Network Policies in Gardener
Because a Seed cluster can host the Kubernetes control planes of many Shoot clusters, these control planes must be isolated from each other for security reasons.
Besides deploying each control plane in its own namespace, Gardener creates network policies to isolate them on the network as well.
Essentially, network policies ensure that a pod can only talk to the pods it is supposed to talk to over the network; everything else is blocked at the Seed's CNI.
As such, network policies are an important part of Gardener's tenant isolation.
Gardener deploys network policies into
- each namespace hosting the Kubernetes control plane of a Shoot cluster.
- the namespace dedicated to Gardener's seed-wide global controllers. This namespace is often called garden and contains e.g. the Gardenlet.
- the kube-system namespace in the Shoot cluster itself.
The aforementioned namespaces in the Seed contain a deny-all network policy that denies all ingress and egress traffic.
This secure-by-default setting means that no pod may send or receive anything unless the traffic is explicitly allowed.
Pods allow traffic by carrying labels that match the pod selectors of the allow policies Gardener deploys alongside the deny-all policy; Kubernetes applies the union of all policies selecting a pod, so the deny-all remains in force for everything not explicitly permitted.
Note that a NetworkPolicy object is only enforced if the Seed's CNI plugin implements network policies; on a CNI without that support the objects exist but block nothing.
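The following manifests illustrate the pattern described above. They are an added example written for this page, not policies taken from Gardener; the namespace shoot--proj--demo, the policy names, the label networking.example/allowed-to-apiserver and the labels app=kubernetes,role=apiserver used to select the API server pods are all assumptions chosen for the illustration.

```yaml
# Added illustration, not a Gardener manifest. Namespace, policy names and
# labels below are assumptions made for this example.
---
# 1. Deny-all: the empty podSelector matches every pod in the namespace.
#    Listing both policyTypes while giving no ingress/egress rules means
#    nothing is allowed in either direction.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: shoot--proj--demo
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2a. Egress side: pods carrying the opt-in label may reach the API server
#     pods on TCP/443. Kubernetes unions the rules of all policies selecting
#     a pod, so deny-all still blocks everything not listed here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-apiserver
  namespace: shoot--proj--demo
spec:
  podSelector:
    matchLabels:
      networking.example/allowed-to-apiserver: "true"
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: kubernetes
          role: apiserver
    ports:
    - protocol: TCP
      port: 443
---
# 2b. Ingress side: because deny-all also covers ingress on the API server
#     pods, the receiving end needs its own allow rule or the connection is
#     still dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-labelled-pods
  namespace: shoot--proj--demo
spec:
  podSelector:
    matchLabels:
      app: kubernetes
      role: apiserver
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          networking.example/allowed-to-apiserver: "true"
    ports:
    - protocol: TCP
      port: 443
---
# 3. A pod opts in by carrying the matching label. A pod without it is
#    selected only by deny-all and therefore fully isolated.
apiVersion: v1
kind: Pod
metadata:
  name: controller
  namespace: shoot--proj--demo
  labels:
    networking.example/allowed-to-apiserver: "true"
spec:
  containers:
  - name: controller
    image: registry.example/controller:1.0
```

Two checks are worth doing after applying such policies: confirm that both directions are covered (a missing ingress allow on the server side is the usual reason a connection still fails under a bidirectional deny-all), and list the effective policies for a namespace with `kubectl get networkpolicy -n <namespace>` and `kubectl describe networkpolicy <name> -n <namespace>` to see which pod selectors a given pod's labels actually match.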