= Kubernetes - Enforcing Network Security Policies with Weave Net :toc: https://www.weave.works/docs/net/latest/kubernetes/kube-addon/[Weave Net] provides a program called the Weave NPC (network policy controller). The NPC runs once on every host, and routes the traffic according to the rules set up in the YAML file. Weave Net does this by talking to IPtables which is a feature of Linux. At the top level forward chain, a rule is injected that checks whether a WEAVE-NPC policy applies, and if it doesn’t, then the packet is dropped. If is does, and if there is an established connection, then the packet is accepted. Only packets with newly opened connections are checked. Therefore, if the packet is already on an established connection, it is accepted, and the other chains are checked. IPtables rules are updated when the policy’s ‘ipsets’ are changed on every coming and going pod. Weave begins with the source address on the network, which goes over a linux bridge. In the course of traversing that bridge, the connection is checked against the IPtables rules. This exercise will walk you through configuring Weave Net and applying a Network Policy. == Prerequisites In order to perform exercises in this chapter, you’ll need to deploy configurations to a 3 master, 5 worker kops-created cluster created with the following command-line: kops create cluster \ --name example2.cluster.k8s.local \ --master-count 3 \ --node-count 5 \ --zones ${AWS_AVAILABILITY_ZONES} \ --networking weave \ --yes This command-line implements the `--networking weave` option, which tells the cluster to use Weave Net instead of the default networking provided by kubenet. Note, the name here is `example2.cluster.k8s.local` instead of the usual `example.cluster.k8s.local` name. This is just to make sure, in case, the two clusters can coexist. To check the network configuration is using Weave Net, view the cluster configuration using the following command: kops edit cluster example2.cluster.k8s.local This will show the following fragment under `.spec`: networking: weave: {} Quit the edit without making any changes; this step was just to check. This chapter also uses some files from the repo; please `cd` into `network-policies/weavenet` to use them. === Update Weave Net to 2.1.3 in kops 1.7.x kops 1.7.x comes with Weave Net 2.0.5 out-of-the-box which does not support the latest network-policy updates for kubernetes 1.7. In order to make this work, we need to update Weave Net via: ``` $ kubectl apply -f templates/weavenet-update.yaml clusterrole "weave-net" configured serviceaccount "weave-net" unchanged clusterrolebinding "weave-net" configured role "weave-net" created rolebinding "weave-net" created daemonset "weave-net" configured ``` After this, wait for the Weave Net pods to be updated via: ``` $ kubectl rollout status ds/weave-net -n kube-system Waiting for rollout to finish: 0 out of 8 new pods have been updated... Waiting for rollout to finish: 1 out of 8 new pods have been updated... [...] Waiting for rollout to finish: 7 of 8 updated pods are available... daemon set "weave-net" successfully rolled out ```