# harvester
c
I haven’t used it much, but I can share what I played with before. It seems it can allow/block/alert traffic by group, where a group is defined by namespace, a single pod, or something else (pic1). You can set it up like this (pic2), which means SSL traffic from this group to external will be handled. Here, the group is defined as a namespace. Because this group’s policy mode is Monitor, it won’t block traffic, only alert on it. If you switch the policy mode to Protect (pic3), then it will block traffic.
rancher integration: https://ranchermanager.docs.rancher.com/integrations-in-rancher/neuvector/overview
neuvector documentation: https://open-docs.neuvector.com/policy/networkrules
BTW, I think a group can be defined at pod/container level instead of namespace, but I haven’t tried it yet.
r
Thanks Jack, but I tried that and unfortunately NeuVector doesn't see traffic from virtual machines, so it cannot apply policies to it - at least I was not able to force it on my Harvester setup (maybe I misconfigured something or I am missing something in general in my network configuration). I also checked KubeVirt, which according to its documentation should allow the use of standard K8s network policies to limit traffic to specific VMs, but also with no result. I know I could use a central virtual firewall/router to control traffic, but I like the idea of a distributed firewall, which I had in Proxmox, and I would like to have it somehow in Harvester.
c
I’m not sure if this one matches your need or not, but I did some work; you could check my demo video. I followed https://github.com/neuvector/neuvector-helm?tab=readme-ov-file#deploy-in-kubernetes to install it in my Harvester.
r
Thanks Jack for testing. I can confirm that for the masquerade network it works perfectly, but for all other bridged networks it doesn't work, as stated in the discussion on GitHub. So as far as I understand there are two options - somehow expose the masqueraded network to my internal network (which defeats the purpose of masquerade but can be done with some tricks) or use the SG feature, but my guess is it is still not there.