Kubernetes cluster network policies

Kubernetes network policies help configure network interchanges between groups of pods and network nodes. You can create network policies using the Kubernetes Network Policy API that sets rules for filtering traffic at the pod level. These rules determine which pods and services in a Kubernetes cluster can access each other.

To manage network policies, Managed Service for Kubernetes uses the Calico and Cilium controllers.

The Calico network controller uses the iptables rules while Cilium utilizes eBPF technology.

Calico

Calico enables you to configure basic security policies for Kubernetes clusters.

Step-by-step configuration instructions are provided at Configuring the Calico network policy controller.

Cilium

Unlike Calico, the Cilium controller has broader capabilities and enables you to:

• Use the same subnet ranges for pods and services in different clusters.
• Create more functional network policies, for example, by filtering pod-to-pod traffic at the L7 application layer or using the DNS name of an external resource.
• Use the built-in Hubble tool to monitor network events.

In a Managed Service for Kubernetes cluster, Cilium operates in tunneling mode. This mode implements network connectivity for cluster objects based on VxLAN technology using Cilium CNI.

Cilium tunneling mode helps:

• Create clusters with overlapping IP addresses on the same network.
• Use an extended address range of up to /8 for pod and cluster services.
• Create twice as many cluster nodes (as compared to Calico).

Cluster requirements to enable network policies

Prerequisites for enabling network policies in a Kubernetes cluster:

• Sufficient node group resources.

  Using network policies requires additional memory and vCPU resources.

• The Cilium controller requires Kubernetes version 1.19 or better released through the RAPID channel.

We recommend that you only enable your network policy controller in a cluster of at least two nodes.