Open Levovar opened 4 years ago
Umbrella ticket, implemented by: https://github.com/nokia/danm-utils/pull/6 https://github.com/nokia/danm-utils/pull/8 https://github.com/nokia/danm-utils/pull/10
After the latest change https://github.com/nokia/danm-utils/pull/15 the first phase of Policer is done. Multi-interface aware and CNI agnostic centralized micro-segmentation in Kubernetes is officially a thing (see example at the end of the PR).
This ticket now morphs into a Policer umbrella, tracking the various known enhancements still needing implementation.
DANM Policer Progress
DANM is already capable of providing macro-segmentation by managing physical L2 domains. However, in a truly secure, no-trust networking environment multiple layers of security are expected. In such an environment micro-segmentation, i.e. the possibility to isolate Pods from each other even when they are connected to the same L2 domain, is required.
A new DANM utility could be added to implement this requirement in the usual, 100% API-driven and multi-network aware manner. The Controller can be driven by a CRD-based API that closely resembles the existing NetworkPolicy API, but with a little multi-interface twist in it. The reason not to reuse the NetworkPolicy API is to avoid collisions with existing Controller implementations, which are restricted to a single interface.
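To make the "multi-interface twist" concrete, here is an added, constructed toy model (not DANM's or danm-utils' code, and not its CRD schema) of how a per-network policy evaluation differs from single-interface NetworkPolicy semantics. The `Pod`, `Policy` and `PolicyRule` types, the `network` field on a rule, and the sample pods and addresses are all hypothetical; the only behaviour taken from the text is that a Pod may sit on several L2 domains and that isolation must be expressible per interface rather than per Pod.

```python
"""Toy per-network micro-segmentation evaluator (constructed illustration).

A Pod is attached to one or more networks. A Policy selects destination Pods
by label and carries rules scoped to a named network. As with NetworkPolicy,
a Pod that no policy selects is not isolated (default allow); once a policy
selects it on a network, only listed peers may reach it on that network.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Pod:
    name: str
    labels: Dict[str, str]
    interfaces: Dict[str, str]  # hypothetical: network name -> constructed IP


@dataclass
class PolicyRule:
    network: str                 # hypothetical field: the interface this rule governs
    allow_from: List[Dict[str, str]]  # label selectors of permitted peers


@dataclass
class Policy:
    name: str
    pod_selector: Dict[str, str]
    rules: List[PolicyRule]


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Equality-based label selector, as in the Kubernetes core API."""
    return all(labels.get(k) == v for k, v in selector.items())


def is_allowed(policies: List[Policy], src: Pod, dst: Pod, network: str) -> bool:
    """Multi-interface semantics: isolation is decided per (pod, network)."""
    # Traffic on a network is only possible if both pods are attached to it.
    if network not in src.interfaces or network not in dst.interfaces:
        return False
    applicable = [p for p in policies
                  if selector_matches(p.pod_selector, dst.labels)
                  and any(r.network == network for r in p.rules)]
    if not applicable:
        return True  # nothing isolates dst on this network
    for p in applicable:
        for r in p.rules:
            if r.network == network and any(
                    selector_matches(sel, src.labels) for sel in r.allow_from):
                return True
    return False


def is_allowed_single_interface(policies: List[Policy], src: Pod, dst: Pod) -> bool:
    """Single-interface semantics: any policy selecting dst isolates the whole pod,
    regardless of which interface the traffic arrives on."""
    applicable = [p for p in policies if selector_matches(p.pod_selector, dst.labels)]
    if not applicable:
        return True
    return any(selector_matches(sel, src.labels)
               for p in applicable for r in p.rules for sel in r.allow_from)


# Constructed sample: three pods on two networks, one policy on the "data" network.
PODS = {
    "frontend": Pod("frontend", {"app": "frontend"},
                    {"mgmt": "10.0.0.10", "data": "192.168.1.10"}),
    "backend": Pod("backend", {"app": "backend"},
                   {"mgmt": "10.0.0.20", "data": "192.168.1.20"}),
    "other": Pod("other", {"app": "other"},
                 {"mgmt": "10.0.0.30", "data": "192.168.1.30"}),
}
POLICIES = [
    Policy("backend-data-ingress", {"app": "backend"},
           [PolicyRule("data", [{"app": "frontend"}])]),
]


if __name__ == "__main__":
    b, f, o = PODS["backend"], PODS["frontend"], PODS["other"]
    print("frontend -> backend on data :", is_allowed(POLICIES, f, b, "data"))
    print("other    -> backend on data :", is_allowed(POLICIES, o, b, "data"))
    print("other    -> backend on mgmt :", is_allowed(POLICIES, o, b, "mgmt"))
    print("single-interface, other -> backend:",
          is_allowed_single_interface(POLICIES, o, b))
```

The third and fourth results show the difference the ticket is after: with per-network rules, a policy that locks down the backend's data-plane interface leaves its management interface untouched, whereas a single-interface controller would have to either isolate the whole Pod or nothing.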