This message was deleted.

How about Calico? I'm specifically interested in getting Traefik Ingress working with Calico on single node K3s.

You’re saying you need network policies beyond what core Kubernetes supports in the NetworkPolicy resource?

Well, kube-ovn used openvswitch underneath, so I could assign a IP cidr to a namespace.... like a vlan for each tenant. Then I was setting some allow/deny policies between tenant namespaces as well as some QoS limits between namespace subnets where traffic was allowed. Right now, I'd love to just get namespace isolation between a few tenant namespaces. I think I've got that setup with Calico now, or at least it'd seem so, however it doesn't appear that Flannel supports those allow/deny policies at all. But the problem with Calico is that none of my Traefik ingresses are functioning. All restricted namespaces do allow traffic from kube-system...so I don't think the policies are screwing traefik up.

k3s ships with the kube-router netpol controller, so it does support (and enforce) everything that you can express in a NetworkPolicy resource.

🤔 So deploying the policies for namespace isolation must not be working for other reasons.

it should work right out of the box, if you’re using the flannel cni and kube-router netpol controller that come with k3s

The network policy looks like so:

apiVersion: <http://networking.k8s.io/v1|networking.k8s.io/v1>
kind: NetworkPolicy
metadata:
  name: t1-allow-ingress-from-t2-and-t3
  namespace: t1
spec:
  podSelector:
    matchLabels: {}
  ingress:
    - from:
        - namespaceSelector:
            matchExpressions:
              - { key: name, operator: In, values: [kube-system, t1, t2, t3] }

where tN refers to tenant1..N

I think that would match no pods? As per the upstream docs:

podSelector: Each NetworkPolicy includes a podSelector which selects the grouping of pods to which the policy applies. The example policy selects pods with the label "role=db". An empty podSelector selects all pods in the namespace.

You don’t have an empty podSelector. You have a podSelector with an empty label selector.

Have to say, Kube-OVN worked great, but powers-that-be nixed it because China.

I’m disappointed to hear that an open-source project was nixed due to political reasons. It’s unfortunate that geopolitical factors are impacting the decision.

@creamy-pencil-82913 nice catch, I'm not sure if that's in there from my mistake or copy-pasta from a guide I found.

kube-ovn (from Alauda, Chinese company) is a CNCF project (as of 2021). Somewhat confusing, a separate effort from Red Hat called ovn-kubernetes is not a CNCF project nor part of the k8s networking sig. Red Hat has incorporated k8s user defined networks with its ovn-kubernetes.

OVN-Kubernetes has recently become a CNCF project as well. However, it’s primarily used in OpenShift environments.

i didn't know that. thanks @thousands-beard-257

Indeed, both Kube-OVN and ovn-kubernetes are built on top of OVN and will likely converge in capabilities over time. The main difference lies in their initial design approaches: - Kube-OVN exposed more OVN native SDN capabilities early on (VPC, Subnet, ACL etc.) - ovn-kubernetes initially focused more narrowly on Kubernetes networking requirements With OpenShift’s virtualization focus, they’ll likely need similar SDN features that Kube-OVN already provides. The projects may become more aligned in the future as requirements converge.