How to Manage VLANs for RKE2 Kubernetes Clusters?

Asked By CuriousCoder92 On

Hey folks! I'm working on setting up multiple RKE2 Kubernetes clusters using Rancher in an on-prem environment, and I could really use your input. Right now, we have virtual machines that are set up with two network interfaces: one for management and another for application traffic. The challenge we're facing is that most Container Network Interfaces (CNIs) only support bridging pods on a single network interface. This means that our API server would need to operate over the application VLAN, which raises some security concerns with our team. They're hesitant to allow any administration over that VLAN due to strict infrastructure security measures. I'm curious how others have navigated this situation. Have you discussed it with your security or infrastructure teams? Any practical advice or experiences you could share?

3 Answers

Answered By TechSavant45 On

Consider setting up host firewall rules. You can configure your API server to bind to 0.0.0.0:6443 (or whatever port you’re using) but restrict access to that port solely through the management VLAN. Alternatively, you could avoid giving control plane nodes an IP on the application VLAN, letting the worker nodes connect to the servers via a DNS name that only resolves on the management VLAN. Just a heads-up though, managing multiple networks can be quite complex, so weigh the pros and cons!
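As an added illustration of the host-firewall approach in this answer (example written for this page, not TechSavant45's own configuration), the shell function below emits an nftables ruleset that admits the RKE2 API port 6443 and the RKE2 supervisor port 9345 only from the management interface and subnet, and drops the same ports when they arrive on the application VLAN interface. The interface names and the management CIDR are assumed placeholders.

```shell
# Constructed example: generate an nftables ruleset that exposes the RKE2
# control-plane ports (tcp/6443 API server, tcp/9345 supervisor) only on the
# management VLAN. MGMT_IF, MGMT_CIDR and APP_IF are assumed names; adjust
# them to the real host interfaces and subnet.
gen_rke2_rules() {
    mgmt_if="$1"; mgmt_cidr="$2"; app_if="$3"
    cat <<EOF
table inet rke2_ctl {
    set ctl_ports {
        type inet_service
        elements = { 6443, 9345 }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # Control-plane ports are reachable from the management VLAN only
        iifname "$mgmt_if" ip saddr $mgmt_cidr tcp dport @ctl_ports accept
        # The same ports arriving on the application VLAN are logged and dropped
        iifname "$app_if" tcp dport @ctl_ports log prefix "rke2-ctl-app-vlan " drop
        # Anything else reaching these ports (other interfaces) is dropped too
        tcp dport @ctl_ports drop
    }
}
EOF
}

# Helper for checking the generated ruleset: number of rules that touch the
# control-plane port set (one accept, two drops).
count_ctl_rules() {
    gen_rke2_rules "$@" | grep -c '@ctl_ports'
}

# Usage: gen_rke2_rules eth0 10.10.0.0/24 eth1 > /etc/nftables.d/rke2.nft
#        nft -c -f /etc/nftables.d/rke2.nft   # syntax-check before loading
```

Pair this with `--bind-address`/`--advertise-address` set to the management IP in the RKE2 server config so the API server also advertises only the management address, and keep the final drop rule so a third interface added later does not silently expose the ports.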

Answered By NetworkNinja88 On

You might want to look into using Multus! It's really versatile and lets you attach multiple network interfaces to your pods. For instance, with KubeVirt VMs, you don’t have to expose the pod network to the guest; they behave like traditional VMs. Plus, you can set up Multus interfaces as egress gateways, which is super useful along with good network policies. Just think of it like how you manage VMkernel ports and ports in VMware — it can really simplify your setup.

Answered By CloudCrafter77 On

Using load balancers might be a straightforward solution! You could place your control plane on the management network, accessible only through a load balancer where you can whitelist IPs. Meanwhile, keep your workers and their load balancer on the application network. This setup keeps your architecture simpler and more secure, ultimately directing all traffic through the load balancer instead of going direct.
