GitHub - openshift/multus-networkpolicy: Kubernetes NetworkPolicy for secondary...
source link: https://github.com/openshift/multus-networkpolicy
# multi-networkpolicy-iptables

multi-networkpolicy implementation with iptables

## Current Status of the Repository

The project is under active development and is not yet stable. Bug reports and feature requests are welcome.
## Description

Kubernetes provides Network Policies for network security. Currently net-attach-def does not support Network Policies, because net-attach-def is a CRD (a user-defined resource outside of core Kubernetes). multi-networkpolicy implements Network Policy functionality for net-attach-def by means of iptables, and so provides network security for net-attach-def networks.
## Quickstart

Install the MultiNetworkPolicy CRD into Kubernetes.

```console
$ git clone https://github.com/k8snetworkplumbingwg/multi-networkpolicy
$ cd multi-networkpolicy
$ kubectl create -f scheme.yml
customresourcedefinition.apiextensions.k8s.io/multi-networkpolicies.k8s.cni.cncf.io created
```

Deploy multi-networkpolicy-iptables into Kubernetes.

```console
$ git clone https://github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables
$ cd multi-networkpolicy-iptables
$ kubectl create -f deploy.yml
clusterrole.rbac.authorization.k8s.io/multi-networkpolicy created
clusterrolebinding.rbac.authorization.k8s.io/multi-networkpolicy created
serviceaccount/multi-networkpolicy created
daemonset.apps/multi-networkpolicy-ds-amd64 created
```
## Requirements

This project leverages the `iptables` and `ip6tables` commands to do its work. Hence, the `ip_tables` and `ip6_tables` kernel modules need to be loaded on the container host:

```console
# modprobe ip_tables ip6_tables
```
## Configurations

See Configurations.
(TBD)
## MultiNetworkPolicy DaemonSet

MultiNetworkPolicy creates a DaemonSet that runs multi-networkpolicy-iptables on each node. multi-networkpolicy-iptables watches MultiNetworkPolicy objects and creates iptables rules in the pod's network namespace, not on the container host; these iptables rules filter packets on the pod's interface according to the MultiNetworkPolicy.
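To make that mechanism concrete, here is an added illustrative model written for this page; it is not code from the multi-networkpolicy-iptables project. It takes a simplified ingress policy (the struct fields, the `MULTI-INGRESS-*` chain name and the rule layout are assumptions chosen to mirror the NetworkPolicy ingress shape, not the project's real implementation) and renders the kind of iptables rule set such a policy yields inside a pod's network namespace, hooked only onto the secondary interface so traffic on the cluster interface is untouched. It also evaluates a single inbound packet against the policy the way the chain would be walked, which is useful for reasoning about what a given policy actually permits before deploying it.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Assumed, simplified shape of a MultiNetworkPolicy ingress rule. The real
// CRD mirrors the Kubernetes NetworkPolicy spec; field names here are
// illustrative only.
type Port struct {
	Protocol string // "tcp" or "udp"
	Port     int
}

type IngressRule struct {
	FromCIDRs []string // allowed source CIDRs (ipBlock-style peers)
	Ports     []Port   // allowed destination ports; empty means any port
}

type Policy struct {
	Name      string
	Interface string        // pod-side secondary interface, e.g. "net1"
	Ingress   []IngressRule // empty: isolate the pod, allow nothing in
}

// RenderIngressRules models the rule set a per-pod ingress policy produces
// in the pod's network namespace: a dedicated chain, a jump into it only for
// packets arriving on the policy's interface, ACCEPT for each allowed
// peer/port combination, and a terminal DROP for everything else. Only the
// IPv4 (iptables) side is modelled; an ip6tables counterpart would be
// rendered the same way. Chain naming is an assumption of this example.
func RenderIngressRules(p Policy) []string {
	chain := "MULTI-INGRESS-" + strings.ToUpper(p.Name)
	rules := []string{
		fmt.Sprintf("-N %s", chain),
		// Traffic on the cluster interface (eth0) never enters this chain.
		fmt.Sprintf("-A INPUT -i %s -j %s", p.Interface, chain),
		// Replies to connections the pod itself opened stay allowed.
		fmt.Sprintf("-A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT", chain),
	}
	for _, r := range p.Ingress {
		for _, cidr := range r.FromCIDRs {
			if len(r.Ports) == 0 {
				rules = append(rules, fmt.Sprintf("-A %s -s %s -j ACCEPT", chain, cidr))
				continue
			}
			for _, pt := range r.Ports {
				rules = append(rules, fmt.Sprintf("-A %s -s %s -p %s --dport %d -j ACCEPT",
					chain, cidr, pt.Protocol, pt.Port))
			}
		}
	}
	// Default-deny: anything not explicitly allowed on this interface is dropped.
	rules = append(rules, fmt.Sprintf("-A %s -j DROP", chain))
	return rules
}

// Allows evaluates the policy for one inbound packet description the way
// the kernel walks the rendered chain: first matching ACCEPT wins, and the
// trailing DROP catches everything unmatched. Unparseable input is denied.
func Allows(p Policy, srcIP string, proto string, port int) bool {
	ip := net.ParseIP(srcIP)
	if ip == nil {
		return false
	}
	for _, r := range p.Ingress {
		for _, cidr := range r.FromCIDRs {
			_, ipnet, err := net.ParseCIDR(cidr)
			if err != nil || !ipnet.Contains(ip) {
				continue
			}
			if len(r.Ports) == 0 {
				return true
			}
			for _, pt := range r.Ports {
				if pt.Protocol == proto && pt.Port == port {
					return true
				}
			}
		}
	}
	return false
}

func main() {
	// Constructed sample: only 192.168.10.0/24 may reach TCP/8080 on net1.
	p := Policy{
		Name:      "web-allow",
		Interface: "net1",
		Ingress: []IngressRule{{
			FromCIDRs: []string{"192.168.10.0/24"},
			Ports:     []Port{{Protocol: "tcp", Port: 8080}},
		}},
	}
	for _, r := range RenderIngressRules(p) {
		fmt.Println(r)
	}
	fmt.Println(Allows(p, "192.168.10.5", "tcp", 8080)) // true
	fmt.Println(Allows(p, "192.168.20.5", "tcp", 8080)) // false
}
```

A policy with an empty `Ingress` list renders only the jump, the conntrack rule and the DROP, which is the isolating "deny all inbound" case; note that the jump is keyed on the interface name, so a policy attached to `net1` leaves `eth0` and any other interface in the same namespace unfiltered.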
- Bugfixing
- IPv6 support
- (TBD)
## Contact Us

For any questions about Multus CNI, feel free to ask a question in #general in the NPWG Slack, or open up a GitHub issue. Request an invite to NPWG slack here.