elastic / endpoint


Host isolation not working with Daemonset implementation #43

Open xxxmadxxx opened 1 year ago

xxxmadxxx commented 1 year ago

Hi,

I have a Kubernetes cluster on which I'm implementing the following manifest: https://raw.githubusercontent.com/elastic/endpoint/main/releases/8.6.0/kubernetes/deploy/elastic-defend.yaml

When I look at my cloud fleet I'm seeing that host isolation is not working. Was it supposed to work? If not, why? Maybe with the "why" I can try to solve it here and get a workaround.

Screenshot from 2023-02-22 13-56-30

Screenshot from 2023-02-22 13-57-20

mjwolf commented 1 year ago

Hi, host isolation is not supported with Kubernetes. This is because it would have some undesirable behavior in Kubernetes.

If you were to isolate a node, all workloads running on that node would become unhealthy, and would be rescheduled on another node. Depending on the nature of the problem you're trying to isolate, the problem could be reintroduced when the pod is restarted on another node.

Also the cluster auto-scaler would likely detect the node is unhealthy, and kill the underlying VM, so it won't be available to un-isolate or use to investigate the problem later.

As a workaround, you could use the Kubernetes API, or kubectl, to change things to do something similar to host isolation. Adding a NoExecute taint to the node to stop all pods from running on it, modifying the network service to make the pods unreachable, or changing the workload resources to stop pods from running could all be ways to isolate or stop problems.
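The three kubectl approaches listed in the comment above, written out as an added example (not part of this thread or of the elastic/endpoint project). It assumes kubectl is already configured for the cluster, that the cluster's CNI enforces NetworkPolicy, and uses a hypothetical taint key `incident-isolation`.

```shell
#!/bin/sh
# Added example: approximate host isolation for one Kubernetes node/workload
# with kubectl. KUBECTL can be overridden (e.g. for a dry run with a stub).
KUBECTL="${KUBECTL:-kubectl}"

# 1. Node level: stop new scheduling (cordon) and evict running pods with a
#    NoExecute taint. Caveat: DaemonSet pods only tolerate the built-in
#    node.kubernetes.io/* taints automatically, so a custom NoExecute taint
#    also evicts the elastic-defend agent unless its tolerations cover it.
taint_node() {
  node="$1"
  "$KUBECTL" cordon "$node" &&
  "$KUBECTL" taint nodes "$node" incident-isolation=true:NoExecute --overwrite
}

# Undo step 1 once the investigation is finished.
release_node() {
  node="$1"
  "$KUBECTL" taint nodes "$node" incident-isolation=true:NoExecute- &&
  "$KUBECTL" uncordon "$node"
}

# 2. Network level: a default-deny NetworkPolicy selecting every pod in the
#    namespace, blocking both ingress and egress (pods keep running).
deny_all_policy() {
  ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: incident-isolation-deny-all
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
EOF
}

apply_deny_all() {
  deny_all_policy "$1" | "$KUBECTL" apply -f -
}

# 3. Workload level: scale the affected resource to zero replicas.
#    Usage: scale_down <namespace> <kind/name>, e.g. scale_down prod deployment/web
scale_down() {
  ns="$1"; target="$2"
  "$KUBECTL" -n "$ns" scale "$target" --replicas=0
}
```

Option 1 is the closest analogue to host isolation but has the drawbacks described above (rescheduling elsewhere, autoscaler reclaiming the node); option 2 keeps the pods in place for investigation while cutting their traffic.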

xxxmadxxx commented 1 year ago

Thank you @mjwolf. Is it possible to see the documentation or something similar where this behavior is specified? I'd like to understand how this is implemented in the elastic endpoint code to make sure that if I create a workaround I'll be aware of all the things that are happening.

nfritts commented 1 year ago

Howdy @xxxmadxxx,

Host Isolation and malware protection being disabled are mentioned in a note on this documentation page, at the bottom of the Setup section: https://www.elastic.co/guide/en/security/8.6/kubernetes-dashboard.html#k8s-dash-setup

Unfortunately, I'm not sure I have much else to provide you, but we can attempt to answer any other questions that you have.