Configure Networking
Configure network connections for your VFX Cloud Studio
Connectivity between Kubernetes components and the Internet is managed by Kubernetes Network Policies.
For the following example implementation, a simple group of Network Policies is created, which gives each user group a different level of access to internal and external resources.
Network Policies are specified in YAML manifests, and are deployed to the namespace using `kubectl`:

```
$ kubectl apply -f <path/to/manifest>
```
The first example Network Policy is called `artist`, and defines network permissions for the `artist` user group (the `user.group` label). This Network Policy uses a Pod Selector, which matches any Pod that has the label `user.group: artist`. The Policy allows inbound traffic from the local namespace on TCP ports 3389, 4172, 60443 and 443. It additionally allows `artist` machines to send outbound traffic to any destination within the same namespace on TCP ports 139 and 445 (SMB).

Note
Network Policies are additive: a Pod that is selected by a Policy is isolated in every direction listed under `policyTypes`, and in that direction only traffic explicitly allowed by some Policy that selects the Pod gets through. Any peer, IP range or port not included in a rule will not be reachable. Pods that no Policy selects keep the Kubernetes default of unrestricted traffic.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: artist
spec:
  podSelector:
    matchLabels:
      user.group: artist
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: tenant-sta-vfx1-reference
      ports:
        - protocol: TCP
          port: 3389
        - protocol: TCP
          port: 4172
        - protocol: TCP
          port: 60443
        - protocol: TCP
          port: 443
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: tenant-sta-vfx1-reference
      ports:
        - protocol: TCP
          port: 139
        - protocol: TCP
          port: 445
```
The Policy prevents connections that originate outside the cluster from reaching the internal machines. Port 3389 (RDP) is intended to be left open to provide admin access for troubleshooting machines; note, however, that the manifest as shown only permits 3389 from within the namespace, so exposing it to external addresses would require an additional `ipBlock` entry under `from`. Because RDP is a common brute-force target, prefer reaching it through the connection broker or a bastion rather than opening it to the Internet.

Tip
The Network Policy Editor is a visual, interactive tool that assists in composing these policies by working with diagrams like the example below.

[Network Policy Editor diagram]
A stricter Network Policy might only allow inbound traffic that originates from the Teradici Connection Gateway Pods, and only allow outbound traffic to the Samba Active Directory Pods. This would prevent any external or internal resource from connecting to the machines without going through the connection manager and the Leostream connection broker. Because it uses the same `metadata.name`, applying it replaces the first `artist` Policy rather than adding to it.

Note that neither version of the `artist` Policy allows egress to the cluster DNS service (port 53 in `kube-system`), so name resolution from the workstations will fail unless a rule for it is added.

Such a policy would look like this:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: artist
spec:
  podSelector:
    matchLabels:
      user.group: artist
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: teradici-gateway-teridici-conn-gateway
      ports:
        - protocol: TCP
          port: 3389
        - protocol: TCP
          port: 4172
        - protocol: TCP
          port: 60443
        - protocol: TCP
          port: 443
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: samba-ad-samba-ad
      ports:
        - protocol: TCP
          port: 139
        - protocol: TCP
          port: 445
```
Additional Resources
To apply a Policy to the relevant Virtual Workstations, first deploy the Policy manifest using `kubectl apply`:

```
$ kubectl apply -f <path/to/manifest>
```

Because the Policy's Pod Selector matches on the `user.group` label, only those machines that are labelled as `artist` machines will be affected by it. Next, navigate to the Virtual Server management page. From here, Virtual Servers (Virtual Workstations) can be stopped, edited, and then started again. Stop the running artist machines, then edit the YAML manifest by clicking the Edit button and opening the YAML tab.

Then, open the YAML editor by clicking the EDIT YAML tab on the right-hand side of the screen, and add the following `label` to the manifest:

```yaml
labels:
  user.group: "artist"
```

Start the machines once again. After restarting, the machines should carry the `artist` label, and the Network Policy should be applied. Since `podSelector` evaluates Pod labels, confirm that the label is present on the workstation's Pod (for example with `kubectl get pods --show-labels`) and not only on the Virtual Server object.

Now, a different Network Policy is created for administrators.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: administration
spec:
  podSelector:
    matchLabels:
      user.group: administration
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 3389
        - protocol: TCP
          port: 4172
        - protocol: TCP
          port: 60443
        - protocol: TCP
          port: 443
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
```
This Policy accepts inbound connections from any source address on the four workstation ports, and allows administrators to connect to any destination except addresses in `10.0.0.0/8`, the private range in which the Samba storage lives. The `egress` rule carries no `ports` list, so every port is permitted to the remaining destinations.
If you add a wide-open Policy like this, pay close attention to whether or not a public IP address is assigned to the machine, to avoid unintended connections from external actors.
The final Network Policy to create is one that allows internal infrastructure to be reachable, on any port, by other resources in the namespace. A wide-open egress rule (`- {}`) is also added, so that Services can connect to resources within the namespace or on the Internet.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: infra
spec:
  podSelector:
    matchLabels:
      user.group: infra
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: tenant-sta-vfx1-reference
  egress:
    - {}
```
Note
Should an open egress Policy be deployed, pay close attention to whether or not public IP addresses are assigned, to avoid unintended connections from external actors.
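The following script is an added example, not code from this page or from CoreWeave. It evaluates the semantics the Note above describes (a selected Pod is isolated per direction, policies are additive, unselected Pods are unrestricted) against the three manifests on this page, transcribed into the dict shape that `kubectl get networkpolicy -o json` returns. The Pod labels, peer addresses and the `SAMBA` and `INTERNET` peers are constructed for illustration; in particular it shows that the `artist` manifest as written does not admit port 3389 from outside the cluster, and that the `administration` manifest's `except` blocks the Samba range.

```python
"""Offline evaluator for Kubernetes NetworkPolicy ingress/egress decisions.

Added example (not CoreWeave's code). Policies are the page's manifests as dicts;
peers and labels are constructed inputs.
"""
import ipaddress

NAMESPACE = "tenant-sta-vfx1-reference"  # namespace used in the page's manifests
NS_PEER = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": NAMESPACE}}}


def tcp(*ports):
    return [{"protocol": "TCP", "port": p} for p in ports]


POLICIES = [
    {"metadata": {"name": "artist"},
     "spec": {"podSelector": {"matchLabels": {"user.group": "artist"}},
              "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"from": [NS_PEER], "ports": tcp(3389, 4172, 60443, 443)}],
              "egress": [{"to": [NS_PEER], "ports": tcp(139, 445)}]}},
    {"metadata": {"name": "administration"},
     "spec": {"podSelector": {"matchLabels": {"user.group": "administration"}},
              "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
                           "ports": tcp(3389, 4172, 60443, 443)}],
              # no 'ports' key: every port to the matched destinations
              "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.0.0.0/8"]}}]}]}},
    {"metadata": {"name": "infra"},
     "spec": {"podSelector": {"matchLabels": {"user.group": "infra"}},
              "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"from": [NS_PEER]}],  # no ports: all ports from the namespace
              "egress": [{}]}},                   # empty rule: every destination, every port
]


def selector_matches(selector, labels):
    """matchLabels only; an empty selector ({}) matches everything, as in Kubernetes."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(rule_peer, peer):
    """Does one entry of a rule's from/to list match the remote endpoint?"""
    if "ipBlock" in rule_peer:
        # ipBlock is meant for cluster-external addresses; for pod-to-pod traffic the
        # address seen may be a SNATed node IP, so do not rely on it in-cluster.
        ip = ipaddress.ip_address(peer["ip"])
        block = rule_peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(x) for x in block.get("except", []))
    if "namespace" not in peer:
        return False  # label selectors never match traffic from outside the cluster
    ns_labels = {"kubernetes.io/metadata.name": peer["namespace"]}  # set by Kubernetes
    if "namespaceSelector" in rule_peer and not selector_matches(rule_peer["namespaceSelector"], ns_labels):
        return False
    if "podSelector" in rule_peer:
        # A podSelector alone is scoped to the policy's own namespace; next to a
        # namespaceSelector in the same entry, both must match (AND).
        if "namespaceSelector" not in rule_peer and peer["namespace"] != NAMESPACE:
            return False
        if not selector_matches(rule_peer["podSelector"], peer.get("labels", {})):
            return False
    return True


def rule_allows(rule, direction, peer, port, proto):
    peers = rule.get("from" if direction == "Ingress" else "to")
    if peers and not any(peer_matches(p, peer) for p in peers):
        return False  # a missing or empty from/to list matches every peer
    ports = rule.get("ports")
    if not ports:
        return True  # a missing or empty ports list matches every port
    return any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)


def policy_types(spec):
    # Default when policyTypes is omitted: Ingress always, Egress only if egress rules exist.
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])


def is_allowed(direction, pod_labels, peer, port, proto="TCP", policies=POLICIES):
    """direction is 'Ingress' (peer -> pod) or 'Egress' (pod -> peer)."""
    isolating = [p for p in policies
                 if selector_matches(p["spec"]["podSelector"], pod_labels)
                 and direction in policy_types(p["spec"])]
    if not isolating:
        return True  # no policy isolates the pod in this direction: default allow
    # Additive: allowed if any rule of any selecting policy allows it, else denied.
    return any(rule_allows(r, direction, peer, port, proto)
               for p in isolating for r in (p["spec"].get(direction.lower()) or []))


# Constructed endpoints: an in-namespace Samba pod and a cluster-external address.
ARTIST, ADMIN, INFRA = ({"user.group": g} for g in ("artist", "administration", "infra"))
SAMBA = {"ip": "10.1.0.9", "namespace": NAMESPACE,
         "labels": {"app.kubernetes.io/name": "samba-ad-samba-ad"}}
INTERNET = {"ip": "203.0.113.5"}  # no namespace key: outside the cluster

if __name__ == "__main__":
    cases = [("Ingress", ARTIST, SAMBA, 3389), ("Ingress", ARTIST, INTERNET, 3389),
             ("Egress", ARTIST, SAMBA, 445), ("Egress", ARTIST, INTERNET, 443),
             ("Ingress", ADMIN, INTERNET, 3389), ("Ingress", ADMIN, INTERNET, 22),
             ("Egress", ADMIN, SAMBA, 445), ("Egress", ADMIN, INTERNET, 443),
             ("Egress", INFRA, INTERNET, 443), ("Ingress", {}, INTERNET, 22)]
    for d, labels, peer, port in cases:
        verdict = "ALLOW" if is_allowed(d, labels, peer, port) else "DENY"
        print(f"{d:7} {labels.get('user.group', '(none)'):15} {peer['ip']:>13}:{port:<5} {verdict}")
```

Run it with no arguments to print the decision table. The `("Ingress", ARTIST, INTERNET, 3389)` row is denied, which is the discrepancy between the prose and the first `artist` manifest; the `("Ingress", {}, INTERNET, 22)` row is allowed because an unlabelled Pod is selected by none of the policies.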
To learn more about firewalls for Virtual Servers, refer to CoreWeave Cloud Native Networking (CCNN): Network Policies (Firewalls).
CoreWeave Cloud Native Networking (CCNN) is the provided networking solution for VFX Studios, and configuring Network Policies is the standard method for network security within CCNN.
At this time, CCNN does not offer a managed intrusion detection solution (IDS) or intrusion prevention system (IPS).