Hi, I’ve deployed my first Rancher (2.0) and I really love it. This is bare metal deployment using Ubuntu servers as Rancher nodes. I’m using Canal as a network plugin.
Because I’m new to containers/kubernetes/rancher etc. I’m still figuring out what is the best way to create very tightened security policy in Rancher: only specific pods are able to talk with some other specific pod on specific ports.
I’ve found some documentation for Network Security Policy for Rancher 1.6 but I can’t find any useful material,for Rancher 2.0.
Is current only option to create and import configuration files directly in
Kubernetes?
What is the best way to create network policy for intra cluster and intra cluster communication?
I was working on this same thing today. My end goal is to have a service that is only accessible through my Kong gateway.
The good news is that networkpolicy configuration does work.
What I’ve come to find out though is there are default network policies that rancher create and ensure are applied (meaning even if you delete them, they come back) that ensure that within a project, all pods can communicate to each other.
To somewhat answer your question; right now the only way (to my knowledge) to limit pod to pod communication is to create a separate project for any workload that you do not want other pods to have default access to, and then to create a networkpolicy that allows the specific traffic you do want.
For example, here are the network policies for my foo namespace. I deleted both hn-nodes and np-default before I left the office today, and now they are back:
$ kubectl get networkpolicy --namespace foo
NAME POD-SELECTOR AGE
default-deny 1d
hn-nodes 5h
np-default 3h
The default-deny policy actually has the configuration to allow kong to talk to any pod in the foo namespace.
The np-default policy is the policy that allows all pods in a project to talk to all other pods:
It looks like in a future release, there will be an option to disable the default network policy management. This will allow you to create network policies that can limit communication between pods in the same project, and network policies will behave the same as a vanilla kubernetes cluster. https://github.com/rancher/rancher/issues/14462