Configure Networking
Configure network connections for your VFX Cloud Studio
Create Network Policies
Connectivity between Kubernetes components and the Internet is managed by Kubernetes Network Policies.
For the following example implementation, a small set of Network Policies is created that gives user groups different levels of access to internal and external resources.
Network Policies are specified in YAML manifests and deployed to the namespace with kubectl:

```shell
$ kubectl apply -f <path/to/manifest>
```
For artists
The first example Network Policy is called artist, and defines network permissions for the artist user group (user.group).
This Network Policy uses a Pod Selector, which matches any Pod that has the label user.group: artist. The Policy allows inbound traffic from the local namespace on TCP ports 3389, 4172, 60443 and 443.
The Policy additionally allows artist machines to send outbound traffic to any destination within the same namespace on TCP ports 139 and 445 (SMB).
Network Policies are allow-lists and are additive: once a Pod is selected by a Policy for a direction (Ingress or Egress), only the traffic explicitly allowed by some Policy selecting that Pod is permitted in that direction, and any IP range or port not included in a rule is blocked. A Pod that no Policy selects keeps the open default.
Network Policy for artists:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: artist
spec:
  podSelector:
    matchLabels:
      user.group: artist
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: tenant-sta-vfx1-reference
      ports:
        - protocol: TCP
          port: 3389
        - protocol: TCP
          port: 4172
        - protocol: TCP
          port: 60443
        - protocol: TCP
          port: 443
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: tenant-sta-vfx1-reference
      ports:
        - protocol: TCP
          port: 139
        - protocol: TCP
          port: 445
```
The Policy prevents connections that originate outside the cluster from reaching the internal machines. Port 3389 is the RDP port, left open so that administrators can troubleshoot machines. Note, however, that the manifest above only admits that port from sources inside the namespace (the namespaceSelector applies to all four ports), so RDP from outside the cluster needs either an additional ingress rule with an ipBlock, as in the administrator Policy later on this page, or a jump host inside the namespace.
The Network Policy Editor is a visual, interactive tool that assists in composing these policies by working with diagrams like the example below.
If the Network Policy were to be stricter, it might only accept inbound traffic from the Teradici Connection Manager Pods and only allow outbound traffic to the Samba Active Directory Pods. This would prevent any external or internal resource from connecting to our machines without going through the connection manager and the Leostream connection broker. Note that the stricter manifest reuses the metadata.name artist, so applying it with kubectl replaces the earlier Policy rather than adding a second one (two Policies selecting the same Pods would combine their allow rules and loosen access).
Such a policy would look like this:
Strict Network Policy for artists:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: artist
spec:
  podSelector:
    matchLabels:
      user.group: artist
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: teradici-gateway-teridici-conn-gateway
      ports:
        - protocol: TCP
          port: 3389
        - protocol: TCP
          port: 4172
        - protocol: TCP
          port: 60443
        - protocol: TCP
          port: 443
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: samba-ad-samba-ad
      ports:
        - protocol: TCP
          port: 139
        - protocol: TCP
          port: 445
```
To learn more about remotely managing VFX Studios, refer to Manage a Cloud Studio.
To apply the Policy to the relevant Virtual Workstations, first deploy the Policy manifest with kubectl apply:

```shell
$ kubectl apply -f <path/to/manifest>
```

Because the Policy's Pod Selector matches on the user.group: artist label, only machines carrying that label are affected by it.
Next, navigate to the Virtual Server management page. From here, Virtual Servers (Virtual Workstations) can be stopped, edited, and started again. Stop the running artist machines, click the Edit button, open the YAML editor (the EDIT YAML tab on the right-hand side of the screen), and add the following label to the manifest:

```yaml
labels:
  user.group: "artist"
```

Start the machines once again. After restarting, the machines carry the artist label and the Network Policy applies to them. To confirm, list the Pods that match the selector with kubectl get pods -l user.group=artist, and inspect the Policy with kubectl describe networkpolicy artist.
For administrators
Now, a different Network Policy is created for administrators.
Network Policy for administrators:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: administration
spec:
  podSelector:
    matchLabels:
      user.group: administration
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 3389
        - protocol: TCP
          port: 4172
        - protocol: TCP
          port: 60443
        - protocol: TCP
          port: 443
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
```
This Policy accepts inbound connections on the four ports from any source address (0.0.0.0/0), and allows outbound traffic to any destination except the private 10.0.0.0/8 range in which the Samba storage is addressed, so administrators cannot reach the Samba storage but can connect to anything else. Because the ingress rule matches any source, whether RDP on an administrator machine is reachable from the Internet is decided solely by whether that machine has a public IP address.
For resources
The final Network Policy allows internal infrastructure to be reached by other resources in the namespace. A wide-open egress rule (egress: - {}) is also added, so that Services can connect to resources within the namespace or on the Internet. When adding a wide-open Policy like this, pay close attention to whether a public IP address is assigned, to avoid unintended connections from external actors.
Network Policy for resources:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: infra
spec:
  podSelector:
    matchLabels:
      user.group: infra
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: tenant-sta-vfx1-reference
  egress:
    - {}
```
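The three Policies on this page, together with the stricter artist variant, can be checked against the claims made about them (the additive allow-list semantics, which sources port 3389 is really open to, and the administrator Policy's Samba exclusion) by evaluating them with a small model of the NetworkPolicy rules. The following is an added example and is not CoreWeave's or Kubernetes' code. The namespace and manifests are taken from this page; the Pod names, the Pod IPs inside 10.0.0.0/8, and the 203.0.113.7 Internet address are constructed for illustration, and the function names (is_allowed, decisions) are the example's own.

```python
"""Tiny NetworkPolicy evaluator for the semantics this page relies on: an allow-list,
additive across policies, default-deny once a Pod is selected for a direction. Added example,
not CoreWeave's or Kubernetes' code; Pod names and IPs (assumed inside 10.0.0.0/8) are constructed."""
import ipaddress
from collections import namedtuple

NS = "tenant-sta-vfx1-reference"                        # namespace from the page's manifests
NAMESPACES = {NS: {"kubernetes.io/metadata.name": NS}}   # namespace name -> its labels
Pod = namedtuple("Pod", "name namespace labels ip")

def labels_match(selector, labels):                     # matchLabels; {} matches everything
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, other, other_ip, local_ns):
    """One 'from:'/'to:' entry against the remote endpoint (a Pod, or None if outside the cluster)."""
    if "ipBlock" in peer:
        # ipBlock targets cluster-external addresses; that it also sees Pod IPs (assumed here so
        # the admin 'except: 10.0.0.0/8' blocks Samba) depends on the CNI.
        ip, blk = ipaddress.ip_address(other_ip), peer["ipBlock"]
        return (ip in ipaddress.ip_network(blk["cidr"])
                and not any(ip in ipaddress.ip_network(e) for e in blk.get("except", [])))
    if other is None:
        return False                                     # selectors only match in-cluster Pods
    if "namespaceSelector" in peer:                      # any Pod in a matching namespace
        ns_ok = labels_match(peer["namespaceSelector"], NAMESPACES[other.namespace])
    else:                                                # podSelector alone: the policy's own namespace
        ns_ok = other.namespace == local_ns
    return ns_ok and labels_match(peer.get("podSelector", {}), other.labels)

def rule_allows(rule, peer_key, other, other_ip, port, proto, local_ns):  # no from/to = any peer; no ports = any port
    peers = rule.get(peer_key)
    if peers is not None and not any(peer_matches(p, other, other_ip, local_ns) for p in peers):
        return False
    ports = rule.get("ports")
    return ports is None or any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)

def direction_allowed(policies, subject, other, other_ip, port, proto, direction):
    """'Ingress': subject is the destination; 'Egress': subject is the source."""
    if subject is None:
        return True                                      # nothing to enforce on an external endpoint
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selected = [p for p in policies if p["metadata"]["namespace"] == subject.namespace
                and labels_match(p["spec"]["podSelector"], subject.labels)
                and direction in p["spec"]["policyTypes"]]
    if not selected:
        return True                                      # unselected Pods keep the open default
    # Additive: the union of the selected policies' rules is the allow-list; no matching rule means deny.
    return any(rule_allows(r, peer_key, other, other_ip, port, proto, subject.namespace)
               for p in selected for r in p["spec"].get(key, []))

def is_allowed(policies, src, dst, port, proto="TCP", src_ip=None, dst_ip=None):
    """Egress on the source AND ingress on the destination; src/dst=None plus *_ip = outside the cluster."""
    return (direction_allowed(policies, src, dst, dst_ip or dst.ip, port, proto, "Egress")
            and direction_allowed(policies, dst, src, src_ip or src.ip, port, proto, "Ingress"))

def policy(name, group, ingress, egress):               # manifest shape from the page, namespace filled in
    return {"metadata": {"name": name, "namespace": NS},
            "spec": {"podSelector": {"matchLabels": {"user.group": group}},
                     "policyTypes": ["Ingress", "Egress"], "ingress": ingress, "egress": egress}}

def tcp(*ports):
    return [{"protocol": "TCP", "port": p} for p in ports]

SAME_NS = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": NS}}}
TERADICI_SEL = {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "teradici-gateway-teridici-conn-gateway"}}}
SAMBA_SEL = {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "samba-ad-samba-ad"}}}
POLICIES = [  # the artist, administration and infra manifests from this page
    policy("artist", "artist", [{"from": [SAME_NS], "ports": tcp(3389, 4172, 60443, 443)}],
           [{"to": [SAME_NS], "ports": tcp(139, 445)}]),
    policy("administration", "administration",
           [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}], "ports": tcp(3389, 4172, 60443, 443)}],
           [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.0.0.0/8"]}}]}]),
    policy("infra", "infra", [{"from": [SAME_NS]}], [{}]),
]
# The strict variant reuses metadata.name 'artist', so kubectl apply replaces the first Policy;
# keeping both would union their rules and loosen, not tighten, access.
STRICT_POLICIES = [policy("artist", "artist", [{"from": [TERADICI_SEL], "ports": tcp(3389, 4172, 60443, 443)}],
                          [{"to": [SAMBA_SEL], "ports": tcp(139, 445)}])] + POLICIES[1:]
# Constructed endpoints; 203.0.113.7 (TEST-NET-3) stands in for an address on the Internet.
ARTIST = Pod("ws-artist-1", NS, {"user.group": "artist"}, "10.20.0.11")
ADMIN = Pod("ws-admin-1", NS, {"user.group": "administration"}, "10.20.0.12")
SAMBA = Pod("samba-ad-0", NS, {"user.group": "infra", **SAMBA_SEL["podSelector"]["matchLabels"]}, "10.20.0.5")
TERADICI = Pod("teradici-gw-0", NS, {"user.group": "infra", **TERADICI_SEL["podSelector"]["matchLabels"]}, "10.20.0.6")
INTERNET = "203.0.113.7"

def decisions(policies=POLICIES):
    """True = allowed, False = denied, for the connections the page's prose makes claims about."""
    return {
        "artist->samba:445": is_allowed(policies, ARTIST, SAMBA, 445),
        "artist->internet:443": is_allowed(policies, ARTIST, None, 443, dst_ip=INTERNET),
        "internet->artist:3389": is_allowed(policies, None, ARTIST, 3389, src_ip=INTERNET),
        "internet->admin:3389": is_allowed(policies, None, ADMIN, 3389, src_ip=INTERNET),
        "admin->samba:445": is_allowed(policies, ADMIN, SAMBA, 445),
        "admin->internet:443": is_allowed(policies, ADMIN, None, 443, dst_ip=INTERNET),
        "infra->internet:443": is_allowed(policies, SAMBA, None, 443, dst_ip=INTERNET),
        "infra->artist:3389": is_allowed(policies, SAMBA, ARTIST, 3389),
        "teradici->artist:4172": is_allowed(policies, TERADICI, ARTIST, 4172),
    }
```

Call decisions() for the page's manifests and decisions(STRICT_POLICIES) for the strict variant. Under the page's manifests the artist Policy's namespaceSelector denies RDP from 203.0.113.7 while the administrator Policy accepts it, artist Pods reach Samba on 445 but not the Internet on 443, and the infra Pods' egress: - {} lets them reach anything. Swapping in the strict artist Policy turns infra->artist:3389 from allowed into denied (only the Teradici gateway Pods may connect) while leaving teradici->artist:4172 open. Whether ipBlock rules see Pod addresses, which the administrator Policy's Samba exclusion depends on, is left to the CNI by the Kubernetes specification, so confirm that behaviour on the live cluster rather than assuming it.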
Firewalls
To learn more about firewalls for Virtual Servers, refer to CoreWeave Cloud Native Networking (CCNN): Network Policies (Firewalls).
CoreWeave Cloud Native Networking (CCNN) is the provided networking solution for VFX Studios, and configuring Network Policies is the standard method for network security within CCNN.
At this time, CCNN does not offer a managed intrusion detection system (IDS) or intrusion prevention system (IPS).