Kubernetes Network Policies Explained
Vložit
- čas přidán 2. 06. 2024
- What are Kubernetes Network Policies and how to use them? In this video, I'll show you how to use Kubernetes Network Policies to restrict access between Pods. I'll also show you the pros and cons of k8s Network Policies.
#kubernetes #k8s #kubernetesnetworking
Consider joining the channel: / devopstoolkit
▬▬▬▬▬▬ 🔗 Additional Info 🔗 ▬▬▬▬▬▬
➡ Gist with the commands: gist.github.com/vfarcic/f6762...
🔗 Kubernetes Network Policies: kubernetes.io/docs/concepts/s...
▬▬▬▬▬▬ 💰 Sponsoships 💰 ▬▬▬▬▬▬
If you are interested in sponsoring this channel, please use calendly.com/vfarcic/meet to book a timeslot that suits you, and we'll go over the details. Or feel free to contact me over Twitter or LinkedIn (see below).
▬▬▬▬▬▬ 👋 Contact me 👋 ▬▬▬▬▬▬
➡ Twitter: / vfarcic
➡ LinkedIn: / viktorfarcic
▬▬▬▬▬▬ 🚀 Other Channels 🚀 ▬▬▬▬▬▬
🎤 Podcast: www.devopsparadox.com/
💬 Live streams: / devopsparadox
▬▬▬▬▬▬ ⏱ Timecodes ⏱ ▬▬▬▬▬▬
00:00 Introduction To Kubernetes Network Policies
04:07 What Are Kubernetes Network Policies?
06:12 Applications Without Network Policies
08:13 Kubernetes Network Policies In Action
15:20 Pros And Cons Of Kubernetes Network Policies - Věda a technologie
Are you applying Kubernetes Network Policies?
Yes sir
Great explanation, great communicating skills. This video is just great, it shows how things should be explained, first presents the problem in a clear and relatable manner and then presents the solution in clear technical terms. Subscribed.
Thank you, thank you, thank you!!! This video is GOLD! The main treasure discovered at 8:32
This is great, but if you segment applications and DBs at infrastructure level layer 3, you can use NACLs and NSGs to ensure that the DB only ever accepts connections from a specific IP segment and port number. Products like Cillium are great provided you have an underlay of L3/L4 segments ( that we can call 'macro-segementation') governed by firewalls applying ingress and egress policies. These policies should not be accessible by developers. As long as microServices are architected to perform web, middleware, business logic and DB roles, you can segement. Cillium can be used as a microsegnentation over a macro-segmented environment. Developers can then be given freedom to microsegment using Ciliium. This approach provides governance, delivers separation of duties and provides a level assurance over misconfiguration errors.
great tip you gave that the namespaceSelector to be set to kube-system for ingress controller!
This video is amazing! I love the examples
Loved it! GREAT JOB!!
My god the much awaited video is here....❤
I'm okay with "Connection Refused! Why? You figure it out!" alongside extremely clear boundaries where we everyone can be absolutely certain there is no reason to hop across, accompanied by other means of identifying what's going on if for some reason someone didn't get the memo. Otherwise, I want it to be easy to diagnose the problem and solve it the right way. This can be solved with great docs or visualization tools, or clear error messages closer to the application layer. Hasty, over-permissive solutions often emerge from frustrated devs. That's what scares me a little about Network Policies, but I do think they have their use-cases.
One really good use-case for this, I think, is multi-tenancy.
Google is working on separate branch where they provide NP with hostname restriction capabilities, layer 7 🎉
Thanks for the great explanation!! What would be a better offering in terms of applying network policies - Managed Network policy (e g Calico Enterprise) or an open source version implementation?
I rarely used enterprise version of an open source networking solution so I'm not sure what the differences are.
thanks for your amazing videos, you're really great!
What are you using for creating your diagrams, they're so nice!
I have an agency that does editing, animations, audio, etc.
Thanks ❤
Hi Viktor i would love see video about Paralus or diffrent centralized platform to manage multiple clusters with zero trust concept.
Adding it to my to-do list....
Thanks for the great video!
I thought, altho haven't played with it myself yet, that OPA Gatekeeper could also be used to limit who can access what. Is there a reason to avoid managing network policies with OPA?
OPA is first and foremost about policies that verify whether resources are defined correctly rather than enforcing networking rules. You could do it though, but that would not be a good idea and would be very limiting.
@@DevOpsToolkit Sounds good. Thank you!
Excellent video. Stupid question may be - Can you somehow select podselector to use IP addresses instead of labels ? Sorry I came from cisco NACL background :D
If it's for internal communication (within a cluster), IPs would not help much since they are changing allí the time since pods are being created and destroyed all the time.
@@DevOpsToolkit Make sense. Thanks !
I am seeing traffic is blocked from external even after adding kube-system in ingress but when I add ipblock 0.0.0.0/0 it allows but it is opened for external and internal, how can i resolve it?
It's hard for me to answer such a question without take a look at it first.
Am I the only one who cannot get the ingress rule to work with Cilium? Also Viktor, you missed the namespaces definition in the gist/repo. My guess is the namespaces have the label environment=production and environment=staging.
Oh my. I did forget to push namespaces.yaml. Can you make a PR if you have them at hand?
I haven't had problems making ingress work with cilium. It might be something else that's failing. We can do screen sharing session and take a look at it together. However, I'll be traveling for the most of June so it would have to be aonth from now 😔
@@DevOpsToolkit Thanks for your reply!
I just made the PR.
As for the screensharing offer, I can wait. In fact it gives me time to try to debug the problem myself. But I must warn you. My spoken English is very weak :-)
@nbensa no worries about your English. I don't speak it natively either.
Send me a direct message on LinkedIn or Twitter and I'll get back to you with a calendar link. You can choose any time available there.
can a pod access other pods without using services?
Assuming that there are no additional protections, yes. A pod can access anything as long as it knows how to find it. It would need to know the IPs of those Pods or to go out and come back in through a DNS and a load balancer. There would have to be a very good reasons NOT to use Services.
is there any SRE training from Zero to Hero ?
It's a long road that starts with Linux and a programming language of choose, continues towards Cloud and Kubernetes, and never ends.
--image alpine/curl ;)
True. Sometimes I make silly mistakes often caused by lazyness.
@@DevOpsToolkit oh to me this is not even a mistake, sorry if it sounded like that. I'm studying for the CKA so I'm a bit crazy about saving time, it was automatic hehe ;P
BTW, thank you for the great content you make!
...last? 😅
First ...😄
Is there a way to apply such policies as egress to my wife ? 🙄