Network Plugins In K8 With Calico
--
As we know, within a single cluster all pods share one flat IP network. Even when pods are in different namespaces, they can talk to each other directly using their IPs.
That leads us to think about tightening things a bit: not everyone should be able to talk to a particular pod, only those that fulfil a condition.
We can write a NetworkPolicy for a particular pod in a particular namespace, selecting the pod by its labels: if someone tries to reach me, I allow only the pods from namespace ‘X’.
But when we try to confirm our network policy by pinging from a pod in namespace ‘Y’, it can still reach us. So that basically didn’t work yet.
Yes, yet. We need a network policy agent (a CNI plugin that actually enforces NetworkPolicy objects) in our cluster. Weave Net, Calico and Antrea are the popular ones. In this article we are going to discuss Calico.
Before that, it’s better to refresh how pods find each other with the help of the root network namespace in Kubernetes.
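As an added example (not from the original article), here is what that policy looks like as a manifest. The names are assumptions: the protected pod is labelled `app: backend` in namespace `app`, and the trusted namespace ‘X’ is called `team-x`, labelled explicitly so the `namespaceSelector` has something to match.

```yaml
# Constructed example; namespace names and labels are assumptions.
# Namespace "X" from the text: the only namespace allowed to reach us.
apiVersion: v1
kind: Namespace
metadata:
  name: team-x
  labels:
    team: x          # the label the policy's namespaceSelector matches
---
# The policy lives in the namespace of the pod it protects.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-only-from-team-x
  namespace: app
spec:
  # "labeling itself": select the protected pod(s) by label
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  # Once a pod is selected by an Ingress policy, any ingress not listed
  # below is denied (including ping from namespace "Y").
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              team: x
      # no "ports" block: every protocol and port is allowed from team-x,
      # so an ICMP ping from there still works
```

Apply it with `kubectl apply -f`, then ping the backend pod from a pod in `team-x` and from a pod in another namespace. Without a policy-enforcing CNI such as Calico the API server accepts the object but both pings succeed, which is exactly the "didn't work yet" symptom described above.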
Assume a packet is going from pod1 to pod4.
- It leaves `pod1`’s netns at `eth0` and enters the root netns at `vethxxx`.
- It’s passed on to `cbr0`, which makes the ARP request to find the destination.
- It comes out of `cbr0` to the main network interface `eth0`, since nobody on this node has the IP address for `pod4`.
- It leaves the machine `node1` onto the wire with `src=pod1` and `dst=pod4`.
- The route table has routes set up for each of the node CIDR blocks, and it routes the packet to the node whose CIDR block contains the `pod4` IP.
- So the packet arrives at `node2` at the main network interface `eth0`.
Now, even though `pod4` isn’t the IP of `eth0`, the packet is still forwarded to `cbr0`, since the nodes are configured with IP forwarding enabled.
The node’s routing table is looked up for any routes matching the `pod4` IP. It finds `cbr0` as the destination for this node’s CIDR block.
You may list the node route table using the `route -n` command, which will show a route for `cbr0` like this: