CN2 Namespace isolation

0:00 cn2 brings high performance and high

0:02 functionality routing and switching into

0:04 the server this means that we can easily

0:06 create segments and partitions within

0:08 the cluster with segmentation not

0:10 everything has to be a network policy we

0:13 can have a much more abstract level of

0:15 isolation and use micro segmentation to

0:18 further isolate within a function

0:19 isolated namespaces resolves one of the

0:22 key challenges of kubernetes networking

0:24 which is that

0:26 it is a flat Network this means that

0:29 with kubernetes networking

0:31 there is one subnet for all pods one for

0:34 inter cluster services and one for

0:36 externally exposed services

0:39 this becomes a big challenge when you

0:41 want to isolate more in your cluster to

0:43 see the advantages of this feature in

0:45 real world applications we have a

0:48 cluster set up on ews eks with cn2 as

0:51 the cluster cni additionally we're

0:54 running Google Boutique and e-commerce

0:56 microservices application

0:58 this application has two transactional

1:01 modules

1:03 front end and checkout and the remaining

1:05 are static modules so you can think of

1:07 it as your backend with isolated

1:10 namespaces you get your own pair of

1:13 virtual networks one for pods and the

1:15 other four services

1:18 to interconnect between the namespaces

1:22 cn2 facilitates interconnectivity

1:24 patterns like mesh or Hub and spoke for

1:28 our purposes we have used Hub and spoke

1:30 in here we have isolated namespace 1 and

1:34 isolated namespace 2 which acts as the

1:37 Hub

1:39 for the blue Hub we have connectivity

1:42 with

1:43 red purple and yellow and green

1:47 and for the green Hub we have

1:48 connectivity with red purple and yellow

1:51 on the bottom right corner you will see

1:53 the Google booty cap

1:55 let's go ahead and purchase a watch

1:58 have to cut

2:01 place order

2:02 as you can see the order is complete now

2:05 we'll try and see if we can disconnect

2:07 our purple spoke from the green hub

2:11 so we won't be able to access the cart

2:13 let us start by looking at the

2:15 namespaces

2:20 as we can see here we have

2:23 five different namespaces each

2:26 pertaining to the Box described here if

2:29 we go further in we'll be able to

2:31 identify

2:33 the parts associated

2:36 with these namespaces

2:38 so for blue you see front end and low

2:40 generator and so on

2:42 now let's quickly look into the vegan

2:44 hours as well

2:50 as you can see here we see the two hubs

2:53 that's blue and green and then the

2:55 remaining are spokes and let's edit the

2:58 purple spoke

3:02 let's tag the green Hub with a dummy

3:08 and this should help us disconnect the

3:11 purple from the green

3:16 now let's try adding the watch again

3:19 add to cart

3:23 place order

3:25 and as you can see

3:26 we can't proceed ahead

3:28 this errors out so now you can see an

3:31 error message

3:32 let's go back and revert our changes

3:46 let's refresh the page

3:52 and are always complete isolated

3:54 namespaces not only helps with

3:57 segmentation and ease of isolation

4:00 it also helps with security

4:04 kubernetes allows traffic by default so

4:07 it is insecure by default

4:09 and you make it secure by applying

4:10 Network policies

4:12 whereas when we start switching to

4:14 isolated namespaces we are secure by

4:16 default and we need to set up

4:18 communication like vnrs to communicate

4:21 between two namespaces