IP of a domain name is unclear, use the command curl -vvv <domain> to request the domain and obtain the corresponding IP address from the returned information.

  5. Click Create.

Result Verification

This document verifies the setup using a virtual machine to access www.example.com.

Step One: Create a Virtual Machine and Network Policy Allowing All Traffic Through

  1. Create the virtual machine, please refer to Create Virtual Machine for detailed steps.

  2. Configure the network policy in the command namespace of the virtual machine, adding whitelist rules for both TCP and UDP protocols, with the following parameters:

    • Whitelist for TCP Protocol:

      ParameterDescription
      Association MethodSelect Compute Component.
      Target Compute ComponentSelect All.
      DirectionSelect Egress.
      ProtocolSelect TCP.
      Remote TypeSelect IP Segment
      RemoteEnter 0.0.0.0/0, indicating that all traffic is allowed to egress.

    • Whitelist Rules for UDP Protocol:

      ParameterDescription
      DirectionSelect Egress.
      ProtocolSelect UDP.
      Remote TypeSelect IP Segment
      RemoteEnter 0.0.0.0/0, indicating that all traffic is allowed to egress.

  3. After the network policy is created, log in to the virtual machine and execute the following command to request www.example.com.

    curl www.example.com

  4. The request is successful.

Step Two: Update Network Policy to Remove www.example.com from Whitelist

  1. Execute the following command to obtain the IP address for www.example.com, resulting in the IP address 93.184.215.14.

    curl -vvv www.example.com

  2. Update the network policy created in Step One, with the following updated parameters:

    ParameterDescription
    Exclude RemoteIn the TCP protocol whitelist rules, fill in the exclude remote parameter with 93.184.215.14/32, indicating that IP address 93.184.215.14 is removed from the whitelist.

  3. After updating the network policy, log in to the virtual machine and execute the following command to request www.example.com.

    curl www.example.com

  4. The request times out, indicating that the exclude remote functionality is effective.