I'm trying to isolate services from one another.

Suppose ops-human has a bunch of mysql stores running on Google Container Engine, and dev-human has a bunch of node apps running on the same cluster. I do NOT want dev-human to be able to access any of ops-human's mysql instances in any way.

Simplest solution: put both of these in separate subnets. How do I do such a thing? I'm open to other implementations as well.

Peter Klipfel
  • If you put them in different [namespaces](http://kubernetes.io/docs/admin/namespaces/), is the problem solved? – caesarxuchao Jun 23 '16 at 06:24
  • @caesarxuchao Namespaces protect against user errors (or just handy configuration) like naming every database just "db". Then the local "db" in that namespace will be found. However, if you use a FQDN and you have a flat network like Kubernetes uses, you could access a different resource outside of your namespace. Best is never to have dev and ops running on the same cluster: what if dev produces some new code which pushes out the resources ops requires? – Norbert Jun 23 '16 at 06:46

2 Answers

The Kubernetes Network-SIG team has been working on the network isolation issue for a while, and there is an experimental API in Kubernetes 1.2 to support this. The basic idea is to provide network policy on a per-namespace basis. A third-party network controller can then react to changes to resources and enforce the policy. See the last blog post about this topic for the details.

EDIT: This answer is more about open-source Kubernetes, not GKE specifically.

Yu-Ju Hong

The NetworkPolicy resource is now available in GKE in alpha clusters (see latest blog post).

Perspectivus
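The per-namespace isolation both answers describe, written out as an added example (not from either answer or from the Kubernetes project). It uses the stable `networking.k8s.io/v1` NetworkPolicy API, which is the successor of the experimental 1.2 API the first answer refers to. Assumed: two namespaces named `ops` and `dev`, MySQL pods in `ops` labelled `app: mysql`, and a cluster network plugin that actually enforces NetworkPolicy.

```yaml
# Added example: isolate ops-human's MySQL pods from dev-human's apps.
# Assumptions (not from the original post): namespaces "ops" and "dev",
# MySQL pods labelled app=mysql, and an enforcing network plugin.
apiVersion: v1
kind: Namespace
metadata:
  name: ops
  labels:
    team: ops
---
apiVersion: v1
kind: Namespace
metadata:
  name: dev
  labels:
    team: dev
---
# Default-deny ingress for every pod in "ops". Once any policy selects
# a pod, that pod only accepts traffic explicitly allowed by some policy,
# so this closes the flat-network FQDN path mentioned in the comments.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: ops
spec:
  podSelector: {}          # all pods in the "ops" namespace
  policyTypes:
    - Ingress
---
# Re-open MySQL (TCP 3306) only to pods in the same namespace.
# A "from" entry with just a podSelector and no namespaceSelector is
# scoped to the policy's own namespace, so "dev" pods stay excluded.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mysql-allow-same-namespace
  namespace: ops
spec:
  podSelector:
    matchLabels:
      app: mysql           # assumed label on the MySQL pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}  # any pod in "ops", nothing from other namespaces
      ports:
        - protocol: TCP
          port: 3306
```

Apply it with `kubectl apply -f <file>`. Two checks are worth doing after applying: first, confirm the cluster's network plugin enforces NetworkPolicy at all (the API server accepts these objects even when nothing enforces them, which is exactly the "third-party network controller" dependency the first answer points out; on GKE this means creating the cluster with network policy enabled); second, from a pod in `dev`, attempt a TCP connection to the MySQL service's FQDN (for example `mysql.ops.svc.cluster.local:3306`) and verify it times out, while the same connection from a pod in `ops` succeeds. If a specific namespace later needs legitimate access, add a `from` entry with a `namespaceSelector` matching that namespace's label rather than widening the `podSelector`.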