Configuring Cilium to limit access to external APIs with L7 Network Policies!
ciliumcon-na-2023-l7-external-api-control

This is the companion repository to the Controlling Access To External APIs With Cilium presentation that was given at CiliumCon NA 2023 held in Chicago, IL.

This repository contains scripts and manifests that will do the following:

  1. Create a Kind cluster with a local registry configured, and cilium and cert-manager already installed
  2. Build a certificate generation docker image and push it to the local registry
  3. Deploy the codeserver workload, alongside an L7 Cilium Network Policy and a certificate generation Job that will generate the terminating and originating TLS certificates for the policy to use

The goal of the repo is to allow you to play around with Cilium and its flexible API and learn a little bit more about how it works, and how you could use it in your organization.

Pre-requisites

You will need the following tools installed on your computer before running the demo:

Usage

The Kind cluster can be bootstrapped by running the following task from the root of the repo:

task create-cluster

This will create the Kind cluster and a local container registry, and install cilium and cert-manager in the cluster.

After this is done, you can retrieve the kubeconfig for the cluster using the command

task get-kubeconfig

which will create a kind-cluster.kubeconfig file that you can use to talk to your cluster.

Feel free to play around with this cluster! When you're ready, we'll start to deploy all the resources.

Setup

Generating certificates

Before we can create the workload and deploy the PKI material to the cluster, we need to build the container that will run the certificate generation script. To do this, we'll use the provided task:

task build-certificate-generation

This will build the image using the provided Dockerfile, and push the image to the local container registry that our cluster is connected to.

This script will create an interception certificate that is valid for the github.com domain; additional Subject Alternative Names (SANs) can be added by modifying the environment variables on the Job itself.

Inspecting the Network Policy

By default, the certificates and the workloads are deployed in the students namespace. By inspecting the so-github-access policy, you can see how it targets our codeserver workloads, how it only allows access to the superorbital organization in GitHub, and how it uses the originating and terminating certificates in the same namespace. For more information on L7 network policies and their features, see: https://docs.cilium.io/en/latest/security/policy/language/#l7-policy
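To make the description above concrete, here is an added example of what a policy of this shape looks like. It is not the repository's own so-github-access manifest: the pod label (app: codeserver), the Secret names and the exact path rules are assumptions based on the paragraph above and on the Cilium TLS interception policy format. The DNS egress rule is included because toFQDNs rules rely on the Cilium DNS proxy observing the workload's lookups.

```yaml
# Added example (not the repository's own so-github-access manifest).
# Assumptions: the codeserver pods carry the label app: codeserver, the
# namespace is "students", and the certificate-generation Job has written
# two Secrets: github-terminating-tls (tls.crt + tls.key for the
# interception certificate valid for github.com) and
# github-originating-tls (ca.crt used by the proxy to verify the real
# github.com when it re-originates the connection).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: so-github-access-example
  namespace: students
spec:
  endpointSelector:
    matchLabels:
      app: codeserver          # assumed label on the codeserver pods
  egress:
  # DNS must be allowed and proxied so that the toFQDNs rule below can
  # learn which IPs github.com resolves to for this workload.
  - toEndpoints:
    - matchLabels:
        io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # HTTPS to github.com only. The TLS session from the pod is terminated
  # at the Cilium proxy with the interception certificate, inspected at
  # L7, and a new TLS session is originated towards GitHub.
  - toFQDNs:
    - matchName: github.com
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
      terminatingTLS:
        secret:
          namespace: students
          name: github-terminating-tls   # assumed Secret name
      originatingTLS:
        secret:
          namespace: students
          name: github-originating-tls   # assumed Secret name
      rules:
        http:
        # Only request paths under the superorbital organization are
        # forwarded. A git clone over HTTPS issues GET .../info/refs and
        # POST .../git-upload-pack, both of which start with
        # /superorbital/ for repositories in that organization.
        - method: GET
          path: "/superorbital/.*"
        - method: POST
          path: "/superorbital/.*"
```

Two things worth checking when adapting this: the workload's trust store must contain the CA that signed the terminating certificate (otherwise git inside the pod rejects the intercepted session as untrusted), and requests that reach github.com but do not match one of the http rules are answered by the proxy with an HTTP 403 rather than silently dropped, which is what you observe when cloning a repository outside the allowed organization.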

Installing workloads

Finally, we can deploy the certificates, the policies and the codeserver instance with the provided task command:

task install

You can port-forward the codeserver instance to your local computer with a single kubectl command:

kubectl --kubeconfig kind-cluster.kubeconfig port-forward -n students service/codeserver-lramirez 8443:8443

This will make the codeserver UI available at http://localhost:8443/ -- try to access that URL using your favorite browser!

Then, finally, try to clone any repo that's not in the superorbital organization and watch the request be rejected.

Cleanup

The workloads, certificates and policy can be removed by running:

task uninstall

To clean up the cluster and the local registry:

task cleanup-cluster
