Module Description

This module manages network policies.

Deckhouse implements a conservative approach to organizing the network based on elementary network backends, such as “pure” CNI or flannel in the host-gw mode. This approach is reliable and straightforward and turned out to be the best.

The NetworkPolicy implementation in Deckhouse is also solid and straightforward. It is based on kube-router in the Network Policy Controller mode (--run-firewall). In this case, kube-router transforms NetworkPolicy network policies into iptables rules. The latter, in turn, work with any installations (regardless of the cloud or the CNI used).

The network-policy-engine module deploys a d8-system Daemonset in the namespace with kube-router in the Network Policy Controller mode. As a result, the Kubernetes cluster fully supports Network Policies.

The following policy description formats are supported:

  • API
  • network policy V1/GA semantics
  • network policy beta semantics

Example recipes are available here.