Network Policies in AKS #435
Comments
How do you plan to apply network policies? An AKS cluster can be deployed in a single VNET/subnet only. Network policy support is planned with Calico. You can use kube-router today if you wish.
Currently we are planning to use ACS-engine with Calico. When can we expect this feature in AKS?
- Santosh
… On Jun 16, 2018, at 8:01 PM, Saurya Das ***@***.***> wrote:
Calico
Any update to the timeframe for Calico support with AKS? It is our preferred network policy implementation
Targeting Q3 CY 2018
@sauryadas Can you elaborate if this will support the Azure network plugin with advanced networking?
@sauryadas I'm using kubenet - calico, but it seems that NetworkPolicies have no effect. Are they supposed to work already?
Could we have a clear status on this feature please? Thanks
@MCKLMT just to be precise, currently AKS does not support calico network policy with kubenet (even though the docs say so). If you do not add it, the cluster creation command (arms template) outputs calico as the policy. However, it does not seem to be true, since any network policies I've created do not have any effect. But I guess it's coming...
@sauryadas Could you give us more details about the support of network policies on AKS please?
@MCKLMT Need another 4-6 weeks for the network policy integration with Calico. Will post an update when it is ready
And what about kube-router?
I believe kube-router should work but we haven't tested it extensively.
Some guys reported that the network policies on kube-router are not working properly.
@sauryadas - is this something that can be prioritized? This is one of the must-haves we need to pass through from the infosec standpoint to secure pod to pod communication or namespace to namespace communication
@sauryadas Any update?
End of Nov. Apologies for the delay.
@sauryadas We are at the end of the month. Any update?
@sauryadas network policies still planned for end of Nov? Or any new dates?
@sauryadas -- we're now into December, any updates on the ETA for this?
Would be (more than) nice to see this in AKS before the end of the year.
@sauryadas Can you give feedback about the current state of implementation? We are thinking of postponing implementing kube-router for isolation in favour of the officially supported feature.
The feature is basically complete, but as we are entering a holiday release freeze, it may not roll out until early January.
@seanmck that's not good news :(. May we know whether this would be based on calico / kube-router? Regards
Hello @seanmck, @badalk Do you really think so? For me this is great news as it means that there's progress and open communication. @sauryadas has already given an answer to your question: it will be based on Calico and can be used with Advanced Networking.
@yves-vogl I did not mean that it's bad news for the community. In my context it is, as we have a release planned before holidays and were expecting this to be available anytime soon. Have a great holiday all
@badalk No worries. We certainly understand that it is frustrating when dates aren't hit. We will get this out as soon as we can.
@seanmck any details on AKS update deployment strategy over the different regions?
@seanmck Sorry for possibly a stupid question, but are you looking forward to making calicoctl tool available for end users of AKS? I guess yes, since the users have access to K8S API in K8S, but would like to double check nevertheless.
Hi there @seanmck! Happy holidays! Any updates on when it will be available? So looking forward to have this available in AKS. Thanks
I am facing the same issue, kube-router deployed as a daemonset does not seem to work very well with standard network policies. I am able to deny all traffic but if I allow traffic from other pods, it does not work
@seanmck, I too would like to know the status of the Calico rollout for AKS. We're planning to work on some projects that require Network Policies, and I'm not sure if I should shuffle our schedule around to delay these. I notice that the roadmap page lists this feature as "In Development" as of January 28th, but from your note above, I assumed it would be released around this time. Does "In Development" mean we can enable it with a feature flag (so we can continue our own development that relies on this) or does it mean that it will be released shortly?
For anyone watching, it looks like Calico is available today in 1.12.4, which you should see as an available version now in AKS. It is a preview feature and unsupported. This is mentioned in the new change log document: https://github.com/Azure/AKS/blob/master/CHANGELOG.md I previously asked if it would support Azure CNI implying existing clusters #435 (comment), it doesn't look like that support exists yet. New clusters only with the Calico CNI.
And here is the official documentation
How long will this be in preview? Looking at when it will be in a release state and ready for production use. Thanks!
Already supported and preview flag removed, see the documentation at https://docs.microsoft.com/en-us/azure/aks/use-network-policies.
We have hardened network policy requirements for a certain group of K8S pods. Can I install AKS on multiple VNETs and attach it to a namespace? OR Does AKS support advanced network policies?
Example - Stateful pods should not have an outbound connection, some communication pods can make internet connections, some pods allow a peer to peer communication for replication across the region.
How do we support these requirements with AKS?
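The three requirements in the question above (no outbound traffic for stateful pods, internet egress for communication pods, peer-to-peer replication), written as standard Kubernetes NetworkPolicy manifests. This is an added example, not from the thread or the AKS documentation; the namespace `demo`, the labels and port 7000 are assumptions.

```yaml
# Added example; namespace "demo", all labels and port 7000 are assumptions.
# 1) Stateful pods: selected for Egress with no egress rules, so all outbound is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: stateful-deny-egress, namespace: demo}
spec:
  podSelector: {matchLabels: {tier: stateful}}
  policyTypes: [Egress]
---
# 2) Communication pods: may reach public addresses and cluster DNS only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: comms-allow-internet, namespace: demo}
spec:
  podSelector: {matchLabels: {tier: comms}}
  policyTypes: [Egress]
  egress:
    - to:                    # public addresses only; private ranges stay blocked
        - ipBlock:
            cidr: 0.0.0.0/0
            except: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
    - to:                    # DNS lookups against pods in any namespace
        - namespaceSelector: {}
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
---
# 3) Replication pods: accept connections only from other replica pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: replica-peer-ingress, namespace: demo}
spec:
  podSelector: {matchLabels: {app: replica}}
  policyTypes: [Ingress]
  ingress:
    - from:                  # same-namespace pods carrying the replica label
        - podSelector: {matchLabels: {app: replica}}
      ports:
        - {protocol: TCP, port: 7000}
```

As the comments above report, these objects have no effect unless the cluster runs a network policy engine such as Calico. A `podSelector` only matches pods in the same cluster, so replication peers in another region would have to be allowed by `ipBlock` instead.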