-
|
I've been successfully testing a k3s server with IPv4/IPv6 dual stack but am wondering if it is somehow possible to secure services across namespaces. Since network policies need to be disabled to run k3s in dual stack mode all pods can access all services when the DNS is known. Can I do something about this? I'd really prefer if pods can't just access other namespaces services without me explicitly allowing them to. |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 4 replies
-
|
K3s does not ship with any network policies, so unless you're deploying your own network policies to secure your workload, what you describe is possible regardless of whether or not you have the network policy controller enabled. |
Beta Was this translation helpful? Give feedback.
-
|
Yes, what I'm trying to say is if there is any way to get network policies working when running a dual stack cluster. E.g. following this example doesn't work: https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/04-deny-traffic-from-other-namespaces.md I assume this is because of me having to use |
Beta Was this translation helpful? Give feedback.
-
|
You would need to deploy a different CNI that does support dual-stack and network policy enforcement. K3s ships with flannel, which does not do network policy at all. To fill that gap, we have packaged the kube-router network policy controller, which does not support ipv6 yet. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks! I assume this relates to cloudnativelabs/kube-router#307 and a possible workaround would be to replace flannel with Calico (https://www.adyxax.org/blog/2021/07/27/making-dual-stack-ipv6-work-with-k3s/). I'll keep that in mind when futher investigating this topic. |
Beta Was this translation helpful? Give feedback.
-
|
Hello. I have one cluster IPv6-only.
I've just tried Cilium because of that. Unfortunately, it doesn't support any tunnel mode (VXLAN) in IPv6. As version 2 of |
Beta Was this translation helpful? Give feedback.
-
|
This is a really old discussion you're responding to. We did the work to add ipv6 support to the network policy controller, and contributed that upstream to what became v2 of the kube-router NPC. We have been shipping it for months. |
Beta Was this translation helpful? Give feedback.
K3s does not ship with any network policies, so unless you're deploying your own network policies to secure your workload, what you describe is possible regardless of whether or not you have the network policy controller enabled.