Opened via https://github.com/rancher/docs/issues/2178. We use rancher/k3s for tracking docs currently, as it's easier to manage on our boards.
What exactly does disable network policy do? From a user standpoint, I don't see any docs on what the network policy is to begin with (google "k3s network policy" or search the docs page). So, I'm not sure what is being disabled when I use the --disable-network-policy flag or how it correlates to other flags such as the group for networking:
--cluster-cidr value (networking) Network CIDR to use for pod IPs (default: "10.42.0.0/16")
--service-cidr value (networking) Network CIDR to use for services IPs (default: "10.43.0.0/16")
--cluster-dns value (networking) Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)
--cluster-domain value (networking) Cluster Domain (default: "cluster.local")
--flannel-backend value (networking) One of 'none', 'vxlan', 'ipsec', or 'flannel' (default: "vxlan")
Further, we should talk about network policy in general some - not just what it means to disable default k3s network policy.
This is actually a good question and caught me by surprise when a network policy was being enforced despite my understanding that flannel doesn't support them.
I dug around a bit and it looks like k3s implements an internal network policy controller based on the kube-router one; you can see PR #913 where it was added. So I'm doing some digging to see if I can assist with updating the documentation around this some.
Does the internal network policy controller have to be disabled if installing something like Calico? Also since this is fundamentally different than Kubernetes afaik, it should probably be documented that this controller exists in the first place and some details on how to use it.
In docs we may want to touch on this upstream issue as well: https://github.com/cloudnativelabs/kube-router/issues/873
I am also wondering: with the option to disable kube-proxy, we can run cilium and kube-router, so does using kube-router mean we can use their NPC instead? The issue I linked above is trying to apply this policy but it doesn't work when using cilium + kube-router. Sorry if this question doesn't make much sense; I am new to this :D