
I am setting up a hybrid cluster (master: CentOS, and 2 worker nodes: Windows 2019) with containerd as the runtime. I cannot use any CNI like Calico or Weave as they need Docker as the runtime. I can use Flannel, but it does not support network policies well. Is there a way to prevent inter-namespace communication of pods in Kubernetes WITHOUT using network policy?


Answers


  1. Is there a way to prevent inter-namespace communication of pods in Kubernetes WITHOUT using network policy?

    Network policies were created for that exact purpose, and as per the documents you need a CNI that supports them. Otherwise they will be ignored.

    Network policies are implemented by the network plugin.
    To use network policies, you must be using a networking solution which
    supports NetworkPolicy. Creating a NetworkPolicy resource without a
    controller that implements it will have no effect.

    If your only option is to use flannel for networking, you can install Calico network policy to secure cluster communications. So basically you are installing Calico for policy and flannel for networking, commonly known as Canal. You can find more details in the Calico docs.

    Here's also a good answer on how to set up Calico with containerd that you might find useful for your case.

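The isolation the question asks for, expressed as a NetworkPolicy, as an added example that is not part of the answer above. It assumes a policy-capable CNI such as the Canal combination the answer describes is installed (on plain flannel the object is accepted by the API server but enforced by nothing, exactly as the quoted docs warn); the namespace names are constructed, and the `kubernetes.io/metadata.name` label used in the second policy is the one Kubernetes applies to every namespace automatically from 1.22 onward.

```yaml
# Policy 1: isolate the "team-a" namespace (constructed name) from all other
# namespaces. Apply one copy per namespace you want to isolate.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
  namespace: team-a
spec:
  # An empty podSelector selects every pod in the namespace.
  podSelector: {}
  policyTypes:
    - Ingress          # only ingress is restricted; egress stays open
  ingress:
    - from:
        # A bare podSelector (no namespaceSelector) matches pods in the
        # policy's OWN namespace only, so same-namespace traffic keeps
        # flowing while ingress from any other namespace is dropped.
        - podSelector: {}
---
# Policy 2 (optional): additionally allow a single trusted namespace,
# e.g. the one running your ingress controller (constructed name below).
# Policies are additive: a connection is allowed if ANY policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-namespace
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # Auto-set namespace label (assumes Kubernetes 1.22+);
              # on older clusters label the namespace yourself first.
              kubernetes.io/metadata.name: ingress-system
```

After `kubectl apply -f`, `kubectl get networkpolicy -n team-a` lists both objects whether or not the CNI enforces them, so the real check is a connectivity test from a pod in another namespace (for example `kubectl exec` with `curl` or `wget` against a team-a service), which should time out once enforcement is active.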
  2. As Flannel is an L2-only networking solution, and thus has no support for NetworkPolicy (L3/L4), you can implement security on the service level (any form of authorization like user/pass, certificate, SAML, OAuth etc.).

    But without NetworkPolicy one will lose firewall-like security, which may not be what you want.
