Kubernetes NetworkPolicy enforcement for EC2 security groups (#1745 ph4).
The Docker backend filters traffic with host nftables (phase 3). k8s Pods
share a flat L3 network with no bridge to hook, so isolation there is
expressed as NetworkPolicy objects (L3/L4 pod/IP selectors) and enforced
by the cluster CNI — if the CNI enforces NetworkPolicy at all. Several
common CNIs (notably kind’s default kindnet) ignore NetworkPolicy, so this
module always creates the (correct) policies and degrades gracefully:
it detects the CNI, warns once when enforcement isn’t guaranteed, and never
blocks Pod creation on it.
Pluggable CNI
CniDriver abstracts “does this cluster enforce NetworkPolicy”. Calico is
the first known-enforcing driver; the enum is the extension point for
Cilium/others. Detection is best-effort (presence of the CNI’s API group /
components); unknown CNIs degrade to “create but don’t assume enforcement”.
The policy translation (build_policies) is pure and unit-tested; the
apply path lives in the k8s client.
Enums
- CniDriver: Container Network Interface plugins fakecloud knows how to reason about for NetworkPolicy enforcement. The pluggable seam: add a variant + detection to support a new enforcing CNI.
Functions
- build_policies: Build one NetworkPolicy per instance from the shared flattened rules. Each policy selects its instance Pod and restricts ingress/egress to the CIDRs + ports its security groups allow.
- instance_label: This fakecloud process’s ownership label, stamped on every policy so the reaper can prune policies orphaned by a previous process.
- policy_name: Name of the NetworkPolicy backing one instance.
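The translation and reaping described above, as an added, self-contained illustration (not fakecloud’s own code): flattened security-group rules are grouped per instance into a NetworkPolicy-shaped value whose podSelector matches the instance label, whose policyTypes always lists both Ingress and Egress (so an instance with no rules in one direction gets default-deny there rather than the Kubernetes default of “unrestricted”), and which carries the owner label the reaper keys on. The rule/policy structs, the label keys and the `sg-<instance>` naming scheme are assumptions for the example; the real crate’s types are not shown on this page.

```rust
use std::collections::BTreeMap;

// Constructed model for this example; fakecloud's real rule type is not on the page.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Direction { Ingress, Egress }

/// One flattened security-group rule: instance, direction, CIDR, inclusive port range.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct FlatRule {
    pub instance_id: String,
    pub direction: Direction,
    pub cidr: String,
    pub port_from: u16,
    pub port_to: u16,
}

/// An ipBlock peer plus the port range it is allowed on.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Peer { pub cidr: String, pub port_from: u16, pub port_to: u16 }

/// Subset of a networking.k8s.io/v1 NetworkPolicy that the translation fills in.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct NetworkPolicy {
    pub name: String,
    pub labels: BTreeMap<String, String>,
    pub pod_selector: BTreeMap<String, String>,
    pub policy_types: Vec<&'static str>,
    pub ingress: Vec<Peer>,
    pub egress: Vec<Peer>,
}

// Assumed label keys (placeholders, not the crate's real keys).
pub const OWNER_LABEL: &str = "example.invalid/fakecloud-owner";
pub const INSTANCE_LABEL: &str = "example.invalid/instance";

/// Deterministic policy name for one instance (assumed scheme).
pub fn policy_name(instance_id: &str) -> String {
    format!("sg-{}", instance_id.to_ascii_lowercase())
}

/// Pure translation: every known instance gets exactly one policy, even with no
/// rules, so "no rules" means default-deny instead of "no policy, allow all".
pub fn build_policies(instances: &[&str], rules: &[FlatRule], owner: &str) -> Vec<NetworkPolicy> {
    let mut out: BTreeMap<&str, NetworkPolicy> = BTreeMap::new();
    for id in instances {
        out.insert(id, NetworkPolicy {
            name: policy_name(id),
            labels: BTreeMap::from([(OWNER_LABEL.to_string(), owner.to_string())]),
            pod_selector: BTreeMap::from([(INSTANCE_LABEL.to_string(), id.to_string())]),
            // Listing both types makes each direction isolated even when its list is empty.
            policy_types: vec!["Ingress", "Egress"],
            ingress: Vec::new(),
            egress: Vec::new(),
        });
    }
    for r in rules {
        // Rules for instances we were not asked about are ignored, not invented.
        let p = match out.get_mut(r.instance_id.as_str()) { Some(p) => p, None => continue };
        let peer = Peer { cidr: r.cidr.clone(), port_from: r.port_from, port_to: r.port_to };
        match r.direction {
            Direction::Ingress => p.ingress.push(peer),
            Direction::Egress => p.egress.push(peer),
        }
    }
    out.into_values().collect()
}

/// Reaper input: names of policies stamped with *this* owner that are no longer desired.
/// Policies owned by another process (or unlabelled) are left alone.
pub fn orphaned<'a>(existing: &'a [NetworkPolicy], desired: &[NetworkPolicy], owner: &str) -> Vec<&'a str> {
    existing
        .iter()
        .filter(|p| p.labels.get(OWNER_LABEL).map(String::as_str) == Some(owner))
        .filter(|p| !desired.iter().any(|d| d.name == p.name))
        .map(|p| p.name.as_str())
        .collect()
}

fn main() {
    // Constructed sample: one instance with an HTTPS ingress and DNS egress rule, one with none.
    let rules = vec![
        FlatRule { instance_id: "i-0a1".into(), direction: Direction::Ingress, cidr: "10.0.0.0/8".into(), port_from: 443, port_to: 443 },
        FlatRule { instance_id: "i-0a1".into(), direction: Direction::Egress, cidr: "0.0.0.0/0".into(), port_from: 53, port_to: 53 },
    ];
    for p in build_policies(&["i-0a1", "i-0b2"], &rules, "proc-1") {
        println!("{} ingress={} egress={}", p.name, p.ingress.len(), p.egress.len());
    }
}
```

The reaper filter is the part worth checking in review: it must match on the owner label value, not merely its presence, or one fakecloud process would delete policies belonging to another process sharing the cluster.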