Network Policy in Kubernetes under the hood

4/27/2020

I have a network policy created and implemented as per https://github.com/ahmetb/kubernetes-network-policy-recipes, and it's working fine; however, I would like to understand how exactly this gets implemented in the back end. How does a network policy allow or deny traffic, by modifying the iptables? Which Kubernetes components are involved in implementing this?

-- sai prashanth
cni
google-kubernetes-engine
kubernetes
kubernetes-networkpolicy
kubernetes-pod

2 Answers

4/27/2020

"It depends". It's up to whatever controller actually does the setup, which is usually (but not always) part of your CNI plugin.

The most common implementation is Calico's Felix daemon, which supports several backends, but iptables is a common one. Other plugins use eBPF network programs or other firewall subsystems to similar effect.

-- coderanger
Source: StackOverflow

4/27/2020

Network Policy is implemented by network plugins (Calico, for example), most commonly by setting up Linux iptables/Netfilter rules on the Kubernetes nodes.

From the docs here:

In the Calico approach, IP packets to or from a workload are routed and firewalled by the Linux routing table and iptables infrastructure on the workload's host. For a workload that is sending packets, Calico ensures that the host is always returned as the next hop MAC address regardless of whatever routing the workload itself might configure. For packets addressed to a workload, the last IP hop is that from the destination workload's host to the workload itself.

(figure: Calico data path)

-- Arghya Sadhu
Source: StackOverflow
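Both answers say that, with Calico's iptables backend, a NetworkPolicy ends up as iptables chains on the node, but neither shows what that looks like or how to check it. The script below is an added example, not code from the question, either answer, or the Calico project: it parses `iptables-save -t filter` output and reports the per-policy chains Calico programs, how many rules each holds, and the final verdict of a workload's chain (what happens when no policy accepted the packet). The embedded sample is constructed to resemble Calico's iptables dataplane: the `cali-pi-`/`cali-po-` prefixes (policy ingress/egress) and `cali-tw-`/`cali-fw-` prefixes (to/from workload interface) are Calico's naming conventions; the policy suffix `_abc123`, the interface name `cali1234567ab`, the ipset name, rule comments and mark bits are placeholders for illustration only.

```shell
#!/bin/sh
# Added example: inspect the iptables chains a Calico node programs for NetworkPolicy.
# On a real node, replace the constructed sample with: rules="$(sudo iptables-save -t filter)"

# CONSTRUCTED sample of `iptables-save -t filter` on a Calico node (not captured
# from a real cluster): one ingress policy chain, one egress policy chain, and the
# to-workload / from-workload chains of a single pod interface.
SAMPLE_IPTABLES_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:cali-FORWARD - [0:0]
:cali-pi-_abc123 - [0:0]
:cali-po-_abc123 - [0:0]
:cali-tw-cali1234567ab - [0:0]
:cali-fw-cali1234567ab - [0:0]
-A FORWARD -m comment --comment "cali:forward" -j cali-FORWARD
-A cali-pi-_abc123 -m comment --comment "cali:allow-from-frontend" -m set --match-set cali40s:placeholder src -p tcp --dport 5000 -j MARK --set-xmark 0x10000/0x10000
-A cali-pi-_abc123 -m comment --comment "cali:return-if-accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali1234567ab -m comment --comment "cali:start-of-policies" -j MARK --set-xmark 0x0/0x10000
-A cali-tw-cali1234567ab -m comment --comment "cali:jump-to-policy" -j cali-pi-_abc123
-A cali-tw-cali1234567ab -m comment --comment "cali:return-if-policy-accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali1234567ab -m comment --comment "cali:drop-if-no-policies-passed-packet" -m mark --mark 0x0/0x20000 -j DROP
COMMIT'

# List every policy chain (ingress "cali-pi-*" and egress "cali-po-*") declared
# in the iptables-save text passed as $1. One NetworkPolicy yields such chains.
policy_chains() {
    printf '%s\n' "$1" | awk '/^:cali-p[io]-/ { sub(/^:/, "", $1); print $1 }'
}

# Count the rules appended (-A) to chain $2 in the iptables-save text $1.
rule_count() {
    printf '%s\n' "$1" | awk -v c="$2" '$1 == "-A" && $2 == c { n++ } END { print n + 0 }'
}

# Print the jump target (-j ...) of the last rule in chain $2 of text $1.
# On a to-workload chain this is the default verdict once no policy has
# accepted the packet; for a pod selected by a policy it should be DROP.
last_target() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "-A" && $2 == c { for (i = 3; i <= NF; i++) if ($i == "-j") t = $(i + 1) }
        END { print t }'
}

# Stand-alone run over the constructed sample.
main() {
    rules="$SAMPLE_IPTABLES_SAVE"
    for chain in $(policy_chains "$rules"); do
        echo "$chain: $(rule_count "$rules" "$chain") rules, last target $(last_target "$rules" "$chain")"
    done
    echo "cali-tw-cali1234567ab default verdict: $(last_target "$rules" cali-tw-cali1234567ab)"
}
main
```

The check a practitioner actually wants is the last line of output: if the pod is selected by at least one NetworkPolicy, its to-workload chain should end in `DROP`, which is the "default deny once selected" semantics the question is asking about; a chain that ends in `RETURN` or `ACCEPT` means no policy selects that pod on that node.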