Private network without IPSec overlay

We like all the concepts in rancher to deploy services in a total cloud centric way. However in a more traditional IT department the IPsec Overlay may causes some trouble here.

Is there a way to mange service/container with rancher based on a fixed network topology which the security team already has splitted in different zones (VLANS) which are all routable but have given security rules between them.

I would model this with different labels attached to hosts in a given department (VLAN) and only allow service to be deployed there. We also like to use the internal DNS discovery goodies ranher provides. But is there a way to avoid the additional IPSec tunnels and use the preexisting routed connectivity?

an intersting article about the network stuff in container networks is here at k8s:


With the arrival of k8s at rancher now it would be interesting to hear about the direction of
rancher in terms of networking CNI etc.

Ping @denise et al. Do you have any reply to this?

We’re in a similar situation, where we want to have agent nodes in the same environment, but where we don’t want rancher to setup the IPSec network, due to the nodes being in different silos. We can provide a custom IPSec network for rancher to use, that we manage for this setup, though. So the question is, could it work, and is there anything special we need to do in rancher to make this work.

We support the existing IPSec and vxlan. Integrating other CNI implementations is possible but we have no immediate plans to implement more that I’m aware of.

Thanks for the reply vincent.