
Network Policy in Kubernetes under the hood

I have a network policy created and implemented as per https://github.com/ahmetb/kubernetes-network-policy-recipes , and it's working fine. However, I would like to understand how exactly this gets implemented in the back end. How does a network policy allow or deny traffic, by modifying the iptables? Which Kubernetes components are involved in implementing this?

Network Policy is implemented by network plugins (Calico, for example), most commonly by setting up Linux iptables/Netfilter rules on the Kubernetes nodes.

From the docs here:

In the Calico approach, IP packets to or from a workload are routed and firewalled by the Linux routing table and iptables infrastructure on the workload's host. For a workload that is sending packets, Calico ensures that the host is always returned as the next hop MAC address regardless of whatever routing the workload itself might configure. For packets addressed to a workload, the last IP hop is that from the destination workload's host to the workload itself.

(Figure: Calico data path)

"It depends". It's up to whatever controller actually does the setup, which is usually (but not always) part of your CNI plugin.

The most common implementation is Calico's Felix daemon, which supports several backends, but iptables is a common one. Other plugins use eBPF network programs or other firewall subsystems to similar effect.
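Both answers above say the same thing at different levels of detail: the NetworkPolicy object is declarative, and a controller on each node (Felix in Calico's case) turns it into iptables/Netfilter rules for the pods on that node. The following toy model, added here as an illustration and not code from Calico or any real CNI plugin, shows the two halves of that translation: a compiler that emits per-pod ingress chains from policy objects, and an evaluator that walks those rules the way Netfilter would (first matching terminal verdict wins). The chain naming scheme, the sample pods and the sample policies are all constructed for this example; only podSelector peers are modelled, not namespaceSelector or ipBlock.

```python
# Toy model (not Calico's or any real CNI plugin's code) of how a NetworkPolicy
# controller could translate policy objects into per-pod iptables chains and
# how Netfilter then evaluates them. Chain names and sample data are constructed.
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    ip: str
    labels: dict


@dataclass
class NetworkPolicy:
    name: str
    namespace: str
    pod_selector: dict   # spec.podSelector.matchLabels ({} selects every pod in the namespace)
    ingress: list        # spec.ingress: [{"from": [{"podSelector": {...}}], "ports": [...]}, ...]


def selects(match_labels, labels):
    """A matchLabels selector matches when every requested label is present with that value."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def compile_rules(policies, pods):
    """Emit iptables-save style rules: one ingress chain per pod that some policy selects.

    A pod selected by no policy gets no chain at all, which is how Kubernetes
    leaves unselected pods unrestricted. Once any policy selects a pod, the
    chain ends in DROP, so only explicitly allowed traffic gets through.
    """
    rules = []
    for pod in pods:
        applicable = [p for p in policies
                      if p.namespace == pod.namespace and selects(p.pod_selector, pod.labels)]
        if not applicable:
            continue
        chain = f"NP-{pod.namespace}-{pod.name}"          # hypothetical chain naming
        rules.append(f"-A FORWARD -d {pod.ip} -j {chain}")
        # Replies to connections the pod opened itself are always accepted.
        rules.append(f"-A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
        for pol in applicable:
            for ing in pol.ingress:
                peers = ing.get("from")
                if peers:   # peers are ORed; only podSelector peers are modelled here
                    sources = [q.ip for q in pods if q.namespace == pol.namespace and any(
                        "podSelector" in peer and selects(peer["podSelector"], q.labels)
                        for peer in peers)]
                else:       # 'from' omitted means any source
                    sources = [None]
                for src in sources:
                    for port in ing.get("ports") or [None]:
                        m = f"-s {src} " if src else ""
                        if port:
                            m += f"-p {port['protocol'].lower()} --dport {port['port']} "
                        rules.append(f"-A {chain} {m}-j ACCEPT")
        rules.append(f"-A {chain} -j DROP")              # default deny for a selected pod
    return rules


def evaluate(rules, src, dst, proto, dport, established=False):
    """Walk the rules as Netfilter would: first matching ACCEPT/DROP decides the packet."""
    def matches(rule):
        tok = rule.split()
        get = lambda flag: tok[tok.index(flag) + 1] if flag in tok else None
        if get("-s") not in (None, src) or get("-d") not in (None, dst):
            return False
        if get("-p") not in (None, proto) or get("--dport") not in (None, str(dport)):
            return False
        if "--ctstate" in tok and not established:
            return False
        return True

    def run_chain(name):
        for rule in rules:
            if not rule.startswith(f"-A {name} ") or not matches(rule):
                continue
            target = rule.split("-j ")[1]
            if target in ("ACCEPT", "DROP"):
                return target
            verdict = run_chain(target)          # jump into a user chain
            if verdict:
                return verdict
        return None                              # fell off the end of the chain

    return run_chain("FORWARD") or "ACCEPT"      # assume FORWARD's policy is ACCEPT


# Constructed sample cluster: three pods in namespace "shop", one policy on the db pod.
SAMPLE_PODS = [
    Pod("web", "shop", "10.244.1.10", {"app": "web"}),
    Pod("api", "shop", "10.244.1.11", {"app": "api"}),
    Pod("db", "shop", "10.244.1.12", {"app": "db"}),
]
SAMPLE_POLICIES = [
    NetworkPolicy("db-allow-api", "shop", {"app": "db"},
                  [{"from": [{"podSelector": {"app": "api"}}],
                    "ports": [{"protocol": "TCP", "port": 5432}]}]),
]

if __name__ == "__main__":
    rules = compile_rules(SAMPLE_POLICIES, SAMPLE_PODS)
    print("\n".join(rules))
    print("api -> db:5432", evaluate(rules, "10.244.1.11", "10.244.1.12", "tcp", 5432))
    print("web -> db:5432", evaluate(rules, "10.244.1.10", "10.244.1.12", "tcp", 5432))
    print("web -> api:8080", evaluate(rules, "10.244.1.10", "10.244.1.11", "tcp", 8080))
```

Running it prints four rules for the db pod's chain and shows the three behaviours worth checking against a real cluster: api reaches db on 5432, web is dropped on the same port, and web still reaches api because no policy selects api. Adding a second policy with an empty podSelector and no ingress rules (the "default deny" recipe from the linked repository) makes every pod in the namespace get a chain that ends in DROP, which is the effect the question is asking about.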
