Advanced Networking and Security

Introduction

With the security audit underway, our VM-based application architecture is becoming more distributed, spanning multiple namespaces, projects, and even different cloud environments. Our VMs and new containerized services need to communicate seamlessly, and we need clear visibility and precise control over network traffic, especially as managing both virtual machines (VMs) and containers makes efficient and secure operation harder to ensure. In this section we will learn how to visualize network traffic flows with the Network Observability Operator, and how to shape and secure our network by implementing Network Policies.

Examining Network Traffic with the Network Observability Operator

<WRITE THIS SECTION>

Configure Network Policies to Manage VM Traffic

In Red Hat OpenShift, administrators can configure Network Policies to further secure their environments and the virtual guests that run there.

In this portion of the lab we are going to configure a virtual machine and then apply a network policy that prevents its egress to the world.

Configure Network Policies to Manage Cluster Egress

In some secure environments network traffic is not allowed to leave the cluster without first passing through a proxy or some other secure gateway. However, many network configurations allow cluster egress by default. In this section of the lab we will configure a network policy that secures our cluster by blocking egress to outside websites.

Confirm Network Egress on Virtual Machines

  1. On the left side navigation menu, click on Virtualization then click VirtualMachines, and select the rhel9-vm1 virtual machine under the vms-aap-day2 project in the center column.

    Figure 1. View VM
  2. Click on the Console tab and use the provided credentials, along with the built-in copy/paste functionality, to authenticate to the VM.

    Figure 2. Login to VM
    You may see a popup that asks you to enable the copy/paste functionality. If prompted, click Allow.
  3. Once you are logged in, execute the following command to start an outward bound ping to Google:

    ping www.google.com
    Figure 3. Ping Google
  4. Press Control+C to stop the ping.

  5. From the left side navigation menu, click on Workloads and then Pods, and then click on the virt-launcher pod that represents the VM rhel9-vm1 to view the pod details.

    Figure 4. Select Pod
    Pod names are randomly generated, so yours will most likely not match the screenshot above.
  6. On the Pod details page, click the Edit option on the Labels section.

    Figure 5. Edit Pod Details
  7. An Edit labels window will appear. Click into the center box, add the label app=network-policy-deny, press the Enter key to commit it, and then click the Save button.

    Figure 6. Edit Pod Labels
  8. Repeat the same process for the rhel9-vm2 virtual machine.

Create the Network Policy

  1. From the left side navigation menu, click on Networking and then click on NetworkPolicies, then click on the Create NetworkPolicy button in the center of the screen.

    Figure 7. Network Policy
  2. In NetworkPolicies fill out the following fields:

    • Policy name: ping-egress-deny

    • Key: app

    • Value: network-policy-deny

    • Deny all egress traffic checkbox: checked

      Figure 8. Configure Network Policy
  3. With the values filled out, you can click the affected pods link under the Pod selector section to show which pods are affected by this policy. Once you are satisfied with your settings, click the Create button.

    Figure 9. Affected Pods
  4. With the policy created, go test it out.
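The policy that the console form above produces, written out as YAML so it can be applied with oc apply -f instead of through the UI, followed by a second variant that goes beyond the lab by permitting only DNS egress. This is an added example, not part of the original lab; it assumes the vms-aap-day2 project from the steps above, and that OpenShift's DNS pods run in the openshift-dns namespace and listen on port 5353.

```yaml
# Added example: the equivalent of the ping-egress-deny policy created in the console.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ping-egress-deny
  namespace: vms-aap-day2
spec:
  # Matches the virt-launcher pods labelled app=network-policy-deny in the earlier steps.
  podSelector:
    matchLabels:
      app: network-policy-deny
  # Listing Egress with no egress rules denies all outbound traffic from the
  # selected pods, including DNS lookups, which is why the ping never resolves.
  policyTypes:
    - Egress
---
# Variant (beyond the lab): deny all egress except DNS, so names still resolve
# while every other outbound connection stays blocked.
# Assumption: OpenShift's CoreDNS pods live in the openshift-dns namespace
# (selected via the kubernetes.io/metadata.name label) and listen on 5353;
# the dns-default Service maps 53 to that pod port, and egress rules are
# evaluated against the pod port. Adjust if your cluster differs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-deny-allow-dns
  namespace: vms-aap-day2
spec:
  podSelector:
    matchLabels:
      app: network-policy-deny
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
```

A label added directly to a virt-launcher pod disappears when the VM restarts and a new launcher pod is created; to make the selector durable, place app=network-policy-deny under spec.template.metadata.labels of the VirtualMachine so every launcher pod inherits it.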

Confirm the Effects of the Network Policy on the VM

  1. Return to the console of the rhel9-vm1 virtual machine to test our policy.

  2. Using the left side navigation menu, click on Virtualization, then VirtualMachines, and select rhel9-vm1 from the center column.

  3. Click the Console tab of the VM; you should still be logged in from before.

  4. Copy and paste the following syntax to test out the new Network Policy:

    ping www.google.com
    Figure 10. Egress Blocked
  5. Egress from the cluster is completely blocked, including DNS lookups.

  6. Once you have completed this exercise, return to Networking and NetworkPolicies and delete the ping-egress-deny policy using the three-dot menu on the right, confirming the deletion in the popup box.

    Figure 11. Delete Policy

Configure Network Policies to Manage VM Traffic Between Projects

<WRITE THIS SECTION>

Summary

In this section we learned how to use the Network Observability Operator to scan our cluster and visualize traffic patterns in and out. We then learned how to create and apply a simple network policy to block egress traffic from a virtual machine to a public website, and as an advanced example we learned to shape traffic between virtual guests and projects on the same cluster. Overall, Network Policies are quite robust and allow you to implement microsegmentation, shaping traffic flow both inside and outside your cluster, and between virtual guests in different or even the same OpenShift project.