(available in Netris v. 2.10.0, to be released in 09/2020)
The best place to restrict traffic is as close as possible to its origin. For traffic between pods, many CNI plugins do a good job of enforcing policy close to the pod, to varying extents (learn more about CNI plugins in the Kubernetes Cluster Networking documentation).
But what about traffic destined for a pod that originates outside the Kubernetes cluster, such as incoming traffic from the Internet or from other systems connected to the same physical network? Some CNI plugins enforce policy on that traffic too. Netris, however, extends the restriction mechanism to your border router, so that unwanted traffic is stopped before it enters your network.
Netris extends CNI policy enforcement to your border routers and network switches automatically. The Netris controller syncs policy constructs from your Kubernetes cluster and generates rules that restrict unwanted traffic as close to its origin as possible, with minimal or no impact on overall network performance.
The Netris DPDK router/load-balancer applies L3-L7 rules automatically derived from Kubernetes network policies, Cilium network policies, and Calico network policies. Enforcement happens in the DPDK application and involves only traffic destined for Kubernetes pods (i.e., services exposed through a LoadBalancer Service). This makes the most efficient use of CPU resources, since CPU-intensive L7 operations are applied only to the relevant traffic.
Netris-managed switches deploy L3-L4 rules automatically derived from Kubernetes network policies to restrict unwanted traffic originating from other systems that coexist on the same physical network. Switches enforce policies using the capabilities of the switching silicon (ASIC), so policy rules do not cause any performance degradation. The caveat is that the number of policies per switch is limited (the limit varies across ASIC vendors). Netris therefore uses optimization algorithms to minimize the number of rules pushed into the ASIC, preventing exhaustion of the ASIC's filtering capacity and the failures that could follow.
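The two paragraphs above describe deriving L3-L4 edge rules from a Kubernetes NetworkPolicy and keeping the rule count small. The following added example is an illustrative model of that derivation written for this page; it is not Netris code and does not claim to be the controller's actual algorithm. It assumes a NetworkPolicy-shaped dict (constructed sample below, using RFC 5737 documentation addresses), a constructed LoadBalancer VIP, and a first-match ACL semantics on the edge device. Only `ipBlock` peers are turned into edge rules, because `podSelector` and `namespaceSelector` peers describe in-cluster sources the border device never sees.

```python
"""Illustrative model of deriving L3-L4 ACL rules from a Kubernetes NetworkPolicy
for traffic that reaches a border router or switch. Constructed example; not
Netris code."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    protocol: str        # "tcp", "udp", "sctp" or "any"
    src: str             # source prefix, e.g. "203.0.113.0/24"
    dst: str             # destination prefix (the exposed service VIP)
    port: Optional[int]  # destination port; None matches any port


def dedupe(rules: List[Rule]) -> List[Rule]:
    """Drop exact duplicate rules while keeping order. A minimal stand-in for the
    rule-count optimisation the text mentions: ASIC filter tables are finite."""
    seen, out = set(), []
    for r in rules:
        if r not in seen:
            seen.add(r)
            out.append(r)
    return out


def ingress_acl(policy: dict, service_vip: str) -> List[Rule]:
    """Translate the ingress section of a NetworkPolicy-shaped dict into an
    ordered, first-match ACL protecting one exposed service VIP.

    'except' ranges are emitted as denies ahead of the permit for their parent
    CIDR, and the list ends with a catch-all deny, mirroring the default-deny a
    pod gets once a NetworkPolicy selects it."""
    dst = f"{service_vip}/32"
    spec = policy["spec"]
    rules: List[Rule] = []
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return rules
    for ingress in spec.get("ingress", []):
        # An omitted 'ports' list means all ports; an omitted protocol means TCP.
        ports = ingress.get("ports") or [{"protocol": "any", "port": None}]
        for peer in ingress.get("from", []):
            block = peer.get("ipBlock")
            if block is None:
                continue  # in-cluster peer: enforced by the CNI, not at the edge
            allowed = str(ip_network(block["cidr"], strict=False))
            for carve in block.get("except", []):
                rules.append(Rule("deny", "any", str(ip_network(carve, strict=False)), dst, None))
            for p in ports:
                proto = str(p.get("protocol", "TCP")).lower()
                rules.append(Rule("permit", proto, allowed, dst, p.get("port")))
    rules.append(Rule("deny", "any", "0.0.0.0/0", dst, None))
    return dedupe(rules)


def evaluate(rules: List[Rule], src_ip: str, protocol: str, port: int) -> str:
    """First-match lookup: return the action of the first rule matching the flow."""
    src = ip_address(src_ip)
    for r in rules:
        if src not in ip_network(r.src):
            continue
        if r.protocol not in ("any", protocol):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action
    return "deny"  # unreachable with the catch-all, kept for safety


# Constructed sample policy: allow HTTPS from one external /24, minus a /28
# inside it; the podSelector peer is in-cluster and produces no edge rule.
SAMPLE_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "web-ingress", "namespace": "shop"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [
                {"ipBlock": {"cidr": "203.0.113.0/24", "except": ["203.0.113.64/28"]}},
                {"podSelector": {"matchLabels": {"role": "monitor"}}},
            ],
            "ports": [{"protocol": "TCP", "port": 443}],
        }],
    },
}

SERVICE_VIP = "198.51.100.10"  # constructed LoadBalancer VIP for the web service

if __name__ == "__main__":
    acl = ingress_acl(SAMPLE_POLICY, SERVICE_VIP)
    for rule in acl:
        print(rule)
    print(evaluate(acl, "203.0.113.7", "tcp", 443))   # permit
    print(evaluate(acl, "203.0.113.70", "tcp", 443))  # deny: carved-out /28
    print(evaluate(acl, "203.0.113.7", "tcp", 80))    # deny: port not allowed
```

Running the block prints three rules (a deny for the `except` range, a permit for TCP/443 from the parent /24, and the catch-all deny) followed by the three lookups. The point to take from it is the ordering: carve-outs must precede their parent permit on a first-match device, and the catch-all deny is what turns a NetworkPolicy's allow-list into an actual restriction at the edge.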