Kubernetes network separation

Hello,

I am in the process of setting up a kubernetes cluster using rancher.

Let’s say that I have a few large physical machines and the intention is that they will run all containers (dev, test, prod).

It won’t matter which host the containers / Pods land on and the separation (no pod communication between each other) will be done using environments / contexts.

Let’s say that the DEVpod and the ProdPod are on the same host and they both have their own internal IP addresses.

Now the PROD pod is communicating with a database outside of the cluster … I don’t want the other DEVpods to be able to communicate with that database. I somehow want the network separated for each of the PODS so that particular POD (vxlan tag maybe?) is the only one that can communicate out to that particular database.

Do you have suggestions or ideas for similar setups or any ideas on how to achieve network separation?

I know that kubernetes supports for example openVswitch or something similar to use however I can’t find a way to use something similar while using rancher/kubernetes.

Rancher uses CNI network plugin for Kubernetes and currently there is no support of multiple networks in the k8s/CNI specification. This is not exactly a limitation of Rancher, it’s just the current state of things and networking options are still evolving. For your use case, probably the simple solution would be to use different Rancher environments, one for production, the others for your dev and so on. Since you prefer to use the same environment for all environments, the other option I could think of is using iptables/ipsets to allow access to the database container from your allowed IP addresses and default deny for others.

Hi!

I have created a draw.io image trying to explain what we want to achieve.

We want to have the possibility to see whether traffic to an outside service comes from a pod in Namespace1 or Namespace2 (the src IP address), both for auditing and for the possibility to create specific firewall rules.

One idea we have:
Is it possible to set different IP allocation ranges for pods running in different namespaces? In that case we could have “true” internal IP addresses for all pods and let the Rancher host route them without NAT, or set specific NAT rules.

Or is it possible to add Flannel/Openvswitch or similar to a Rancher/kubernetes cluster that can see into the kubernetes environment and apply NAT rules depending on the namespace the pod is running in?

Or is there some way in the kubernetes service specification to set the source IP for outgoing traffic?

Sincerely
Mikael

Thanks! @leodotcloud. Do you have any insight into whether or not we can set ranges of IPs we want our Pods to have, so that we can separate them that way as per the comments made by @Sennerholm above?
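As an added example (not from any of the posters, and not Rancher's own configuration), the namespace-scoped separation asked for above, and the "allow the database for permitted sources, default deny for everyone else" approach suggested in the first reply, can both be expressed with Kubernetes NetworkPolicy objects instead of hand-written iptables/ipset rules. The example assumes a CNI plugin that actually enforces NetworkPolicy (plain Flannel does not; Canal, Calico and Weave do), namespaces named `prod` and `dev`, a prod pod labelled `app: api`, and a placeholder database address `203.0.113.10` on TCP 5432. The `kubernetes.io/metadata.name` namespace label used to allow DNS is set automatically only on Kubernetes 1.21 and later; on older clusters label `kube-system` yourself and adjust the selector.

```yaml
# Added example: per-namespace egress control with NetworkPolicy.
# Assumptions: CNI enforces NetworkPolicy; namespaces prod/dev exist;
# 203.0.113.10/32 is a placeholder for the external database.
---
# prod: only pods labelled app=api may reach the database; nothing else
# in the namespace may leave the cluster except for DNS lookups.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-egress-to-db
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Egress
  egress:
  # the external database, pinned to one host and one port
  - to:
    - ipBlock:
        cidr: 203.0.113.10/32
    ports:
    - protocol: TCP
      port: 5432
  # cluster DNS, otherwise the pod cannot resolve the database hostname
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# dev: default deny for every pod in the namespace, both directions.
# Egress is limited to DNS; ingress is limited to other dev pods, so a
# dev pod can neither talk to prod pods nor to the external database.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: dev
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector: {}      # only pods from this same namespace
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Apply with `kubectl apply -f <file>` and check the result from inside a dev pod (for example `nc -zv 203.0.113.10 5432` should time out, while a name lookup still works). Two caveats follow from the questions in the thread: NetworkPolicy decides which pods may open the connection, but it does not change what the database sees as the source address. Pod traffic leaving the cluster is normally masqueraded to the node IP by the overlay network, so the database's own logs and firewall cannot tell `prod` from `dev` by source IP alone; that is exactly why enforcing the decision inside the cluster, as above, is the more reliable control. And a policy only takes effect if the CNI plugin implements it; on a plugin that does not, the objects are accepted by the API server and silently ignored, so verify enforcement with a test connection rather than trusting that the object exists.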