As we know through out the same cluster pods have the same IP. Even though when the pods are in different name spaces pods can talk to each other using their IPs.
so that let us to think what if we wants to keep bit high on us .Not every one can to talk to ,particular one ,but the people who have fulfilled the condition.
We can write a network policy for particular pod in a particular namespace by labeling itself ,if some one trying to reach me ,I allowed only the pods from ‘X’ namespace.
But when we are trying to confirm our network policy by getting pin from a pod ‘Y’ namespace still they can call us.So that basically didn’t work yet.
yes ,yet.We need to put a network policy agent for our cluster. Waveworks ,Calico and ANTERA are the popular one.Well in this article gonna discuss about the Calico.
before that it’s better to refresh about how those pods find the each other with the help of root network name space in Kuberntes.
Assume a packet is going from pod1 to pod4.
- It leaves
pod1’s netns at
eth0and enters the root netns at
- It’s passed on to
cbr0, which makes the ARP request to find the destination.
- It comes out of
cbr0to the main network interface
eth0since nobody on this node has the IP address for
- It leaves the machine
node1onto the wire with
- The route table has routes setup for each of the node CIDR blocks, and it routes the packet to the node whose CIDR block contains the
- So the packet arrives at
node2at the main network interface
Now even though
pod4isn’t the IP of
eth0, the packet is still forwarded to
cbr0since the nodes are configured with IP forwarding enabled.
The node’s routing table is looked up for any routes matching the
pod4IP. It finds
cbr0as the destination for this node’s CIDR block.
You may list the node route table using
route -ncommand, which will show a route for