multi-networkpolicy implementation with iptables
This project is under active development and is not stable yet. Bug reports and feature requests are welcome.
Kubernetes provides Network Policies for network security. Currently net-attach-def does not support Network Policies, because net-attach-def is a CRD (a user-defined resource outside of core Kubernetes). multi-networkpolicy implements Network Policy functionality for net-attach-def networks using iptables, and so provides network security for net-attach-def networks.
Install MultiNetworkPolicy CRD into Kubernetes.
$ git clone https://github.com/k8snetworkplumbingwg/multi-networkpolicy
$ cd multi-networkpolicy
$ kubectl create -f scheme.yml
customresourcedefinition.apiextensions.k8s.io/multi-networkpolicies.k8s.cni.cncf.io created
Deploy multi-networkpolicy-iptables into Kubernetes.
$ git clone https://github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables
$ cd multi-networkpolicy-iptables
$ kubectl create -f deploy.yml
clusterrole.rbac.authorization.k8s.io/multi-networkpolicy created
clusterrolebinding.rbac.authorization.k8s.io/multi-networkpolicy created
serviceaccount/multi-networkpolicy created
daemonset.apps/multi-networkpolicy-ds-amd64 created
This project leverages the iptables and ip6tables commands to do its work. Hence, the ip_tables and ip6_tables kernel modules need to be loaded on the container host:
# modprobe ip_tables ip6_tables
See Configurations.
(TBD)
MultiNetworkPolicy creates a DaemonSet that runs multi-networkpolicy-iptables on each node. multi-networkpolicy-iptables watches MultiNetworkPolicy objects and creates iptables rules inside the pod's network namespace, not on the container host; those iptables rules filter packets on the net-attach-def interface according to the MultiNetworkPolicy.
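As an added example (not from this README), here is a MultiNetworkPolicy that allows ingress on the secondary network of pods labelled role=db only from pods labelled role=frontend on TCP/6379. The apiVersion and the k8s.v1.cni.cncf.io/policy-for annotation are assumed from the upstream multi-networkpolicy API (verify both against scheme.yml), and the net-attach-def name macvlan-net1 is a placeholder.

```yaml
# Added example, not from this README. Assumes the upstream multi-networkpolicy
# API (apiVersion k8s.cni.cncf.io/v1beta1 and the policy-for annotation);
# verify both against the CRD in scheme.yml. "macvlan-net1" is a placeholder
# net-attach-def name.
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: db-ingress-on-macvlan
  namespace: default
  annotations:
    # Which net-attach-def this policy applies to. The iptables rules are
    # installed in each selected pod's network namespace for that interface
    # only; the pod's primary (cluster) interface is unaffected.
    k8s.v1.cni.cncf.io/policy-for: macvlan-net1
spec:
  # Pods selected here must also be attached to macvlan-net1 through the
  # k8s.v1.cni.cncf.io/networks annotation on the pod.
  podSelector:
    matchLabels:
      role: db
  # Only Ingress is listed, so egress from the db pods stays unrestricted.
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
```

Because the rules live in the pod's network namespace, check them from inside that namespace (for example by entering it with nsenter -n and running iptables -S) rather than by listing rules on the host, where they will not appear.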
- Bugfixing
- IPv6 support
- (TBD)
For any questions about Multus CNI, feel free to ask in #general in the NPWG Slack, or open a GitHub issue. Request an invite to the NPWG Slack here.