[Network Policies, Resource Quotas, HPA] in an EKS Cluster
K8S ARCHITECTURE
Defining Network Policies
NetworkPolicy objects are only enforced by a CNI that implements them. On EKS that means either enabling the network policy feature of the Amazon VPC CNI (VPC CNI v1.14 or later) or running a policy engine such as Calico; without one, the API server accepts the manifests below but nothing enforces them. Once a pod is selected by a policy, every connection in the listed policyTypes that no rule permits is dropped, so a policy that restricts Egress must also allow cluster DNS if the pods resolve names.
1. ArgoCD Network Policy
- Purpose: Restrict traffic within the ArgoCD namespace and allow external traffic from a specific CIDR block.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-policy
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app: argocd
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: argocd
        - ipBlock:
            cidr: 10.0.0.0/16
  egress:
    - to:
        - ipBlock:
            cidr: 10.10.0.0/16
```
- Ingress: Allows inbound traffic from pods in the argocd namespace and from the 10.0.0.0/16 range, on every port (the rule has no `ports` list). Because pods on the VPC CNI receive VPC addresses, an `ipBlock` that covers the VPC CIDR admits every pod in that range, not only external hosts.
- Egress: Allows outbound traffic only to 10.10.0.0/16. Argo CD also has to reach the Kubernetes API server, its Git/Helm repositories and cluster DNS (kube-dns, UDP/TCP 53); any of those outside 10.10.0.0/16 needs its own egress rule or syncs will fail.
- Check: the `podSelector` must match labels actually present on the Argo CD pods. The upstream manifests label them with `app.kubernetes.io/part-of: argocd` rather than `app: argocd`, so confirm with `kubectl -n argocd get pods --show-labels`. The `namespaceSelector` assumes the namespace carries a hand-set `name: argocd` label; Kubernetes 1.21+ sets `kubernetes.io/metadata.name` on every namespace automatically, which avoids the manual labeling.
2. Backend Network Policy
- Purpose: Permit traffic from the frontend namespace and allow access to the database.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: spd-be-ns
spec:
  podSelector:
    matchLabels:
      app: spd-be-pod
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: spd-fe-ns
  egress:
    - to:
        - ipBlock:
            cidr: 10.10.0.0/16
      ports:
        - protocol: TCP
          port: 3306
```
- Ingress: Allows inbound traffic from pods in the frontend namespace (spd-fe-ns) on every port.
- Egress: Allows outbound traffic only to TCP port 3306 (database access) within 10.10.0.0/16. Since `Egress` is listed in policyTypes, all other outbound traffic is denied, including DNS: if the database is addressed by hostname (for example an RDS endpoint), add an egress rule to kube-dns on UDP/TCP 53, otherwise connections fail at name resolution before the 3306 rule is ever consulted.
3. Frontend Network Policy
- Purpose: Allow external access to the frontend service and outbound traffic to the backend namespace.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-policy
  namespace: spd-fe-ns
spec:
  podSelector:
    matchLabels:
      app: spd-fe-pod
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: spd-be-ns
        - ipBlock:
            cidr: 0.0.0.0/0
```
- Ingress: Allows inbound traffic from any source (0.0.0.0/0), which is no ingress restriction at all. If the service is only reached through a load balancer, the range can be narrowed to the subnets the load balancer lives in; check which source addresses the pods actually see first, since NLBs can preserve client IPs.
- Egress: Allows outbound traffic to the backend namespace (spd-be-ns) and to every other destination. In most implementations (Calico included) an `ipBlock` matches pod addresses too, so the 0.0.0.0/0 entry already covers spd-be-ns and the policy is effectively allow-all egress; the Kubernetes documentation recommends `ipBlock` only for cluster-external addresses. To permit internet egress while keeping internal hosts off limits, give the `ipBlock` an `except:` list with the VPC CIDR and keep the namespaceSelector for spd-be-ns as the only internal exception.
4. Kafka Network Policy
- Purpose: Control access to the Kafka cluster and restrict external traffic.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kafka-policy
  namespace: kafka
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: kafka
      app.kubernetes.io/name: kafka
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # from and ports belong to the same rule entry: the peers below are admitted
    # only on the listed ports, and the ports are not opened to any other source
    - from:
        - namespaceSelector:
            matchLabels:
              name: kafka-ui
        - namespaceSelector:
            matchLabels:
              name: amazon-cloudwatch
      ports:
        - port: 9092
          protocol: TCP
        - port: 9093
          protocol: TCP
        - port: 9094
          protocol: TCP
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
```
- Ingress: Allows inbound traffic from the Kafka UI and Amazon CloudWatch namespaces on TCP 9092, 9093 and 9094. `from` and `ports` must sit in the same rule entry: a rule that lists `ports` without `from` admits those ports from any source, and a rule with `from` but no `ports` admits the peers on every port. Note also that brokers receive traffic from each other (replication and controller traffic) and from the producer and consumer pods in the application namespaces; those sources are not in this `from` list and will be blocked unless added, for example with a `podSelector` for the brokers themselves.
- Egress: Allows outbound traffic to all destinations, so DNS and inter-broker connections initiated by the brokers are unaffected.
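The three pitfalls above (a `ports` entry separated from its `from`, an `ipBlock` of 0.0.0.0/0, and an Egress policy with no DNS rule) are easy to miss by eye. The linter below is an added example written for this page, not code from the original; it takes policies as Python dicts of the same shape PyYAML would produce, with the Kafka policy reconstructed as it reads with `ports` in a separate rule and the backend policy as shown. The kube-dns rule it appends assumes CoreDNS runs in kube-system with the label `k8s-app=kube-dns`, which is the EKS default.

```python
"""Lint NetworkPolicy objects for the pitfalls called out above.

Added example for this page, not code from the original. Policies are given as
Python dicts with the structure yaml.safe_load() would produce; KAFKA_POLICY and
BACKEND_POLICY are constructed from the page's kafka-policy (with ``ports`` in a
separate rule from ``from``) and backend-policy.
"""
import copy
from typing import Any, Dict, List

Policy = Dict[str, Any]

KAFKA_POLICY: Policy = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "kafka-policy", "namespace": "kafka"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": "kafka"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [
            {"from": [{"namespaceSelector": {"matchLabels": {"name": "kafka-ui"}}},
                      {"namespaceSelector": {"matchLabels": {"name": "amazon-cloudwatch"}}}]},
            {"ports": [{"port": p, "protocol": "TCP"} for p in (9092, 9093, 9094)]},
        ],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}],
    },
}

BACKEND_POLICY: Policy = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "backend-policy", "namespace": "spd-be-ns"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "spd-be-pod"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "spd-fe-ns"}}}]}],
        "egress": [{"to": [{"ipBlock": {"cidr": "10.10.0.0/16"}}],
                    "ports": [{"protocol": "TCP", "port": 3306}]}],
    },
}

# Egress rule that lets the selected pods reach cluster DNS. Assumption: CoreDNS
# runs in kube-system with label k8s-app=kube-dns (the EKS default deployment).
DNS_EGRESS_RULE = {
    "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
    "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
}


def policy_types(spec: Dict[str, Any]) -> List[str]:
    """Apply the API default: Ingress always, Egress only if egress rules are present."""
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])


def allows_dns(egress_rules: List[Dict[str, Any]]) -> bool:
    """True if some egress rule can carry DNS: no port restriction, or port 53 listed."""
    for rule in egress_rules:
        ports = rule.get("ports")
        if ports is None:
            return True
        if any(str(p.get("port")) in ("53", "dns") for p in ports):
            return True
    return False


def lint_policy(policy: Policy) -> List[str]:
    """Return human-readable findings; an empty list means no check fired."""
    spec = policy["spec"]
    name = f"{policy['metadata']['namespace']}/{policy['metadata']['name']}"
    findings: List[str] = []
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        if direction.capitalize() not in policy_types(spec):
            continue  # this direction is not restricted by the policy at all
        for i, rule in enumerate(spec.get(direction) or []):
            where = f"{name} {direction}[{i}]"
            peers, ports = rule.get(peer_key), rule.get("ports")
            if ports and not peers:
                plist = ",".join(str(p.get("port")) for p in ports)
                findings.append(f"{where}: 'ports' without '{peer_key}': {plist} open to ANY source")
            if peers and not ports:
                findings.append(f"{where}: '{peer_key}' without 'ports': every port open to these peers")
            for peer in peers or []:
                ipb = peer.get("ipBlock") or {}
                if ipb.get("cidr") == "0.0.0.0/0" and not ipb.get("except"):
                    findings.append(f"{where}: ipBlock 0.0.0.0/0 without 'except' restricts nothing")
                labels = (peer.get("namespaceSelector") or {}).get("matchLabels") or {}
                if "name" in labels:
                    findings.append(f"{where}: namespaceSelector relies on a hand-set 'name' label; "
                                    f"kubernetes.io/metadata.name={labels['name']} is set automatically")
    if "Egress" in policy_types(spec) and not allows_dns(spec.get("egress") or []):
        findings.append(f"{name}: egress is restricted but no rule allows DNS (port 53)")
    return findings


def add_dns_egress(policy: Policy) -> Policy:
    """Return a copy of the policy with the kube-dns egress rule appended."""
    fixed = copy.deepcopy(policy)
    fixed["spec"].setdefault("egress", []).append(copy.deepcopy(DNS_EGRESS_RULE))
    return fixed


if __name__ == "__main__":
    for pol in (KAFKA_POLICY, BACKEND_POLICY, add_dns_egress(BACKEND_POLICY)):
        for line in lint_policy(pol) or [f"{pol['metadata']['name']}: no findings"]:
            print(line)
```

Run against the reconstructed Kafka policy it reports the `ports`-without-`from` rule, the all-ports `from` rule and the unrestricted egress; against the backend policy it reports the missing DNS egress, which disappears once `add_dns_egress` is applied. The DNS check is deliberately conservative: an egress rule with no `ports` list counts as allowing DNS even though kube-dns may sit outside the listed CIDR, as is possible for the ArgoCD policy above.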
Defining Resource Quotas and HPA
1. Resource Quota Configuration
- Purpose: Limit the resources available within each namespace to manage cluster resources efficiently.
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: spd-fe-quota
  namespace: spd-fe-ns
spec:
  hard:
    pods: "10"
    requests.cpu: "2"
    requests.memory: "4Gi"
    limits.cpu: "4"
    limits.memory: "8Gi"
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: spd-be-quota
  namespace: spd-be-ns
spec:
  hard:
    pods: "10"
    requests.cpu: "2"
    requests.memory: "4Gi"
    limits.cpu: "4"
    limits.memory: "8Gi"
```
Key Points:
- Each namespace can run at most 10 Pods.
- Caps the sum of CPU and memory requests (2 CPU, 4Gi) and limits (4 CPU, 8Gi) across all Pods in the namespace; the quota is checked at admission time and a Pod that would push the total over the cap is rejected.
- Once a quota constrains `requests.*` or `limits.*`, every Pod created in the namespace must declare that request or limit, otherwise the API server rejects it. A LimitRange with default values supplies them for Pods that omit them.
2. Horizontal Pod Autoscaler (HPA) Configuration
- Purpose: Automatically adjust the number of Pods based on CPU utilization to enhance scalability.
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: spd-fe-hpa
  namespace: spd-fe-ns
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: spd-fe-deploy
  minReplicas: 1
  maxReplicas: 5
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: spd-be-hpa
  namespace: spd-be-ns
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: spd-be-deploy
  minReplicas: 1
  maxReplicas: 5
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60
```
Key Points:
- `minReplicas` and `maxReplicas`: Define the minimum and maximum number of Pod replicas (1 to 5 here).
- `metrics`: Triggers scaling on CPU utilization, targeting an average of 60% of the Pods' CPU request. This requires the Metrics Server in the cluster and `resources.requests.cpu` on the target containers; without either the HPA reports the metric as unknown and never scales.
- Interaction with the quota: 5 replicas must fit inside `requests.cpu: "2"` and `requests.memory: "4Gi"`, so each Pod may request at most 400m CPU and roughly 819Mi memory (and at most 800m / about 1.6Gi in limits). Larger Pod specs make the scale-up Pods fail quota admission, and the HPA silently stalls below `maxReplicas`.
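The quota-versus-HPA arithmetic is worth checking before deploying, because a quota rejection during scale-up shows only as Pods that never appear. The script below is an added example for this page, not code from the original; the quota values and `maxReplicas` are taken from the manifests above, while the per-Pod requests and limits are constructed inputs, since the page does not show the Deployments. It parses Kubernetes quantities exactly (as rationals) so that 5 x 400m compares equal to 2 rather than drifting in floating point.

```python
"""Check whether an HPA can actually reach maxReplicas under the namespace ResourceQuota.

Added example for this page, not code from the original. Quota and HPA values come
from the manifests above; the per-pod requests/limits are constructed inputs.
"""
import re
from fractions import Fraction
from typing import Dict, List

# Kubernetes quantity suffixes as exact rationals, so 5 x 400m == 2 holds precisely.
SUFFIXES = {"": Fraction(1), "m": Fraction(1, 1000), "k": Fraction(10**3),
            "M": Fraction(10**6), "G": Fraction(10**9), "Ki": Fraction(2**10),
            "Mi": Fraction(2**20), "Gi": Fraction(2**30), "Ti": Fraction(2**40)}

QUOTA_HARD = {"pods": "10", "requests.cpu": "2", "requests.memory": "4Gi",
              "limits.cpu": "4", "limits.memory": "8Gi"}   # spd-fe-quota / spd-be-quota
MAX_REPLICAS = 5                                           # spd-fe-hpa / spd-be-hpa

# Constructed per-pod (requests, limits) pairs, summed over all containers in a pod.
TOO_BIG = ({"cpu": "500m", "memory": "1Gi"}, {"cpu": "1", "memory": "2Gi"})
FITS = ({"cpu": "400m", "memory": "800Mi"}, {"cpu": "800m", "memory": "1600Mi"})


def parse_quantity(q) -> Fraction:
    """Parse a Kubernetes quantity ('500m', '2', '4Gi') into cores or bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", str(q).strip())
    if not m or m.group(2) not in SUFFIXES:
        raise ValueError(f"unsupported quantity: {q!r}")
    return Fraction(m.group(1)) * SUFFIXES[m.group(2)]


def fmt(value: Fraction, resource: str) -> str:
    """Render cores as millicores and bytes as Mi for readable messages."""
    if resource == "cpu":
        return f"{float(value) * 1000:g}m"
    return f"{float(value) / 2**20:g}Mi"


def per_pod_ceiling(quota_hard: Dict[str, str], max_replicas: int) -> Dict[str, Fraction]:
    """Largest request/limit one pod may carry if max_replicas copies must fit the quota alone."""
    return {key: parse_quantity(val) / max_replicas
            for key, val in quota_hard.items() if key.startswith(("requests.", "limits."))}


def hpa_quota_check(quota_hard: Dict[str, str], max_replicas: int,
                    requests: Dict[str, str], limits: Dict[str, str]) -> List[str]:
    """Problems that would stop the HPA from reaching max_replicas.

    Assumes the HPA target is the only workload in the namespace; any other pods
    consume the same quota and shrink the headroom further.
    """
    problems: List[str] = []
    if "pods" in quota_hard and max_replicas > int(parse_quantity(quota_hard["pods"])):
        problems.append(f"pods quota {quota_hard['pods']} is below maxReplicas {max_replicas}")
    ceiling = per_pod_ceiling(quota_hard, max_replicas)
    for prefix, per_pod in (("requests", requests), ("limits", limits)):
        for res, amount in per_pod.items():
            key = f"{prefix}.{res}"
            if key in ceiling and parse_quantity(amount) > ceiling[key]:
                problems.append(f"{key}: {max_replicas} x {amount} exceeds quota {quota_hard[key]}; "
                                f"at most {fmt(ceiling[key], res)} per pod")
    return problems


if __name__ == "__main__":
    for label, (req, lim) in (("too big", TOO_BIG), ("fits", FITS)):
        print(label, hpa_quota_check(QUOTA_HARD, MAX_REPLICAS, req, lim) or "OK")
```

Feed it the real values from `kubectl get resourcequota -o yaml` and the container `resources` of the target Deployment; `.status.used` on the quota tells you how much headroom other workloads in the namespace have already taken, which the single-workload assumption above ignores.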