Kubernetes Node firewalling from the Inside Out
Posted on March 21, 2024 • 1 minutes • 165 words
Description
The Kubernetes API manages network policies for application traffic in a declarative way. Some network interfaces—like Cilium—take this further by introducing additional policy resources that are more expressive than the default resources. Kubernetes intentionally leaves host networking policy out of the equation. As a result, admins typically fall back to familiar tools and write fragile bash scripts for Iptables and Firewalld when defining host network firewall policy, but that’s not the only option. The host network in your Kubernetes node is just another network namespace, albeit a somewhat special one, and it is possible to use declarative resources to secure node host networks, but not with the default Kubernetes API resources. This talk will cover a couple of contemporary implementations that provide in-cluster host network firewalling. Both Talos, as a Kubernetes distribution, and Cilium, as an advanced CNI, offer host firewalling declared as resources inside the cluster. We will compare and contrast these implementations and discuss the pros and cons of each.