© 2023 Yandex.Cloud LLC

Kubernetes cluster network policies

Written by
Yandex Cloud
  • Integration with load balancers
  • Calico
  • Cilium
  • Cluster requirements to enable network policies

Kubernetes network policies define how groups of pods may communicate with each other and with other network endpoints. You create them with the Kubernetes NetworkPolicy API, which sets traffic-filtering rules at the pod level. These rules determine which pods and services in a Kubernetes cluster can reach each other.

To manage network policies, Managed Service for Kubernetes uses the Calico and Cilium controllers.

The Calico network controller enforces policies with iptables rules, while Cilium uses eBPF.

Warning

You can enable network policies only when creating a cluster.

Integration with load balancers

Warning

Due to the Yandex Cloud architecture, you can't use loadBalancerSourceRanges in Managed Service for Kubernetes when setting up network policy controllers. To allow traffic via the Yandex Network Load Balancer or Yandex Application Load Balancer, use a NetworkPolicy instead.

For step-by-step instructions on how to set up access to an application using NetworkPolicy, see Granting access to an app running in a Kubernetes cluster.
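The following manifest is an added example, not part of the Yandex Cloud documentation or of the linked guide: a NetworkPolicy that admits load balancer traffic to an application's pods in place of loadBalancerSourceRanges. The policy name, namespace, pod label, container port and the CIDR are assumptions; the real address ranges come from the linked guide.

```yaml
# Added example (not from the Yandex Cloud documentation): a Kubernetes NetworkPolicy
# that admits load balancer traffic to an application's pods instead of using
# loadBalancerSourceRanges, which is unsupported in Managed Service for Kubernetes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-lb-to-web        # assumed name
  namespace: default           # assumed namespace
spec:
  # Pods the policy applies to (assumed label).
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    # Once an Ingress policy selects these pods, every source not listed
    # below is denied; only the listed ipBlock on the listed port is admitted.
    - from:
        - ipBlock:
            # PLACEHOLDER: replace with the address ranges the load balancer and
            # its health checks use; take them from "Granting access to an app
            # running in a Kubernetes cluster".
            cidr: 203.0.113.0/24
      ports:
        - protocol: TCP
          port: 8080            # assumed container port
```

NetworkPolicy rules are additive, so keep the ipBlock list as narrow as the guide allows; a `from` entry of `- {}` would admit every source.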

Calico

Calico enables you to configure basic security policies for Kubernetes clusters.

Step-by-step configuration instructions are provided at Configuring the Calico network policy controller.

Cilium

Compared to Calico, the Cilium controller has broader capabilities and enables you to:

  • Use the same subnet ranges for pods and services in different clusters.
  • Create richer network policies, for example, by filtering pod-to-pod traffic at the L7 application layer or by identifying an external resource by its DNS name.
  • Use the built-in Hubble tool to monitor network events.
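The following manifest is an added example, not part of the Yandex Cloud documentation: a CiliumNetworkPolicy that uses two of the capabilities listed above, L7 filtering of pod-to-pod HTTP traffic and egress to an external resource identified by DNS name. The policy name, namespace, labels, ports, path and hostname are assumptions.

```yaml
# Added example (not from the Yandex Cloud documentation): a CiliumNetworkPolicy
# combining an L7 HTTP ingress rule with an FQDN-based egress rule.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l7-and-fqdn        # assumed name
  namespace: default           # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: api                 # assumed label of the protected pods
  ingress:
    # Only pods labelled role=frontend may call the API, and only GET /v1/orders...
    - fromEndpoints:
        - matchLabels:
            role: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/v1/orders.*"
  egress:
    # DNS must be allowed explicitly so Cilium can observe lookups and
    # resolve the toFQDNs rule below.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # Outbound HTTPS only to one external host, by DNS name (assumed hostname).
    - toFQDNs:
        - matchName: api.example.com
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

If the cluster runs NodeLocal DNS, the DNS egress rule must target the node-local cache rather than kube-dns; see the NodeLocal DNS configuration guide for Cilium.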

In a Managed Service for Kubernetes cluster, Cilium operates in tunneling mode. In this mode, Cilium CNI provides network connectivity between cluster objects over VXLAN tunnels.

Cilium tunneling mode helps:

  • Create clusters with overlapping IP address ranges on the same network.
  • Use an extended address range of up to /8 for pods and cluster services.
  • Create twice as many cluster nodes as with Calico.

To use tunneling mode, the service account requires the k8s.tunnelClusters.agent role.

Note

Tunneling mode is at the Preview stage.

Cluster requirements to enable network policies

Enabling network policies in a Kubernetes cluster requires sufficient resources in the node groups: the network policy controller consumes additional memory and vCPU.

We recommend that you only enable your network policy controller in a cluster of at least two nodes.
