Network Segmentation
Network segmentation is a common practice to ensure isolation between tenants. In Kubernetes, Kube-OVN is a network plugin that provides advanced networking capabilities such as isolation through Virtual Private Clouds (VPCs), security policies, and subnet segregation.
Kube-OVN, as its name implies, is an integration of the OVN/OVS based networking with Kubernetes. Multi-tenancy with VPCs is generally considered a best practice. Kube-OVN enables multi-tenant networking in Kubernetes by introducing a new set of networking CRDs:
- VPC
- Subnet
- NAT-Gateway
Info
Read our introductory and customization blogs on kube-ovn to learn how users can customize and use Kube-OVN on Rafay MKS clusters.
Watch a video showcasing how users can customize and configure Kube-OVN as the primary CNI on Rafay MKS Kubernetes clusters.
Why is Segmentation Important for Multi Tenancy?¶
In the section below, we describe why network segmentation is a critical control to achieve multi-tenancy in a shared Kubernetes environment.
Fine-Grained Network Isolation¶
Native Kubernetes networking assumes all Pods can communicate with each other. For multi-tenancy, strict isolation is essential, especially in shared environments. Kube-OVN supports the creation of VPCs, subnets, and logical routers, enabling network segmentation at a tenant level. With this, you can:
- Isolate network traffic between different tenants (e.g., teams, departments, or applications).
- Prevent unauthorized cross-communication between namespaces.
Support for Virtual Private Clouds (VPCs)¶
Multi-tenancy often requires each tenant to feel as though they have their own dedicated network environment, akin to traditional cloud VPCs. Kube-OVN allows you to create VPC-like constructs in Kubernetes, where each tenant can have its own private network with separate subnets, routes, and policies.
Advanced Security Features¶
Native Kubernetes NetworkPolicies are limited in scope and lack some of the more advanced features needed for multi-tenant environments. Kube-OVN supports advanced security capabilities such as:
- Security groups and ACLs: Define ingress/egress rules at the network level to restrict traffic between Pods, subnets, or namespaces.
- Policy-based traffic control: Apply fine-grained policies to allow or deny traffic between tenants or external resources.
Tenant-Level Resource Allocation¶
In a shared cluster, ensuring fair and isolated resource allocation is critical to prevent tenant interference. With Kube-OVN, you can assign unique subnets and IP pools to specific tenants or namespaces. This ensures:
- No IP conflicts between tenants.
- Network traffic accounting and bandwidth control per tenant.
Logical Routing and NAT¶
Multi-tenancy often requires tenants to access shared external services while maintaining internal network isolation. Kube-OVN includes a built-in logical router to handle routing between subnets, VPCs, and external networks. It also supports NAT for accessing external services securely.
Cross-Tenant and External Connectivity¶
Tenants often need controlled access to shared databases, APIs, or legacy systems without compromising isolation. Kube-OVN provides static routes and BGP support, allowing tenants to connect securely to external networks, shared services, or other clusters.