DEV Community

Joseph D. Marhee

Network Policies with Canal and Flannel on K3s

Flannel is a popular Container Network Interface (CNI) addon for Kubernetes; however, because it is a Layer 3 network focused on transport between hosts rather than on container networking within the host, it does not provide robust support for NetworkPolicy resources. The policy features of another popular CNI, Calico, can be brought to Flannel using Canal.

I won't talk a lot about specific NetworkPolicy objects in this post, but briefly, you would want a NetworkPolicy controller for things like creating policies around access to Ingresses, or to and from port or IP ranges: the sort of concerns you would address with ACLs and security rules on a traditional network, but scriptable and templateable for Kubernetes like any other resource type.

Installing Canal requires applying a single manifest (containing the Calico controller, policy agent, and service accounts). However, because your Pod CIDR may differ from the Calico-expected default of 10.244.0.0/16 (in the case of K3s, it will be 10.42.0.0/24), an environment variable (CALICO_IPV4POOL_CIDR) and its accompanying value must be uncommented and set in the manifest.

You can retrieve your Pod CIDR using:

kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'

and then uncomment that variable and set its value after you download https://docs.projectcalico.org/manifests/canal.yaml.

Or use a CLI tool like sed to modify it while writing the file locally:

curl -s https://docs.projectcalico.org/manifests/canal.yaml | \
sed \
-e 's|            # - name: CALICO_IPV4POOL_CIDR|            - name: CALICO_IPV4POOL_CIDR|g' \
-e "s|            #   value: \"192.168.0.0/16\"|              value: \"$(kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}')\"|g" \
> canal.yaml

and then (or alternatively) manage this manifest however you typically would (in a Helm chart, or by having an automation tool handle the templating for you, etc.).

If you are a K3s user, conveniently, any manifests written to /var/lib/rancher/k3s/server/manifests will be applied automatically, so you can have the above simply write the file for you when provisioning your cluster:

## Writes the modified manifest into the K3s manifests directory; K3s automatically
## applies the contents of /var/lib/rancher/k3s/server/manifests.
## Plain tee (not tee -a) so that re-running this does not append a second copy.
curl -s https://docs.projectcalico.org/manifests/canal.yaml | \
sed \
-e 's|            # - name: CALICO_IPV4POOL_CIDR|            - name: CALICO_IPV4POOL_CIDR|g' \
-e "s|            #   value: \"192.168.0.0/16\"|              value: \"$(kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}')\"|g" | \
tee /var/lib/rancher/k3s/server/manifests/canal.yaml

after your K3s install command, if you'd like, on cluster spin-up.
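As an added example (not from the original post), here is a small POSIX shell helper that applies the same substitution but fails loudly in the two cases the one-liner silently gets wrong: the jsonpath above returns one podCIDR per node on a multi-node cluster, so the value must be a single IPv4 range, and sed exits 0 even when its patterns matched nothing. The function names validate_cidr and patch_canal_cidr are my own, and the 12-space indentation is assumed from the canal.yaml layout the sed expressions above target.

```shell
#!/bin/sh
# Added example: patch CALICO_IPV4POOL_CIDR in a Canal manifest read from stdin.
set -eu

# Accept only a single IPv4 CIDR (digits, dots, slash). A space-separated list
# of per-node ranges, or an empty value, is rejected.
validate_cidr() {
  case "$1" in
    *[!0-9./]*|"") return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Usage: patch_canal_cidr CIDR < canal.yaml > patched.yaml
# Prints the patched manifest. Returns 1 if the CIDR is invalid or if the
# expected commented lines were not found (e.g. the upstream manifest changed),
# so that a half-patched manifest is never written to the K3s manifests dir.
patch_canal_cidr() {
  cidr="$1"
  validate_cidr "$cidr" || { echo "invalid pod CIDR: '$cidr'" >&2; return 1; }
  patched=$(sed \
    -e 's|^            # - name: CALICO_IPV4POOL_CIDR|            - name: CALICO_IPV4POOL_CIDR|' \
    -e "s|^            #   value: \"192.168.0.0/16\"|              value: \"$cidr\"|")
  # sed does not report "no match", so verify both lines are now present.
  printf '%s\n' "$patched" | grep -q '^            - name: CALICO_IPV4POOL_CIDR' \
    || { echo "CALICO_IPV4POOL_CIDR line not found in manifest" >&2; return 1; }
  printf '%s\n' "$patched" | grep -q "^              value: \"$cidr\"" \
    || { echo "CIDR value line not found in manifest" >&2; return 1; }
  printf '%s\n' "$patched"
}
```

On a multi-node cluster, pass the cluster CIDR (K3s' --cluster-cidr, 10.42.0.0/16 by default) rather than one node's podCIDR, then pipe the output to tee as in the snippet above.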

Checking the status of the calico-controllers Deployment will let you know when you are ready to proceed to introduce policy objects:

kubectl get deployments -n kube-system

Examples of common NetworkPolicy usage can be found here.
