Completek8s Classroomnotes 29/Sep/2023

Network policy in k8s

  • By default, all the pods in k8s are open for communication with each other. Network policy is the k8s implementation of a network firewall.
  • With network policies, we can build ingress/egress rules based on
    • CIDR Blocks
    • Pod’s Label selectors
    • namespaces
  • Network policy is part of the CNI's implementation, and not all CNI plugins support it. Some of the popular CNI plugins which implement network policy are
    • Calico
    • Cilium
    • Kube-router
    • Weave net
  • All managed providers offer network policy support, either by default or through add-ons
  • Refer Here for the specs written
  • As discussed in the class we have applied the network policy to pods
  • Exercises:
    • Try namespace restrictions
    • Come up with a design to make network policy mandatory in your namespace
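
The three selector types listed above (CIDR blocks, pod label selectors, namespaces) combined in one set of manifests. This is an added example, not the spec written in class; the namespace names `shop` and `frontend`, the labels `app: api` / `app: db`, the ports and the CIDR ranges are all constructed for illustration.

```yaml
# 1) Default deny: the empty podSelector matches every pod in "shop",
#    and no ingress rule is listed, so all inbound traffic is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop            # constructed namespace name
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2) Policies are additive: this one opens specific paths for the db pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-allow-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: db                # constructed label
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # Pod label selector: api pods in the same namespace
        - podSelector:
            matchLabels:
              app: api
        # Namespace selector: any pod in the "frontend" namespace
        # (this label is set automatically on every namespace)
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: frontend
      ports:
        - protocol: TCP
          port: 5432
  egress:
    # CIDR block: db pods may only reach this range on 443, minus one subnet.
    # No DNS rule is listed, so db pods cannot resolve names.
    - to:
        - ipBlock:
            cidr: 10.0.0.0/16
            except:
              - 10.0.5.0/24
      ports:
        - protocol: TCP
          port: 443
```

These manifests are accepted by the API server on any cluster, but they only take effect when the installed CNI plugin enforces network policy.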

Break till 7:25 PM

Storage in kubernetes

  • Overview
  • Components

    • Persistent Volumes: This represents a storage resource in the k8s cluster, which can be provisioned by an admin or dynamically using a storage class
    • Persistent Volume Claims: This is a request for storage with the desired characteristics of storage
      • size
      • access mode
      • storage class
    • Storage classes: This is a resource in k8s that defines the properties and provisioning details for a particular class of storage. It abstracts the complexities of the underlying storage infrastructure and simplifies its use through parameters such as volume type, access modes and volume size

CSI (Container storage interface)

  • This is a standard for connecting container orchestration tools like k8s with various storage systems or providers.
  • This allows us to attach and manage external storage volumes to containers.
  • CSI is important in the context of k8s for the following reasons
    • Abstraction and Portability
    • Vendor Neutrality
    • Dynamic Provisioning
    • Snapshot and Cloning
    • Volume expansions
  • Refer Here for the vendors


By continuous learner
