feat: Add pattern for VPC CNI native network policy support (#1781)

Co-authored-by: Valentin Widmer <[email protected]>
Co-authored-by: Rodrigo Bersa <[email protected]>

docs/patterns/aws-vpc-cni-network-policy.md

@@ -0,0 +1,7 @@
+---
+title: AWS VPC CNI Network Policy
+---
+
+{%
+   include-markdown "../../patterns/aws-vpc-cni-network-policy/README.md"
+%}

patterns/aws-vpc-cni-network-policy/README.md

@@ -0,0 +1,51 @@
+# Amazon EKS Cluster w/ Network Policies
+
+This pattern demonstrates an EKS cluster that uses the native Network Policy support provided by the Amazon VPC CNI (1.14.0 or higher).
+
+- [Documentation](https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html)
+- [Launch Blog](https://aws.amazon.com/blogs/containers/amazon-vpc-cni-now-supports-kubernetes-network-policies/)
+
+## Scenario
+
+This pattern deploys an Amazon EKS Cluster with Network Policies support implemented by the Amazon VPC CNI. Further it deploys a simple demo application (distributed as a Helm Chart) and some sample Network Policies to restrict the traffic between different components of the application.
+
+For a detailed description of the demo application and the Network Policies, please refer to the Stars demo of network policy section in the official [Documentation](https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html).
+
+## Deploy
+
+See [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started/#prerequisites) for the prerequisites and steps to deploy this pattern.
+
+## Validate
+
+1. List out the pods running currently:
+
+    ```sh
+    kubectl get pods -A
+    ```
+
+    ```text
+   NAMESPACE         NAME                                       READY   STATUS    RESTARTS   AGE
+    [...]
+    client            client-xlffc                               1/1     Running   0          5m19s
+    [...]
+    management-ui     management-ui-qrb2g                        1/1     Running   0          5m24s
+    stars             backend-sz87q                              1/1     Running   0          5m23s
+    stars             frontend-cscnf                             1/1     Running   0          5m21s
+    [...]
+    ```
+
+    In your output, you should see pods in the namespaces shown in the following output. The NAMES of your pods and the number of pods in the READY column are different than those in the following output. Don't continue until you see pods with similar names and they all have Running in the STATUS column.
+
+2. Connect to the management user interface using the EXTERNAL IP of the running service and observe the traffic flow and restrictions based on the Network Policies deployed:
+
+    ```sh
+    kubectl get service/management-ui -n management-ui
+    ```
+
+    Open the browser based on the URL obtained from the previous step to see the connection map and restrictions put in place by the Network Policies deployed.
+
+## Destroy
+
+{%
+   include-markdown "../../docs/_partials/destroy.md"
+%}

patterns/aws-vpc-cni-network-policy/charts/demo-application/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

patterns/aws-vpc-cni-network-policy/charts/demo-application/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: demo-application
+description: A Helm chart to deploy the demo-application
+type: application
+version: 1.0.0

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/backend-deploy.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend 
+  namespace: stars
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      role: backend
+  template:
+    metadata:
+      labels:
+        role: backend 
+    spec:
+      containers:
+      - name: backend 
+        image: calico/star-probe:v0.1.0
+        imagePullPolicy: Always
+        command:
+        - probe
+        - --http-port=6379
+        - --urls=http://frontend.stars:80/status,http://backend.stars:6379/status,http://client.client:9000/status
+        ports:
+        - containerPort: 6379

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/backend-svc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend 
+  namespace: stars
+spec:
+  ports:
+  - port: 6379
+    targetPort: 6379 
+  selector:
+    role: backend

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/client-deploy.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: client 
+  namespace: client
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      role: client
+  template:
+    metadata:
+      labels:
+        role: client 
+    spec:
+      containers:
+      - name: client 
+        image: calico/star-probe:v0.1.0
+        imagePullPolicy: Always
+        command:
+        - probe
+        - --urls=http://frontend.stars:80/status,http://backend.stars:6379/status
+        ports:
+        - containerPort: 9000 

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/client-ns.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: client
+  labels:
+    role: client

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/client-svc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: client
+  namespace: client
+spec:
+  ports:
+  - port: 9000 
+    targetPort: 9000
+  selector:
+    role: client

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/frontend-deploy.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend 
+  namespace: stars
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      role: frontend
+  template:
+    metadata:
+      labels:
+        role: frontend 
+    spec:
+      containers:
+      - name: frontend 
+        image: calico/star-probe:v0.1.0
+        imagePullPolicy: Always
+        command:
+        - probe
+        - --http-port=80
+        - --urls=http://frontend.stars:80/status,http://backend.stars:6379/status,http://client.client:9000/status
+        ports:
+        - containerPort: 80

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/frontend-svc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend 
+  namespace: stars
+spec:
+  ports:
+  - port: 80 
+    targetPort: 80 
+  selector:
+    role: frontend

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/management-ui-deploy.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: management-ui 
+  namespace: management-ui 
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      role: management-ui
+  template:
+    metadata:
+      labels:
+        role: management-ui 
+    spec:
+      containers:
+      - name: management-ui 
+        image: calico/star-collect:v0.1.0
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 9001

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/management-ui-ns.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: management-ui 
+  labels:
+    role: management-ui

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/management-ui-svc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: management-ui 
+  namespace: management-ui 
+spec:
+  type: LoadBalancer
+  ports:
+  - port: 80 
+    targetPort: 9001
+  selector:
+    role: management-ui

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/stars-ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: stars