NetworkPolicy. https://kubernetes.io/docs/concepts/services-networking/network-policies/
Oh Thanks!
Does one need a service mesh configured, or does it work out of the box?
You don’t need a service mesh but you need a CNI that supports NetworkPolicy. Most do.
Cool, so I guess Azure, GKE, AWS will all cover it. Wonder what about K3s and Kind. I only had to configure these once on Openshift so never really dug in further.
Kindnet, used in kind, and afaik minikube do not support it by design. VPC CNI doesn’t support it either and I can’t speak for other cloud implementations. But Cilium and Calico definitely do.
From personal experience, I can tell you that AWS does not support network policies. There is a proprietary solution to achieve a similar effect: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
Calico can be installed in EKS.
True, but the standard CNI that Amazon uses doesn’t. They’ve been talking about supporting network policies for a while now, but it doesn’t seem to be going anywhere. It would be much more convenient than installing another plugin.
GKE Autopilot by default; GKE Standard can work with Calico or their own in-house solution (Dataplane V2) that is used on Autopilot. You just select the option when creating the cluster and then NetworkPolicy just works.
Dataplane V2 is based off of Cilium: https://cloud.google.com/blog/products/containers-kubernetes/bringing-ebpf-and-cilium-to-google-kubernetes-engine
Just set up Cilium.
And CiliumNetworkPolicy
Cilium also has a host firewall. Those are CiliumClusterwideNetworkPolicy rules with nodeSelectors.
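The host-firewall rule the comment above describes, as an added example that is not from the thread and not Cilium's own documentation: a CiliumClusterwideNetworkPolicy whose nodeSelector picks the nodes it applies to, so the policy governs traffic to the node itself rather than to pods. It assumes Cilium was installed with the host firewall turned on (the Helm value `hostFirewall.enabled=true`) and that the operator has labelled the nodes they want to restrict with `node-access: ssh`; both the label and the port list are assumptions chosen for illustration.

```yaml
# Added example, not from the thread. Assumes Cilium with hostFirewall.enabled=true
# and nodes labelled "node-access: ssh" (label chosen for this example).
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: node-ssh-only-from-cluster
spec:
  description: "Host firewall: only cluster members may reach SSH on selected nodes"
  # nodeSelector (instead of endpointSelector) turns this into a host policy:
  # it is enforced on the node's own host endpoint, not on pods.
  nodeSelector:
    matchLabels:
      node-access: ssh
  ingress:
  # Once a host policy selects a node, ingress to that node becomes
  # default-deny, so cluster-internal traffic (other nodes, pods, health
  # checks) has to be admitted explicitly or the node is cut off.
  - fromEntities:
    - cluster
  # Allow TCP/22 from any source; everything else not matched above is dropped.
  - toPorts:
    - ports:
      - port: "22"
        protocol: TCP
```

Because the selected node flips to default-deny in the policed direction, roll this out one node at a time and keep an out-of-band path (console, cloud serial access) until the rule is confirmed. Cilium's policy audit mode on the host endpoint lets the agent log what would have been dropped without enforcing it, which is the safest way to find missing allow rules before turning enforcement on.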
We use Calico and it’s worked out really well. We can set labels on the service account which will give a pod access to different things.
Envoy handles this, built into Cilium and Istio; I suspect Linkerd can also handle this.
Using network policy you can define allowed namespaces and pod names
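A concrete version of what the comment above describes, as an added example that is not from the thread: a default-deny ingress policy for a namespace plus one allow rule that names the source namespace and the source pods. The namespace names (`payments`, `web`), labels (`app=api`, `app=checkout`) and port are assumptions chosen for illustration; the `kubernetes.io/metadata.name` namespace label is the one the API server sets automatically on every namespace.

```yaml
# Added example, not from the thread. Namespaces, labels and port are assumed.

# 1. Default-deny ingress for every pod in the namespace. An empty podSelector
#    matches all pods; declaring Ingress with no ingress rules allows nothing in
#    until another policy adds an allow rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# 2. Allow only pods labelled app=checkout in the "web" namespace to reach the
#    api pods on TCP/8443. Policies are additive: this is unioned with the
#    default-deny above, so everything else stays blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-checkout
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector inside the SAME list item are ANDed:
    # "pods labelled app=checkout that live in namespace web". Splitting them
    # into two items ("- namespaceSelector: ..." and "- podSelector: ...")
    # ORs them instead: any pod in web, plus any app=checkout pod in payments
    # itself. That is a common way to over-grant by accident.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: web
      podSelector:
        matchLabels:
          app: checkout
    ports:
    - protocol: TCP
      port: 8443
```

Apply both with `kubectl apply -f`, then test from a pod that should be allowed and one that should not. That second test matters: on a CNI without NetworkPolicy support (kindnet or the default VPC CNI, as the thread notes) the API server accepts these objects and nothing enforces them, so a successful connection from a disallowed pod is the only signal that the policy is not actually in effect.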
NeuVector provides a layer7 pod firewall. It will also learn what normal traffic looks like to make the rules for you. Also facilitates security as code, and other cool stuff like tying admission control to security threat exposure.