Enabling VM communication - Part 3

Scenario

The virtual machines exercise12-a and exercise12-b are operational with their IP addresses properly configured. However, the virtual machine exercise12-a is unable to access the application running on port 80 on exercise12-b.

  • Your task is to identify and troubleshoot the issue preventing communication between the VMs. Resolve it to restore connectivity.

The steps to fix exercise12 are:

Console

  1. Log in to the OpenShift console using the assigned user account

Username
userx
Password
{password}
  1. Go to Virtualization → Virtual Machines and select the project for the assigned user account

  1. Verify the exercise12-a virtual machine IP address

  1. Verify the exercise-12-b virtual machine IP address

  1. On the Virtualization → Virtual Machines menu, click on the exercise12-a virtual machine and open its Console. Test that communication with the exercise12-b IP on port 80 is not working

  1. On the left side menu, click on Networking → MultiNetworkPolicies

  1. Click on the deny-by-default MultiNetworkPolicy and check its YAML.

  1. On the left side menu, click on Networking → MultiNetworkPolicies, click on allow-80-on-exercise12 and check its YAML. Verify that the label under from is configured as the exercise12-b virtual machine

  1. Change it to the exercise12-a label and click Save.

  1. Test the connection from the exercise12-a virtual machine Console; it is working now.

Run grade to validate the exercise
lab grade exercise12

Command line (CLI)

  1. Log in to the OpenShift API server with the oc command using the assigned user account, if not already logged in.

OpenShift login command
{login_command}
  1. Switch to the assigned project namespace-userx

oc project namespace-userx
  1. List the virtual machines

oc get virtualmachine
  1. Get the exercise12-a IP address

oc get vmi exercise12-a -n namespace-userx \
-o jsonpath='{.status.interfaces[1].ipAddress}'
  1. Get the exercise12-b IP address

oc get vmi exercise12-b -n namespace-userx \
-o jsonpath='{.status.interfaces[1].ipAddress}'
  1. Try to access the application running on virtual machine exercise12-b using its IP and verify that it’s not working.

Do not forget to replace IP with the value obtained in step 5.
virtctl ssh lab-user@exercise12-a \
-c 'curl --silent --connect-timeout 3 http://IP'
Warning: Permanently added 'vmi/exercise12-a.namespace-userx' (ED25519) to the list of known hosts.
exit status 28
  1. Check that there are two multi-networkpolicies configured in project namespace-userx

oc get multi-networkpolicies.k8s.cni.cncf.io
  1. Verify that multi-networkpolicy deny-by-default is blocking all connections on namespace-userx

oc get multi-networkpolicies.k8s.cni.cncf.io \
deny-by-default -o yaml
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: deny-by-default
  namespace: namespace-userx
spec:
  ingress: []
  podSelector: {}
  policyTypes:
  - Ingress
  1. Check the YAML of multi-networkpolicy allow-80-on-exercise12 and verify that the label under from is configured as the exercise12-b virtual machine

oc get multi-networkpolicies.k8s.cni.cncf.io \
allow-80-on-exercise12 -o yaml
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: allow-80-on-exercise12
  namespace: namespace-userx
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          vm.kubevirt.io/name: exercise12-b
    ports:
    - port: 80
      protocol: TCP
  podSelector:
    matchLabels:
      app: exercise12
  policyTypes:
  - Ingress
  1. In this multi-networkpolicy, the label used in the podSelector under from is wrong. The correct label is vm.kubevirt.io/name: exercise12-a

apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: allow-80-on-exercise12
  namespace: namespace-userx
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          vm.kubevirt.io/name: exercise12-b   # <-- should be exercise12-a
    ports:
    - port: 80
      protocol: TCP
  podSelector:
    matchLabels:
      app: exercise12
  policyTypes:
  - Ingress
  1. Edit the multi-networkpolicy and change the label value to exercise12-a, since the virtual machine exercise12-a is the connection origin.

oc edit multi-networkpolicies.k8s.cni.cncf.io \
allow-80-on-exercise12
  1. Try to access the application running on virtual machine exercise12-b using its IP and verify that it’s working now.

Do not forget to replace IP with the value obtained in step 5.
virtctl ssh lab-user@exercise12-a \
-c 'curl --silent --connect-timeout 3 http://IP'
Warning: Permanently added 'vmi/exercise12-a.namespace-userx' (ED25519) to the list of known hosts.
Hey Hey Hey, it's working!!
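
The effect of the label change in allow-80-on-exercise12 can be reproduced offline with a small model of how the two ingress policies combine. This is an added example, not part of the lab material: it simplifies evaluation to matchLabels selectors and numeric ports, and the pod labels in PODS are constructed assumptions about what each VM's pod carries.

```python
# Added example: simplified ingress evaluation (matchLabels podSelector peers,
# single namespace, numeric ports). Not the lab's code.

# Constructed labels, assumed to be on each VM's pod.
PODS = {
    "exercise12-a": {"vm.kubevirt.io/name": "exercise12-a"},
    "exercise12-b": {"vm.kubevirt.io/name": "exercise12-b", "app": "exercise12"},
}

DENY_BY_DEFAULT = {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": []}

def allow_80(source_vm):
    """Spec of allow-80-on-exercise12 with source_vm in the 'from' selector."""
    peer = {"podSelector": {"matchLabels": {"vm.kubevirt.io/name": source_vm}}}
    return {
        "podSelector": {"matchLabels": {"app": "exercise12"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [peer], "ports": [{"port": 80, "protocol": "TCP"}]}],
    }

def selects(selector, labels):
    """An empty selector matches every pod; otherwise every matchLabel must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def rule_allows(rule, src_labels, port, protocol):
    """A rule with no 'from' or no 'ports' does not restrict that dimension."""
    peers, ports = rule.get("from"), rule.get("ports")
    peer_ok = not peers or any(
        "podSelector" in p and selects(p["podSelector"], src_labels) for p in peers)
    port_ok = not ports or any(
        p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)
    return peer_ok and port_ok

def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    """Policies are additive: once any policy selects dst, traffic passes only
    if some rule of a selecting policy allows it."""
    applicable = [p for p in policies if "Ingress" in p["policyTypes"]
                  and selects(p["podSelector"], PODS[dst])]
    if not applicable:
        return True  # pod not selected by any policy: not isolated
    return any(rule_allows(r, PODS[src], port, protocol)
               for p in applicable for r in p.get("ingress", []))

if __name__ == "__main__":
    for label in ("exercise12-b", "exercise12-a"):  # before and after the edit
        policies = [DENY_BY_DEFAULT, allow_80(label)]
        print(label, ingress_allowed(policies, "exercise12-a", "exercise12-b", 80))
```

With the corrected label only TCP port 80 from exercise12-a to exercise12-b is opened; every other ingress in the namespace stays blocked by deny-by-default.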

What you learned

In this exercise, you learned that a MultiNetworkPolicy custom resource is used to restrict communication between two virtual machines that have a secondary network attached.