Saturday, April 19, 2025

Apply Network Policy in the Kubernetes Cluster


When we deploy a GenAI app on-prem, such as Ollama with Open WebUI, we are often asked: "how can we be sure our GenAI workload is processed entirely on-prem and never connects out to public services like Hugging Face, OpenAI or Groq?"

A simple answer may be: "just disconnect the Wi-Fi on your laptop and see how it goes".

That sounds simple. But when the apps are deployed in a data center we cannot just try something like that: modifying the firewall rules that currently carry our site-to-site VPN risks cutting off our own connectivity to the site.

Fortunately, if the apps are deployed in a Kubernetes cluster this is a relief, because Kubernetes has "Network Policies" ( https://kubernetes.io/docs/concepts/services-networking/network-policies/ ) that are applied at namespace level, so a policy with wrong rules affects only that namespace and not the whole cluster. One caveat: a NetworkPolicy object is only enforced by a CNI plugin that implements it (Calico, Cilium, OVN-Kubernetes on OpenShift, and so on). With a plugin that does not, the API server accepts the object and nothing is blocked, so always verify the effect from inside a pod.

This is an example network policy YAML that blocks Internet egress from all pods in the "test" namespace. It selects every pod (empty podSelector), declares an Egress policy (which makes everything not listed denied), and allows only the RFC 1918 private ranges, so cluster-internal traffic such as DNS and services keeps working as long as the cluster's pod and service CIDRs fall inside those ranges:

$ vi netpol-block-internet-on-test-ns.yaml

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: block-internet-only
  namespace: test
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
  - Egress                 # only egress is restricted; ingress is left untouched
  egress:                  # any destination not matched below is denied (all ports, all protocols)
  - to:
    - ipBlock:
        cidr: 10.0.0.0/8
  - to:
    - ipBlock:
        cidr: 192.168.0.0/16
  - to:
    - ipBlock:
        cidr: 172.16.0.0/12   # full RFC 1918 range 172.16.0.0-172.31.255.255; a /20 here would cover only 172.16.0.0-172.16.15.255

$ kubectl create -f ./netpol-block-internet-on-test-ns.yaml


Done: pods in the "test" namespace can no longer reach the Internet. If we get the rules wrong, we do not lose access to the cluster; only the pods in that specific "test" namespace are affected. Note that this policy restricts egress only, so incoming traffic to the pods is untouched, and that the cluster's own pod and service CIDRs (including the cluster DNS service IP) must lie within the allowed ranges, otherwise in-cluster traffic breaks as well.
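Before applying a policy like this, it is worth checking that the allow-list really covers the cluster's own ranges and really excludes Internet addresses. The script below is an added example, not code from the original post: it evaluates an ipBlock allow-list the way a CNI would (any matching rule allows, no match denies) using only shell arithmetic, so it needs no kubectl. The pod CIDR 10.244.0.0/16, the service CIDR 172.20.0.0/16 and the kube-dns address 172.20.0.10 are assumed sample values; it also compares the post's original 172.16.0.0/20 against the full RFC 1918 172.16.0.0/12 to show why the prefix length matters.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: evaluate an egress ipBlock
# allow-list offline, before applying it. Pure shell arithmetic, no kubectl.
# The cluster ranges used below are assumed sample values.

ip2int() {
  # ip2int A.B.C.D -> the address as a 32-bit integer.
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_contains() {
  # cidr_contains NET/BITS IP -> exit 0 when IP lies inside the CIDR block.
  net=${1%/*}; bits=${1#*/}; ip=$2
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$ip") & mask )) ]
}

egress_allowed() {
  # egress_allowed IP CIDR... -> exit 0 if any allowed ipBlock matches IP.
  # This mirrors how a policy with only ipBlock rules is evaluated: any rule
  # that matches allows the connection; no match means denied, because a pod
  # selected by an Egress policy is default-deny for everything not listed.
  ip=$1; shift
  for cidr in "$@"; do
    cidr_contains "$cidr" "$ip" && return 0
  done
  return 1
}

report() {
  # report LABEL IP CIDR... -> print allowed/DENIED and return that status.
  label=$1; ip=$2; shift 2
  if egress_allowed "$ip" "$@"; then
    echo "$label $ip allowed"
  else
    echo "$label $ip DENIED"; return 1
  fi
}

# Allow-list with the /20 as it appeared in the post's first draft,
# versus the full RFC 1918 set.
AS_WRITTEN="10.0.0.0/8 192.168.0.0/16 172.16.0.0/20"
RFC1918="10.0.0.0/8 192.168.0.0/16 172.16.0.0/12"

if [ "${1:-}" = "check" ]; then
  # Assumed cluster ranges: pod CIDR 10.244.0.0/16 and a service CIDR of
  # 172.20.0.0/16 (one of the EKS defaults), with kube-dns at 172.20.0.10.
  # In-cluster targets must be allowed, the Internet target must be denied.
  for ip in 10.244.1.7 172.20.0.10 8.8.8.8; do
    report "as-written:" "$ip" $AS_WRITTEN
    report "rfc1918:   " "$ip" $RFC1918
  done
fi
```

Run it as `bash check-netpol-cidrs.sh check` (file name assumed) and substitute your cluster's pod CIDR, service CIDR and DNS service IP for the sample values: with the /20 allow-list the kube-dns address 172.20.0.10 is DENIED, which would break name resolution for every pod in the namespace, while 8.8.8.8 is denied under both lists as intended.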

When that happens, simply edit the netpol and retest as needed; the change takes effect immediately, without restarting the pods:

$ kubectl get netpol -n test
NAME                  POD-SELECTOR   AGE
block-internet-only   <none>         5d20h

$ kubectl edit netpol -n test block-internet-only

$ kubectl get pods -n test
NAME                                     READY   STATUS    RESTARTS   AGE
virt-launcher-rhel9-test4-5x4cl          1/1     Running   0          28h
virt-launcher-ubuntu2204-lg4c5           1/1     Running   0          7d6h
web-test-7bb8d8fdc8-bwwjz                1/1     Running   0          8d
web2-test-db86ffffb-stsqq                1/1     Running   0          8d
web3-test-564d95cb8f-s8ptl               1/1     Running   0          8d
chroma-chromadb-0                        1/1     Running   0          8d
ollama-6866946df5-w5vc9                  1/1     Running   0          31h
open-webui-855594f59b-cj8v2              1/1     Running   0          8d

$ kubectl exec -it -n test ollama-6866946df5-w5vc9 -- /bin/bash
root@ollama-6866946df5-w5vc9:/# ping 8.8.8.8
bash: ping: command not found

# The ollama image does not ship ping, and apt itself needs Internet access,
# so the netpol has to be deleted temporarily for the install and created again afterwards:
root@ollama-6866946df5-w5vc9:/# apt update ; apt install -y iputils-ping
root@ollama-6866946df5-w5vc9:/# ping 8.8.8.8    # with the netpol re-applied, no replies should come back: ICMP is covered by the ipBlock rules like any other protocol
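Removing the policy just to install a test tool defeats the purpose of the test. The script below is an added example, not from the original post, that probes egress from inside the pod with nothing but bash's /dev/tcp pseudo-device and getent, both present in the Ubuntu-based ollama image. The kube-dns address 10.96.0.10, the service name chroma-chromadb and the public hostnames are assumed targets; adjust them to your cluster.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: test egress from inside a pod
# without installing anything. bash's /dev/tcp pseudo-device and getent are
# both available in the Ubuntu-based ollama image the post execs into.
# Target names, the kube-dns IP and the service name below are assumptions.

probe_tcp() {
  # probe_tcp HOST PORT [SECONDS] -> exit 0 if a TCP connect completes in time.
  # A denied egress usually hangs (packets are dropped, not rejected), so the
  # connect runs under `timeout`; a refused or unresolvable target fails fast.
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

probe_dns() {
  # probe_dns NAME -> exit 0 if the pod's resolver (kube-dns) answers.
  getent hosts "$1" >/dev/null 2>&1
}

verdict() {
  # verdict EXPECT OBSERVED -> "ok" when they match, "MISMATCH" otherwise.
  # Both arguments are the words "open" or "blocked".
  if [ "$1" = "$2" ]; then echo ok; else echo MISMATCH; fi
}

run_probe() {
  # run_probe LABEL EXPECT HOST PORT -> print one line, exit 0 only on match.
  label=$1; expect=$2; host=$3; port=$4
  if probe_tcp "$host" "$port"; then observed=open; else observed=blocked; fi
  printf '%-24s %-8s expected %-8s %s\n' "$label" "$observed" "$expect" "$(verdict "$expect" "$observed")"
  [ "$expect" = "$observed" ]
}

if [ "${1:-}" = "run" ]; then
  status=0
  # In-cluster targets must stay open, otherwise the allow-list is too narrow.
  run_probe "kube-dns:53"     open    10.96.0.10 53            || status=1
  probe_dns chroma-chromadb \
    && echo "dns chroma-chromadb      resolves" \
    || { echo "dns chroma-chromadb      FAILS (DNS egress blocked?)"; status=1; }
  # Internet targets must be blocked. 8.8.8.8 is the post's own target; the
  # two hostnames resolve via kube-dns, but the connect itself must not succeed.
  run_probe "google-dns:53"   blocked 8.8.8.8 53               || status=1
  run_probe "huggingface:443" blocked huggingface.co 443       || status=1
  run_probe "openai:443"      blocked api.openai.com 443       || status=1
  exit $status
fi
```

Feed it to the pod over stdin so nothing has to be copied in or installed: `kubectl exec -i -n test ollama-6866946df5-w5vc9 -- bash -s run < probe-egress.sh` (file name assumed). A non-zero exit means at least one probe contradicted the policy's intent: either the in-cluster targets are cut off (allow-list too narrow, or DNS not covered) or an Internet target was still reachable (policy not enforced by the CNI, or a CIDR too wide). Keep in mind that a hostname that fails to resolve also reports "blocked", so the DNS check comes first.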


Kubernetes is complex and full of YAML and command lines. But once we know how to use them, it is very convenient to deploy or apply whatever capability we need.👍

Even though Red Hat's premium product, OpenShift, simplifies most of those YAMLs and command lines into clicks on a web-based portal, it is still not as convenient as applying them through the classic terminal and the "oc" command line. 😃

Which one do you prefer to use:
- Typing command lines in a terminal?
- Or clicking links and buttons in a web portal?😏

Did you know that kubectl and oc support auto-completion in the bash terminal, which speeds up typing commands and their parameters?

And did you know that when Red Hat CoreOS is installed, oc auto-completion is already turned on by default in the bash shell there? 😀