Should I Separate Networks for Management and Cluster in Kubernetes?

Asked By CuriousCoder42 On

I'm setting up an on-prem k3s Kubernetes cluster for a telco application, and I'm considering whether I should separate the networks like we did in the past, creating dedicated networks for management, cluster, and public access. The environment is entirely closed off from the public internet, exposing services through MetalLB in L2 mode with a private VIP, secured by firewalls and VPNs. Corporate policy recommends a clear separation of networks: a management network for logging into nodes and performing updates, a cluster network for Kubernetes operations, and a public network for announcing VIPs. My question is, does this make sense? I feel like the cluster network along with proper NetworkPolicies should suffice for security. The management network seems unnecessary because those maintaining the nodes would still need access to the cluster network. The public network seems the only logical separation, but if everything is firewalled and network policies are tight, I think the risk is lower. What do others think about separating networks in production Kubernetes environments? Is it excessive, or are there hidden security risks I'm not considering?

4 Answers

Answered By KubeMaster9 On

You might rethink separating networks since Kubernetes already supports robust policies to manage access and traffic. Managing everything on one network with proper mTLS and policies could be less of a hassle and still secure.

Answered By NetworkNinja88 On

Modern network security often relies on endpoint protection and mTLS (mutual TLS), so separating networks might not be necessary. Instead, you could implement Kubernetes network policies to manage traffic within the cluster effectively.
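
As an added example (not code from the thread), this is the kind of NetworkPolicy baseline the question and the answers above refer to, for k3s with a CNI that enforces NetworkPolicy (k3s ships its own policy controller). It governs pod-to-pod traffic only; SSH, kubelet and API-server access to the nodes themselves, which is what a management network is about, is outside its scope. Namespace names, labels and the port are assumptions.

```yaml
# Added example, not from the thread. Baseline for one namespace: deny all ingress,
# allow egress only to cluster DNS; then a second policy opening the API pods
# to the ingress controller alone. All names/labels below are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: baseline-deny
  namespace: telco-app            # assumed namespace
spec:
  podSelector: {}                 # applies to every pod in the namespace
  policyTypes:
    - Ingress                     # no ingress rules listed: all inbound pod traffic denied
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumed CoreDNS label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-api
  namespace: telco-app
spec:
  podSelector:
    matchLabels:
      app: telco-api              # assumed workload label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress   # assumed ingress-controller namespace
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik        # assumed controller label
      ports:
        - protocol: TCP
          port: 8443              # assumed container port
```

Verify enforcement empirically (a connection attempt from a pod in another namespace should time out), because a CNI that does not implement NetworkPolicy accepts these objects without applying them.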

Answered By SecuritySleuth22 On

It’s definitely doable, but requires careful planning. You could separate management application traffic (like ArgoCD and Grafana) using different ingress configurations. If everything is firewalled, you can secure those endpoints, but it might not prevent issues if a host is compromised. What's your overall threat model? If you're in a telco environment, you'd probably want to minimize traffic and exposure as much as possible.

Answered By DevOpsDude7 On

Having separate networks can complicate things, but sometimes it's beneficial for specific use cases like the data plane. In some of our on-prem RKE2 setups, we combined data plane and management traffic on one network while keeping workloads on another.
