Isolating kubernetes namespaces using NSX-T distributed firewall (DFW) Rules



Article ID: 316817


Updated On:

Products

VMware NSX

Issue/Introduction

By default, all pods in all namespaces can communicate with each other. To isolate a namespace, create a set of DFW rules that denies all traffic coming from other namespaces while allowing all traffic between pods deployed in the same namespace.

Environment

VMware PKS 1.x

Resolution

You can create DFW rules so that pods inside a namespace can reach each other while connections from other namespaces (inter-namespace traffic) are blocked. Because the DFW evaluates rules top-down and the first matching rule decides, the order of these rules matters. Create them manually per the following guidelines:
  • On top, create a rule with the namespace subnet as both source and destination and set it to Allow.
  • Below it, create a rule with source ANY and destination the namespace subnet and set it to Deny. This blocks pods in other namespaces (and any other source) from reaching the namespace.
  • After the second rule, create a rule for egress traffic with source the namespace subnet and destination ANY and set it to Allow.
When you apply this pattern to several namespaces, keep every Deny rule above every egress Allow rule: if namespace A's egress Allow (A to ANY) sits above namespace B's Deny (ANY to B), traffic from A to B matches the Allow first and the isolation of B is bypassed.
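The following Python script is an added example, not code from this article or from VMware. It builds the three rules above for several namespaces in the correct order, implements the DFW's top-down first-match evaluation so the ordering can be checked offline, and contrasts it with the per-namespace ordering that silently leaks traffic. The namespace names and subnets are constructed sample values, and the Policy API rendering at the end assumes the field names of the NSX-T Policy API Rule schema with placeholder group paths; verify both against the API reference for your NSX-T version.

```python
"""Ordered DFW rule set for Kubernetes namespace isolation, plus a
first-match evaluator to check the ordering before configuring NSX-T.

Added example, not from the KB article or from VMware. Namespace subnets
are constructed sample values (NSX-T assigns the real per-namespace subnets).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "ANY"

# Constructed sample data: one subnet per namespace.
NAMESPACES: Dict[str, str] = {
    "frontend": "10.24.1.0/24",
    "backend": "10.24.2.0/24",
    "monitoring": "10.24.3.0/24",
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # CIDR string or ANY
    destination: str   # CIDR string or ANY
    action: str        # "ALLOW" or "DROP" (the article's "Deny")


def _matches(selector: str, ip: str) -> bool:
    return selector == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(selector)


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """DFW semantics: rules are evaluated top-down; the first match decides."""
    for rule in rules:
        if _matches(rule.source, src_ip) and _matches(rule.destination, dst_ip):
            return rule
    return None


def decide(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    rule = first_match(rules, src_ip, dst_ip)
    # No match falls through to the DFW default rule, whatever it is set to.
    return rule.action if rule else "DEFAULT"


def namespace_rules(ns: str, cidr: str) -> Tuple[Rule, Rule, Rule]:
    """The three rules the article describes for one namespace, in its order."""
    return (
        Rule(f"{ns}-intra-allow", cidr, cidr, "ALLOW"),   # 1: same namespace
        Rule(f"{ns}-ingress-deny", ANY, cidr, "DROP"),    # 2: anything else -> namespace
        Rule(f"{ns}-egress-allow", cidr, ANY, "ALLOW"),   # 3: namespace -> anywhere
    )


def build_isolation_rules(namespaces: Dict[str, str]) -> List[Rule]:
    """Correct table for many namespaces: grouped by rule type, so every
    Deny sits above every egress Allow."""
    per_ns = [namespace_rules(ns, cidr) for ns, cidr in namespaces.items()]
    return [r[0] for r in per_ns] + [r[1] for r in per_ns] + [r[2] for r in per_ns]


def build_misordered_rules(namespaces: Dict[str, str]) -> List[Rule]:
    """The same rules grouped per namespace, the tempting way to enter them by
    hand. An earlier namespace's egress Allow then precedes a later Deny."""
    rules: List[Rule] = []
    for ns, cidr in namespaces.items():
        rules.extend(namespace_rules(ns, cidr))
    return rules


def audit_isolation(rules: List[Rule], namespaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (source_ns, dest_ns) pairs whose cross-namespace traffic is not
    dropped. An empty list means the table isolates every namespace."""
    sample_ip = {ns: str(next(ipaddress.ip_network(cidr).hosts()))
                 for ns, cidr in namespaces.items()}
    return [(src, dst) for src in namespaces for dst in namespaces
            if src != dst and decide(rules, sample_ip[src], sample_ip[dst]) != "DROP"]


def to_policy_api_rule(rule: Rule, sequence_number: int) -> dict:
    """Render one rule as an NSX-T Policy API Rule object. Assumption: field
    names follow the Policy API rule schema; group paths are placeholders for
    IP-set groups created beforehand. Check both against your API reference."""
    def groups(selector: str) -> List[str]:
        if selector == ANY:
            return [ANY]
        return [f"/infra/domains/default/groups/subnet-{selector.replace('/', '-')}"]

    return {
        "resource_type": "Rule",
        "display_name": rule.name,
        "sequence_number": sequence_number,
        "source_groups": groups(rule.source),
        "destination_groups": groups(rule.destination),
        "services": [ANY],
        "scope": [ANY],
        "direction": "IN_OUT",
        "action": rule.action,
    }


if __name__ == "__main__":
    good = build_isolation_rules(NAMESPACES)
    bad = build_misordered_rules(NAMESPACES)
    print("grouped-by-type leaks:     ", audit_isolation(good, NAMESPACES))
    print("grouped-per-namespace leaks:", audit_isolation(bad, NAMESPACES))
    for seq, rule in enumerate(good, start=1):
        print(f"{seq * 10:4d} {rule.name:22s} {rule.source:>14s} -> {rule.destination:<14s} {rule.action}")
```

Running the script prints an empty leak list for the grouped-by-type table and, for the per-namespace table, the pairs frontend to backend, frontend to monitoring and backend to monitoring: each earlier namespace's egress Allow matches before the later namespace's Deny. The reverse directions are still dropped, so a quick one-way connectivity test would not reveal the gap; check both directions, or run the audit over every ordered pair as the script does.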