
kubernetes: intra-cluster isolation of applications

I have been experimenting with the k8s / kops / aws suite.

So far things have been going pretty well (except for an issue when updating the cluster via kops).

I want to be able to make use of my existing resources/cluster and deploy 2 flavors of my app (i.e. production and testing) in the same cluster.

I would like to be on the safe side and maximize as much as possible the isolation between the k8s resources of those two deployments.

Definitely they're going on different namespaces.

From some investigation I have found out that I also need to apply NetworkPolicy to prevent inter-namespace communication; however, applying NetworkPolicy resources requires a supporting networking solution (currently using kubenet, the default of kops, which doesn't).

What is the solution/plugin to go for?

I just want (at least for the time being) the level of isolation described above, which I assume can be achieved via NetworkPolicy even if there is a common CIDR for all pods (just saying that to emphasise that there is a need for just the simplest possible networking solution that achieves that, nothing more fancy with multiple CIDRs etc.).

Ideally I would like to be able to just use the NetworkPolicy resource for some namespace-based (namespaceSelector) and pod-based (podSelector) ingress rules and that's it (?)

On my kops clusters I use weave networking (also I provision them as private topology, which excludes kubenet anyway). So my first suggestion would be to go with a different networking, weave and calico being the first ones coming to my mind.

Other than that, you might want to look into a service mesh solution like Istio, which can leverage NetworkPolicies as well (some istio policy reading).
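As an added example (not part of the question or the answer above), this is the simplest namespaceSelector/podSelector NetworkPolicy that gives the namespace isolation the question asks for, once a policy-enforcing CNI such as Calico or Weave Net is installed; the namespace names production, testing and monitoring and the label name: monitoring are assumed for illustration.

```yaml
# Added example, not from the original post. Kubenet ignores NetworkPolicy
# objects, so this only takes effect on a CNI that enforces them.
# Policy 1: in "production", accept ingress only from pods in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: production          # assumed namespace name
spec:
  podSelector: {}                # empty selector: every pod in this namespace
  policyTypes:
    - Ingress                    # only ingress is restricted; egress stays open
  ingress:
    - from:
        # An empty podSelector with no namespaceSelector matches all pods in
        # the policy's own namespace and none in any other namespace.
        - podSelector: {}
---
# Policy 2: same default for "testing", plus one cross-namespace exception
# showing how namespaceSelector and podSelector combine.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-monitoring
  namespace: testing             # assumed namespace name
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}        # rule A: anything inside "testing"
        # rule B: a SEPARATE list item, so it is OR-ed with rule A.
        # namespaceSelector and podSelector inside ONE item are AND-ed:
        # only pods labelled app=scraper in namespaces labelled name=monitoring.
        - namespaceSelector:
            matchLabels:
              name: monitoring   # assumed label on the monitoring namespace
          podSelector:
            matchLabels:
              app: scraper       # assumed label on the allowed pods
```

A pod selected by a NetworkPolicy with policyTypes Ingress rejects all ingress not matched by some rule, so no separate deny-all object is needed; a quick check is to curl a production pod from a pod in testing before and after applying the policy and confirm the connection times out only afterwards.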
