
I have been experimenting with k8s/kops/aws suite.

So far things have been going pretty well (except an issue when updating cluster via kops)

I want to be able to make use of my existing resources/cluster and deploy 2 flavors of my app (i.e. production and testing) in the same cluster.

I would like to be on the safe side and maximize as much as possible the isolation between the k8s resources of those two deployments.

Definitely they're going on different namespaces.

From some investigation I have found out that I need to also apply NetworkPolicy to prevent inter-namespace communication; however applying NetworkPolicy resources requires a supporting networking solution (currently using kubenet, the default of kops which doesn't).

What is the solution/plugin to go for?

Just want (at least for the time being) the level of isolation described above which I assume can be achieved via NetworkPolicy even if there is a common CIDR for all pods (just saying that to emphasise that there is a need for just the simplest possible networking solution that achieves that, nothing more fancy with multiple CIDRs etc).

Ideally I would like to be able just to use NetworkPolicy resource for some namespace-based (namespaceSelector) and pod-based (podSelector) ingress rules and that's it (?)

pkaramol
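The kind of policy set the question is after, as an added example (not part of the original question): one default-deny on ingress per namespace, one rule that re-admits traffic from the same namespace, and one optional namespaceSelector rule for a shared namespace. Namespace names (`production`, `testing`, `monitoring`), the labels `env=monitoring` and `app=myapp`, and port 9100 are assumptions for illustration; NetworkPolicy is only enforced once a policy-capable CNI (Calico, Weave Net) is running, under kubenet the objects are accepted by the API server and silently ignored.

```yaml
# Added example, not from the original post. Names and labels are assumptions.
# Apply with: kubectl apply -f isolation.yaml
# Repeat policies 1 and 2 with "namespace: testing" to isolate the other side.

# 1. Deny all ingress to every pod in "production". Only Ingress is listed in
#    policyTypes, so egress is untouched: pods still reach kube-dns in
#    kube-system (which has no policy of its own) and the outside world.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}          # empty selector = every pod in this namespace
  policyTypes:
  - Ingress                # no "ingress:" rules given, so nothing is allowed
---
# 2. Allow pods in "production" to talk to each other. A podSelector inside
#    "from" with no namespaceSelector matches pods in *this* namespace only,
#    so "testing" pods stay blocked even though they share the pod CIDR.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
---
# 3. Optional: admit one other namespace by label, e.g. a shared monitoring
#    namespace scraping a metrics port. The source namespace must carry the
#    label first:  kubectl label namespace monitoring env=monitoring
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-monitoring
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: myapp           # assumed pod label; keep this as narrow as possible
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          env: monitoring  # assumed namespace label
    ports:
    - protocol: TCP
      port: 9100           # assumed metrics port
```

Policies in a namespace are additive: a pod is reachable if any policy selecting it allows the connection, so the deny-all and the allow rules above combine into "same namespace plus monitoring, nothing else". Two practical checks: `kubectl get networkpolicy -n production` should list all three, and a `kubectl exec` from a pod in `testing` to a `production` service should time out rather than connect; if it connects, the CNI is not enforcing policy. Do not put a default-deny on `kube-system` without an explicit allow for DNS, or name resolution breaks cluster-wide.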

1 Answer


On my kops clusters I use weave networking (also I provision them as private topology, which excludes kubenet anyway). So my first suggestion would be to go with a different networking, weave and calico being first ones coming to my mind.

Other than that, you might want to look into a service mesh solution like Istio which can leverage NetworkPolicies as well (some istio policy reading)

Radek 'Goblin' Pieczonka
  • I also assume you use bastion for ssh-ing into your cluster since you are on a private topology? – pkaramol Jan 11 '18 at 09:51
  • indeed bastion it is – Radek 'Goblin' Pieczonka Jan 11 '18 at 09:54
  • pls allow me an additional question: `weave` is used just to support the enforcement of `NetworkPolicy`? is it considered a bad practice if I spin up my cluster with `weave` **just** to be able to enforce `NetworkPolicy`? (I am asking cause I assume any network solution is meant to do much more things than just enabling `NetworkPolicy`, right?) – pkaramol Jan 11 '18 at 10:19
  • all my cross-pod communication goes via weave, NetworkPolicy support is sort of a side effect for me. Private topology enforces use of a different networking solution than kubenet so I had to choose anyway. And in other setups I use weave's ability to establish encrypted peer channels over public networks (no use for it in pure kops/aws, but I have some hybrid) – Radek 'Goblin' Pieczonka Jan 11 '18 at 10:29
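The kops cluster spec fields that the answer's suggestion boils down to, as an added example (not the answerer's own configuration): a private topology with a bastion, and a NetworkPolicy-capable CNI selected under `spec.networking`. The cluster name and CIDRs are assumptions.

```yaml
# Added example, not from the answer above. Cluster name and CIDRs are assumed.
# View or edit the spec of an existing cluster with:
#   kops edit cluster my.cluster.example.com
apiVersion: kops/v1alpha2
kind: Cluster
metadata:
  name: my.cluster.example.com
spec:
  topology:
    masters: private
    nodes: private          # private topology rules out kubenet on its own
    bastion:
      bastionPublicName: bastion.my.cluster.example.com
  networking:
    calico: {}              # or "weave: {}"; the kops default is "kubenet: {}"
  networkCIDR: 10.0.0.0/16        # VPC CIDR
  nonMasqueradeCIDR: 100.64.0.0/10 # pod/service range, shared by both namespaces
```

The equivalent at creation time is `kops create cluster --networking calico --topology private --bastion ...`. kops treats the networking provider as fixed at cluster creation, so moving an existing kubenet cluster to Calico or Weave is not a plain `kops update cluster`; check the kops networking docs for your version before attempting it on a cluster you care about. Either CNI gives you the same `networking.k8s.io/v1` NetworkPolicy semantics, so the choice does not affect how the namespaceSelector and podSelector rules are written.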