[Network Policies Resource Quotas HPA] in an EKS Cluster


K8S ARCHITECTURE

Defining Network Policies

1. ArgoCD Network Policy

  • Purpose: Restrict traffic within the ArgoCD namespace and allow external traffic from a specific CIDR block.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-policy
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app: argocd
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: argocd
    - ipBlock:
        cidr: 10.0.0.0/16
  egress:
  - to:
    - ipBlock:
        cidr: 10.10.0.0/16
  • Ingress: Allows inbound traffic from the ArgoCD namespace and the 10.0.0.0/16 IP range.

  • Egress: Allows outbound traffic to the 10.10.0.0/16 IP range.

2. Backend Network Policy

  • Purpose: Permit traffic from the frontend namespace and allow access to the database.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: spd-be-ns
spec:
  podSelector:
    matchLabels:
      app: spd-be-pod
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: spd-fe-ns
  egress:
  - to:
    - ipBlock:
        cidr: 10.10.0.0/16
    ports:
    - protocol: TCP
      port: 3306
  • Ingress: Allows inbound traffic from the frontend namespace (spd-fe-ns).

  • Egress: Allows outbound traffic to TCP port 3306 (database access) within the 10.10.0.0/16 IP range.

3. Frontend Network Policy

  • Purpose: Allow external access to the frontend service and outbound traffic to the backend namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-policy
  namespace: spd-fe-ns
spec:
  podSelector:
    matchLabels:
      app: spd-fe-pod
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: spd-be-ns
    - ipBlock:
        cidr: 0.0.0.0/0
  • Ingress: Allows inbound traffic from all external sources (0.0.0.0/0).

  • Egress: Allows outbound traffic to the backend namespace (spd-be-ns) and all external destinations.

4. Kafka Network Policy

  • Purpose: Control access to the Kafka cluster and restrict external traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kafka-policy
  namespace: kafka
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: kafka
      app.kubernetes.io/name: kafka
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # from and ports belong to the same rule: a separate rule that lists only
  # ports (no from) would admit every source on those ports
  - from:
    - namespaceSelector:
        matchLabels:
          name: kafka-ui
    - namespaceSelector:
        matchLabels:
          name: amazon-cloudwatch
    ports:
    - port: 9092
      protocol: TCP
    - port: 9094
      protocol: TCP
    - port: 9093
      protocol: TCP
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
  • Ingress: Allows inbound traffic from Kafka UI and Amazon CloudWatch namespaces on specific Kafka ports.

  • Egress: Allows outbound traffic to all external destinations.
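A quick way to review policies like the ones above is to flag rules whose peer list is missing (an ingress rule with `ports` but no `from` admits every source on those ports) or whose ipBlock is 0.0.0.0/0. The linter below is an added example, not part of the original post; the two Kafka policies are constructed Python dicts mirroring the YAML structure, so it runs without a cluster or PyYAML.

```python
# Added example (not from the original post): lint NetworkPolicy rules for
# overly broad peers. Policies are constructed dicts mirroring the YAML.

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def broad_rules(policy):
    """Return human-readable findings for overly permissive rules.

    Ingress: a rule with no `from` matches every source; an ipBlock of
    0.0.0.0/0 does the same explicitly. Egress: same logic for `to`.
    """
    name = f"{policy['metadata']['namespace']}/{policy['metadata']['name']}"
    findings = []
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(policy["spec"].get(direction, [])):
            ports = ",".join(str(p.get("port", "*")) for p in rule.get("ports", [])) or "*"
            peers = rule.get(peer_key)
            if not peers:  # empty or missing peer list == any peer
                findings.append(f"{name} {direction}[{i}]: no '{peer_key}', open to all on ports {ports}")
                continue
            for peer in peers:
                cidr = peer.get("ipBlock", {}).get("cidr")
                if cidr in OPEN_CIDRS:
                    findings.append(f"{name} {direction}[{i}]: ipBlock {cidr} on ports {ports}")
    return findings


# Constructed sample: Kafka ports listed in a second ingress rule without `from`.
KAFKA_SPLIT = {
    "metadata": {"name": "kafka-policy", "namespace": "kafka"},
    "spec": {
        "ingress": [
            {"from": [{"namespaceSelector": {"matchLabels": {"name": "kafka-ui"}}}]},
            {"ports": [{"port": 9092, "protocol": "TCP"}, {"port": 9093, "protocol": "TCP"}]},
        ],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}],
    },
}

# Constructed sample: same intent, `from` and `ports` in one rule, egress scoped to a VPC range.
KAFKA_MERGED = {
    "metadata": {"name": "kafka-policy", "namespace": "kafka"},
    "spec": {
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"name": "kafka-ui"}}}],
            "ports": [{"port": 9092, "protocol": "TCP"}, {"port": 9093, "protocol": "TCP"}],
        }],
        "egress": [{"to": [{"ipBlock": {"cidr": "10.10.0.0/16"}}]}],
    },
}

if __name__ == "__main__":
    for pol in (KAFKA_SPLIT, KAFKA_MERGED):
        print(broad_rules(pol) or ["no findings"])
```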


Defining Resource Quotas and HPA

1. Resource Quota Configuration

  • Purpose: Limit the resources available within each namespace to manage cluster resources efficiently.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: spd-fe-quota
  namespace: spd-fe-ns
spec:
  hard:
    pods: "10"
    requests.cpu: "2"
    requests.memory: "4Gi"
    limits.cpu: "4"
    limits.memory: "8Gi"
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: spd-be-quota
  namespace: spd-be-ns
spec:
  hard:
    pods: "10"
    requests.cpu: "2"
    requests.memory: "4Gi"
    limits.cpu: "4"
    limits.memory: "8Gi"
  • Key Points:

    • Each namespace can run a maximum of 10 Pods.

    • Caps the total CPU and memory that Pods in the namespace may request (requests.cpu, requests.memory) and the total they may be limited to (limits.cpu, limits.memory).

2. Horizontal Pod Autoscaler (HPA) Configuration

  • Purpose: Automatically adjust the number of Pods based on CPU utilization to enhance scalability.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: spd-fe-hpa
  namespace: spd-fe-ns
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: spd-fe-deploy
  minReplicas: 1
  maxReplicas: 5
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: spd-be-hpa
  namespace: spd-be-ns
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: spd-be-deploy
  minReplicas: 1
  maxReplicas: 5
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60
  • Key Points:

    • minReplicas and maxReplicas: Define the minimum and maximum number of Pod replicas.

    • metrics: Triggers scaling based on CPU utilization, targeting an average of 60%.