Commit e2fbf14

Merge pull request #270532 from chasewilson/chase/netpol_reorder
Move Uninstall NetPol to lower in doc
2 parents 028dcd6 + 6349a75 commit e2fbf14

1 file changed

+34
-33
lines changed

articles/aks/use-network-policies.md

Lines changed: 34 additions & 33 deletions
@@ -4,7 +4,7 @@ titleSuffix: Azure Kubernetes Service
44
description: Learn how to secure traffic that flows in and out of pods by using Kubernetes network policies in Azure Kubernetes Service (AKS).
55
ms.topic: article
66
ms.custom: devx-track-azurecli
7-
ms.date: 02/12/2024
7+
ms.date: 03/28/2024
88
---
99

1010
# Secure traffic between pods by using network policies in AKS
@@ -13,32 +13,6 @@ When you run modern, microservices-based applications in Kubernetes, you often w
1313

1414
This article shows you how to install the network policy engine and create Kubernetes network policies to control the flow of traffic between pods in AKS. Network policies could be used for Linux-based or Windows-based nodes and pods in AKS.
1515

16-
## Before you begin
17-
18-
You need the Azure CLI version 2.0.61 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
19-
20-
### Uninstall Azure Network Policy Manager or Calico (Preview)
21-
Requirements:
22-
- aks-preview Azure CLI extension version 0.5.166 or later. See [Install the aks-preview Azure CLI extension](#install-the-aks-preview-azure-cli-extension).
23-
- Azure CLI version 2.54 or later
24-
- AKS REST API version 2023-08-02-preview or later
25-
26-
Notes:
27-
- The uninstall process does _not_ remove Custom Resource Definitions (CRDs) and Custom Resources (CRs) used by Calico. These CRDs and CRs all have names ending with either "projectcalico.org" or "tigera.io".
28-
These CRDs and associated CRs can be manually deleted _after_ Calico is successfully uninstalled (deleting the CRDs before removing Calico breaks the cluster).
29-
- The upgrade will not remove any NetworkPolicy resources in the cluster, but after the uninstall these policies are no longer enforced.
30-
31-
> [!WARNING]
32-
> The upgrade process triggers each node pool to be re-imaged simultaneously. Upgrading each node pool separately isn't supported. Any disruptions to cluster networking are similar to a node image upgrade or [Kubernetes version upgrade](./upgrade-cluster.md) where each node in a node pool is re-imaged.
33-
34-
To remove Azure Network Policy Manager or Calico from a cluster, run the following command:
35-
```azurecli
36-
az aks update
37-
--resource-group $RESOURCE_GROUP_NAME \
38-
--name $CLUSTER_NAME \
39-
--network-policy none
40-
```
41-
4216
## Overview of network policy
4317

4418
All pods in an AKS cluster can send and receive traffic without limitations, by default. To improve security, you can define rules that control the flow of traffic. Back-end applications are often only exposed to required front-end services, for example. Or, database components are only accessible to the application tiers that connect to them.
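Review bot: this hunk only removes the uninstall section that a later hunk re-adds lower in the file, but the removed text already carries two defects that get copied forward by the move: the `az aks update` command on 36- lacks a trailing `\`, so its options on 37- to 39- are not part of the same command when pasted into a shell, and the bullet on 29- and the warning on 32- say "upgrade" for what is an uninstall. Since the content is being relocated anyway, fix both at the destination rather than preserving them.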
@@ -51,12 +25,12 @@ The network policy rules are defined as YAML manifests. Network policies can be
5125

5226
Azure provides three Network Policy engines for enforcing network policies:
5327

54-
* *Cilium* for AKS clusters that use [Azure CNI Powered by Cilium](./azure-cni-powered-by-cilium.md).
55-
* *Azure Network Policy Manager*.
56-
* *Calico*, an open-source network and network security solution founded by [Tigera][tigera].
28+
* _Cilium_ for AKS clusters that use [Azure CNI Powered by Cilium](./azure-cni-powered-by-cilium.md).
29+
* _Azure Network Policy Manager_.
30+
* _Calico_, an open-source network and network security solution founded by [Tigera][tigera].
5731

5832
Cilium is our recommended Network Policy engine. Cilium enforces network policy on the traffic using Linux Berkeley Packet Filter (BPF), which is generally more efficient than "IPTables". See more details in [Azure CNI Powered by Cilium documentation](./azure-cni-powered-by-cilium.md).
59-
To enforce the specified policies, Azure Network Policy Manager for Linux uses Linux *IPTables*. Azure Network Policy Manager for Windows uses *Host Network Service (HNS) ACLPolicies*. Policies are translated into sets of allowed and disallowed IP pairs. These pairs are then programmed as `IPTable` or `HNS ACLPolicy` filter rules.
33+
To enforce the specified policies, Azure Network Policy Manager for Linux uses Linux _IPTables_. Azure Network Policy Manager for Windows uses _Host Network Service (HNS) ACLPolicies_. Policies are translated into sets of allowed and disallowed IP pairs. These pairs are then programmed as `IPTable` or `HNS ACLPolicy` filter rules.
6034

6135

6236
## Differences between Network Policy engines: Cilium, Azure NPM, and Calico
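Review bot: the changed line 33+ spells the tool `_IPTables_` at the start of the sentence and `IPTable` at the end; since this change is purely a markup pass over the italics, it is the right moment to make the spelling consistent as well (the tool's own name is `iptables`), and the same applies to the quoted "IPTables" in the unchanged context line above it.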
@@ -88,6 +62,10 @@ In Windows, Azure Network Policy Manager doesn't support:
8862

8963
With Azure Network Policy Manager for Linux, we don't allow scaling beyond 250 nodes and 20,000 pods. If you attempt to scale beyond these limits, you might encounter "Out of Memory" (OOM) errors. To increase your memory limit, create a support ticket.
9064

65+
## Before you begin
66+
67+
You need the Azure CLI version 2.0.61 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
68+
9169
## Create an AKS cluster and enable network policy
9270

9371
To see network policies in action, you create an AKS cluster that supports network policy and then work on adding policies.
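Review bot: the re-added "Before you begin" on 65+ to 68+ states Azure CLI 2.0.61 or later as the only prerequisite, while the uninstall section added later in this PR requires Azure CLI 2.54 and the aks-preview extension 0.5.166. Consider a one-line pointer here that the preview uninstall has its own, higher requirements so readers who start from this section are not surprised later.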
@@ -158,13 +136,13 @@ Register the `WindowsNetworkPolicyPreview` feature flag by using the [az feature
158136
az feature register --namespace "Microsoft.ContainerService" --name "WindowsNetworkPolicyPreview"
159137
```
160138

161-
It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature show][az-feature-show] command:
139+
It takes a few minutes for the status to show _Registered_. Verify the registration status by using the [az feature show][az-feature-show] command:
162140

163141
```azurecli-interactive
164142
az feature show --namespace "Microsoft.ContainerService" --name "WindowsNetworkPolicyPreview"
165143
```
166144

167-
When the status reflects *Registered*, refresh the registration of the `Microsoft.ContainerService` resource provider by using the [az provider register][az-provider-register] command:
145+
When the status reflects _Registered_, refresh the registration of the `Microsoft.ContainerService` resource provider by using the [az provider register][az-provider-register] command:
168146

169147
```azurecli-interactive
170148
az provider register --namespace Microsoft.ContainerService
@@ -385,6 +363,29 @@ Run the following command to label the `client` and verify connectivity with the
385363
kubectl label pod client -n demo app=client
386364
```
387365

366+
## Uninstall Azure Network Policy Manager or Calico (Preview)
367+
368+
Requirements:
369+
- aks-preview Azure CLI extension version 0.5.166 or later. See [Install the aks-preview Azure CLI extension](#install-the-aks-preview-azure-cli-extension).
370+
- Azure CLI version 2.54 or later
371+
- AKS REST API version 2023-08-02-preview or later
372+
373+
> [!NOTE]
374+
> - The uninstall process does _**not**_ remove Custom Resource Definitions (CRDs) and Custom Resources (CRs) used by Calico. These CRDs and CRs all have names ending with either "projectcalico.org" or "tigera.io".
375+
> These CRDs and associated CRs can be manually deleted _after_ Calico is successfully uninstalled (deleting the CRDs before removing Calico breaks the cluster).
376+
> - The upgrade will not remove any NetworkPolicy resources in the cluster, but after the uninstall these policies are no longer enforced.
377+
378+
> [!WARNING]
379+
> The upgrade process triggers each node pool to be re-imaged simultaneously. Upgrading each node pool separately isn't supported. Any disruptions to cluster networking are similar to a node image upgrade or [Kubernetes version upgrade](./upgrade-cluster.md) where each node in a node pool is re-imaged.
380+
381+
To remove Azure Network Policy Manager or Calico from a cluster, run the following command:
382+
```azurecli
383+
az aks update
384+
--resource-group $RESOURCE_GROUP_NAME \
385+
--name $CLUSTER_NAME \
386+
--network-policy none
387+
```
388+
388389
## Clean up resources
389390

390391
In this article, you created a namespace and two pods and applied a network policy. To clean up these resources, use the [kubectl delete][kubectl-delete] command and specify the resource name:
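Review bot: the `az aks update` block on 383+ to 386+ is missing the line continuation after `az aks update`, so pasted into a shell it runs `az aks update` alone (which fails for lack of `--resource-group` and `--name`) and then tries to execute `--resource-group $RESOURCE_GROUP_NAME` as a separate command; the first line should be `az aks update \`. Also, the second NOTE bullet on 376+ and the WARNING on 379+ say "upgrade" where the section describes an uninstall; since the effect described on 376+ is that existing NetworkPolicy objects remain in the cluster but stop being enforced (so all pod traffic is allowed again), it would help to say "uninstall" consistently and to state plainly that the cluster is open until a policy engine is installed again, because `kubectl get networkpolicy -A` will still list the policies and can give a false sense of enforcement.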
