I am setting up a hybrid cluster (master: CentOS, and 2 worker nodes: Windows 2019) with containerd as the runtime. I cannot use any CNI like Calico and Weave as they need Docker as the runtime. I can use Flannel, but it does not support network policies well. Is there a way to prevent inter-namespace communication of pods in Kubernetes WITHOUT using network policy?
2 Answers
Is there a way to prevent inter-namespace communication of pods in Kubernetes WITHOUT using network policy?
Network policies were created for that exact purpose, and as per the documents you need a CNI that supports them. Otherwise they will be ignored.
Network policies are implemented by the network plugin. To use network policies, you must be using a networking solution which supports NetworkPolicy. Creating a NetworkPolicy resource without a controller that implements it will have no effect.
If your only option is to use flannel for networking, you can install Calico network policy to secure cluster communications. So basically you are installing Calico for policy and flannel for networking, commonly known as Canal. You can find more details in the Calico docs.
Here's also a good answer on how to set up Calico with containerd that you might find useful for your case.
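For the "abc" / "xyz" scenario raised in the comments, this is what the policy looks like once a policy-enforcing CNI (Canal, i.e. flannel for networking plus Calico for policy, as the answer above suggests) is in place. It is an added example, not part of the original question or answers; the namespace names are taken from the comment thread and the rest (policy name, label-free selectors) is assumed. Remember the point from the Kubernetes docs quoted above: with plain flannel the API server will happily accept this object and nothing will enforce it.

```yaml
# Added example: restrict ingress in namespace "abc" to pods of "abc" itself.
# Only effective when the CNI implements NetworkPolicy (e.g. Canal); with
# flannel alone this object is stored but has no effect on traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only   # name is an assumption
  namespace: abc                    # namespace from the comment thread
spec:
  # Empty podSelector: the policy selects every pod in "abc", including the
  # sql pod. Once a pod is selected by any policy, ingress that no rule
  # allows is dropped.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # A bare podSelector (no namespaceSelector) matches pods in the policy's
    # own namespace only, so pods in "xyz" cannot reach the sql pod, while
    # pods in "abc" still can.
    - from:
        - podSelector: {}
```

A quick enforcement check after `kubectl apply -f` on this manifest: from a pod in `xyz`, try to open a TCP connection to the sql pod's service address in `abc` (for example with `kubectl exec` and a `nc`/`curl` attempt against the port). If the connection still succeeds, the CNI in use is not enforcing NetworkPolicy and you are back to the first answer's recommendation of adding Calico policy to flannel.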
As Flannel is an L2 networking solution only, and thus has no support for NetworkPolicy (L3/L4), you can implement security at the service level (any form of authorization like user/pass, certificate, SAML, OAuth etc.).
But without NetworkPolicy one will lose firewall-like security, which may not be what you want.
- Hi @bazeusz, can you please elaborate more on these options? Suppose I want the pods of the abc namespace to talk to the sql pod of the same namespace. I certainly don't want the pods of the xyz namespace to talk to the sql pod of the abc namespace. – uttara bhosale Apr 12 '21 at 11:02
- @uttarabhosale after one more thought, routing rules are no option as address allocation is dynamic; it would result in writing a plugin itself. But the second one is still valid, doable by using any form of authentication in services (user/pass, certificates etc.), but without network policies you are losing a lower level of security, which is not good. I will edit my answer to make it clearer. The reply of Thomas is definitely the way to go. – bazeusz Apr 14 '21 at 13:14