
NetworkPolicies

In NETWAYS Managed Kubernetes clusters with Cilium configured as the Container Networking Interface (CNI) you can secure traffic using NetworkPolicies.

In clusters with flannel configured as the CNI this is not possible, because flannel does not implement NetworkPolicies: the API accepts NetworkPolicy objects, but nothing enforces them.

Use Cases

If you want to protect access to applications in the cluster over the network and only allow the required traffic, NetworkPolicies are the tool of choice.

They act as a firewall and enable you to restrict access to specific applications, ports, and protocols.

A simple NetworkPolicy can look like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-namespaces
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchExpressions:
              - key: namespace
                operator: In
                values: ["frontend", "backend"]

This NetworkPolicy allows all Pods labeled app=myapp to send traffic to Pods in namespaces that carry the label namespace=frontend or namespace=backend (the selector matches namespace labels, not namespace names). Because the policy selects these Pods for the Egress policy type, all other egress from them, including DNS lookups, is denied unless another policy allows it.

CiliumNetworkPolicies

In addition to the Kubernetes NetworkPolicy implementation, Cilium provides its own custom resource (CR) with extra functionality: CiliumNetworkPolicies.

Additional capabilities include:

  • Inspection of traffic at L7
  • Inspection of DNS traffic
  • Network rules at the node level
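As an added example (not from the NETWAYS documentation), the following CiliumNetworkPolicy covers the same app=myapp Pods as the NetworkPolicy above but additionally allows DNS resolution via kube-dns with DNS inspection, egress to a single external name, and HTTP egress to a backend namespace filtered at L7. The namespace default, the labels on the backend Pods, the name api.example.com and port 8080 are assumed.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: myapp-egress-l7
  namespace: default            # assumed namespace of the app=myapp Pods
spec:
  endpointSelector:
    matchLabels:
      app: myapp
  egress:
    # 1. DNS to kube-dns in kube-system. The dns rule turns on L7 inspection
    #    of queries and is required for the toFQDNs rule below to learn
    #    which IPs a name resolves to.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"     # inspect every query; narrow in production
    # 2. HTTPS to one external name only (assumed); IPs come from the DNS proxy.
    - toFQDNs:
        - matchName: "api.example.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
    # 3. HTTP to the backend namespace (assumed labels), filtered at L7:
    #    only GET requests under /api/v1/ are forwarded, everything else
    #    is rejected by the Cilium proxy with HTTP 403.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: backend
            app: api
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/api/v1/.*"
```

Denied DNS queries and HTTP requests show up in the Cilium flow logs, which makes this a useful way to verify the policy before tightening it further.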

For more information, see the official Cilium documentation.
Our MyEngineers® can also help you.

Further Information