Kubernetes Network Policy — Cilium

eBPF-based Networking, Observability, Security

Jansutris Apriten Purba
3 min read · Oct 5, 2022

Network policies are Kubernetes resources that control the traffic between pods and/or network endpoints. They use labels to select pods and specify, through rules, which traffic is allowed to reach those pods. Most CNI plugins support network policies; if the installed plugin does not and we create a NetworkPolicy anyway, the resource is silently ignored and no traffic is restricted.

Now let’s examine network policies in greater detail. By default, pods in Kubernetes can communicate with each other and accept traffic from any source. With a NetworkPolicy we can add traffic restrictions to any number of selected pods, while the other pods in the namespace (those that go unselected) continue to accept traffic from anywhere. The NetworkPolicy resource has the mandatory fields apiVersion, kind, metadata and spec. Its spec field contains all the settings that define network restrictions within a given namespace:

  • podSelector selects a group of pods for which the policy applies
  • policyTypes defines the type of traffic to be restricted (inbound, outbound, both)
  • ingress includes inbound traffic whitelist rules
  • egress includes outbound traffic whitelist rules
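The following manifests are an added example and are not part of the original post; the labels (app: backend, app: frontend, role: db) and ports are assumptions chosen for illustration. The first policy shows every spec field listed above on a single pod group; the second goes slightly beyond the text and shows the common default-deny pattern, which closes the gap mentioned above where unselected pods still accept traffic from anywhere.

```yaml
# Added example: allow only frontend -> backend:8080 ingress,
# and only backend -> db:5432 plus DNS egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: demo            # assumed namespace
spec:
  podSelector:               # which pods this policy applies to
    matchLabels:
      app: backend
  policyTypes:               # restrict both directions
    - Ingress
    - Egress
  ingress:                   # inbound whitelist
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:                    # outbound whitelist
    - to:
        - podSelector:
            matchLabels:
              role: db
      ports:
        - protocol: TCP
          port: 5432
    - to:                    # allow DNS lookups via kube-dns
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Added example: default-deny for every pod in the namespace.
# An empty podSelector matches all pods; with no ingress/egress
# rules listed, all traffic not allowed by another policy is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: demo
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```

Policies are additive: with both manifests applied, backend pods accept only the frontend traffic above, every other pod in the namespace accepts nothing, and the allow rules of any further NetworkPolicy are OR-ed with these. Because the default-deny policy also restricts egress, the explicit DNS rule matters; without it the backend pods could no longer resolve service names.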

Why do we propose Network Policy?

Background

We recently moved our production environment to Kubernetes (k8s). We got all the benefits of k8s containerization, such as consistent deployments, immutable infrastructure and easy scaling. On the other hand, we lost some network control:
we cannot perform granular access control (limiting inbound/egress connectivity) for specific pods. Opening a firewall or security group at the node level obviously grants that access to every container running on the node as well.

So, we propose Network Policy to control inter-service communication (pod to pod) and traffic from other private resources.

Prospective Solution

The most popular CNI plugins with network policy support are:

Cilium

Based on official documentation, Cilium is an open source project to provide networking, security, and observability for cloud native environments such as Kubernetes clusters and other container orchestration platforms.

At the foundation of Cilium is a new Linux kernel technology called eBPF, which enables the dynamic insertion of powerful security, visibility, and networking control logic into the Linux kernel. eBPF is used to provide high-performance networking, multi-cluster and multi-cloud capabilities, advanced load balancing, transparent encryption, extensive network security capabilities, transparent observability, and much more.

In a nutshell, Cilium is an “add-on” for Kubernetes that, among other things, implements the NetworkPolicy (NP) resource (a fresh K8s installation doesn’t come with a network policy implementation) to provide the concept of firewalls or security groups inside the cluster. Cilium also extends NP with CiliumNetworkPolicy to provide L7 rules (DNS-based, HTTP, etc.).
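As an added example (not from the post or the Cilium project), the CiliumNetworkPolicy below shows the L7 extension just mentioned: an HTTP rule that restricts the frontend to GET requests on one path prefix, and a DNS-based egress rule that lets backend pods reach only hosts under an assumed domain. The labels, port numbers, path and domain are assumptions for illustration.

```yaml
# Added example: L7 policy for backend pods using Cilium's CRD.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-l7-policy
  namespace: demo            # assumed namespace
spec:
  endpointSelector:          # Cilium's equivalent of podSelector
    matchLabels:
      app: backend
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:            # L7: only GET /api/v1/... is allowed
              - method: "GET"
                path: "/api/v1/.*"
  egress:
    - toEndpoints:           # DNS must be allowed and proxied for FQDN rules
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:             # L7: only lookups for this pattern succeed
              - matchPattern: "*.example.com"   # assumed domain
    - toFQDNs:               # allow HTTPS to the IPs those names resolve to
        - matchPattern: "*.example.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Once an L7 rule is attached to a port, Cilium routes that traffic through its proxy, so a frontend POST to the backend is rejected at HTTP level (visible in Hubble as an L7 drop) rather than at the socket, and a DNS lookup for a name outside the pattern never resolves.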

Cilium is a CNI-compliant networking plugin whose purpose is to provide multi-host network connectivity for Linux containers and a way to define granular network-layer and application-layer security policies. The full Cilium documentation can be read here.

Cilium has a built-in observability platform called Hubble that can be accessed from both the CLI and a GUI. It enables deep visibility into the communication and behavior of services, e.g. a topological map that shows which pods can reach which other pods.
