Rasika Subramanian, Staff Product Manager, Juniper Networks

CN2 Namespace isolation

Demo Drop Telco Cloud
Rasika Subramanian Headshot

CN2 brings high performance and high functionality routing and switching into the server. In this demo, CN2 uses namespace isolation as an additional level of abstraction to easily create secure network partitions to solve a key challenge of Kubernetes flat networking.

Show more

You’ll learn

  • About segmentation

  • Key challenges with Kubernetes networking

Who is this for?

Network Professionals Security Professionals


Rasika Subramanian Headshot
Rasika Subramanian
Staff Product Manager, Juniper Networks


0:00 cn2 brings high performance and high

0:02 functionality routing and switching into

0:04 the server this means that we can easily

0:06 create segments and partitions within

0:08 the cluster with segmentation not

0:10 everything has to be a network policy we

0:13 can have a much more abstract level of

0:15 isolation and use micro segmentation to

0:18 further isolate within a function

0:19 isolated namespaces resolves one of the

0:22 key challenges of kubernetes networking

0:24 which is that

0:26 it is a flat Network this means that

0:29 with kubernetes networking

0:31 there is one subnet for all pods one for

0:34 inter cluster services and one for

0:36 externally exposed services

0:39 this becomes a big challenge when you

0:41 want to isolate more in your cluster to

0:43 see the advantages of this feature in

0:45 real world applications we have a

0:48 cluster set up on ews eks with cn2 as

0:51 the cluster cni additionally we're

0:54 running Google Boutique and e-commerce

0:56 microservices application

0:58 this application has two transactional

1:01 modules

1:03 front end and checkout and the remaining

1:05 are static modules so you can think of

1:07 it as your backend with isolated

1:10 namespaces you get your own pair of

1:13 virtual networks one for pods and the

1:15 other four services

1:18 to interconnect between the namespaces

1:22 cn2 facilitates interconnectivity

1:24 patterns like mesh or Hub and spoke for

1:28 our purposes we have used Hub and spoke

1:30 in here we have isolated namespace 1 and

1:34 isolated namespace 2 which acts as the

1:37 Hub

1:39 for the blue Hub we have connectivity

1:42 with

1:43 red purple and yellow and green

1:47 and for the green Hub we have

1:48 connectivity with red purple and yellow

1:51 on the bottom right corner you will see

1:53 the Google booty cap

1:55 let's go ahead and purchase a watch

1:58 have to cut

2:01 place order

2:02 as you can see the order is complete now

2:05 we'll try and see if we can disconnect

2:07 our purple spoke from the green hub

2:11 so we won't be able to access the cart

2:13 let us start by looking at the

2:15 namespaces

2:20 as we can see here we have

2:23 five different namespaces each

2:26 pertaining to the Box described here if

2:29 we go further in we'll be able to

2:31 identify

2:33 the parts associated

2:36 with these namespaces

2:38 so for blue you see front end and low

2:40 generator and so on

2:42 now let's quickly look into the vegan

2:44 hours as well

2:50 as you can see here we see the two hubs

2:53 that's blue and green and then the

2:55 remaining are spokes and let's edit the

2:58 purple spoke

3:02 let's tag the green Hub with a dummy

3:08 and this should help us disconnect the

3:11 purple from the green

3:16 now let's try adding the watch again

3:19 add to cart

3:23 place order

3:25 and as you can see

3:26 we can't proceed ahead

3:28 this errors out so now you can see an

3:31 error message

3:32 let's go back and revert our changes

3:46 let's refresh the page

3:52 and are always complete isolated

3:54 namespaces not only helps with

3:57 segmentation and ease of isolation

4:00 it also helps with security

4:04 kubernetes allows traffic by default so

4:07 it is insecure by default

4:09 and you make it secure by applying

4:10 Network policies

4:12 whereas when we start switching to

4:14 isolated namespaces we are secure by

4:16 default and we need to set up

4:18 communication like vnrs to communicate

4:21 between two namespaces

Show more