Understanding Kubernetes Networking. Part 6: Calico Network Policies

  • Published 5 Nov 2024

COMMENTS • 15

  • @tornado8937
    @tornado8937 3 years ago +3

    Hi sir, your videos are a very great source of information. Do you have any installation video for Kubernetes with dual stack with IPv4 and IPv6?

    • @TheLearningChannel-Tech
      @TheLearningChannel-Tech 3 years ago +2

      @Tornado, hello and thank you for your compliment! Unfortunately I don't have a video on setting up a dual-stack networked cluster. I may consider such a video for the future depending on demand. Thanks.

  • @thenrajr3311
    @thenrajr3311 1 year ago

    Good material

  • @pankpunk1
    @pankpunk1 6 months ago

    Thanks a lot for posting this. I have one question related to setting up network policies. We have a use case wherein multiple applications are sitting in their own namespaces, and these applications are accessible through the ingress controller using Ingress. We want to whitelist traffic coming to each namespace using tools like Calico. I found that although we are able to get the source IP of the client visible in the ingress controller, the application pods only receive the source IP of the ingress controller. I did manage to get the source IPs in the request headers, and it looks like I will have to try Istio for further traffic whitelisting on the basis of the headers. My question is: is this approach good, or is there a better way to achieve what I want to achieve?

    • @pankpunk1
      @pankpunk1 6 months ago

      So suppose I want client A to access the application in namespace X but not the application in namespace Y. How do I whitelist this at the namespace level when this client is coming from outside the cluster through the ingress controller?

    • @TheLearningChannel-Tech
      @TheLearningChannel-Tech 6 months ago

      Hi,
      Which IPs are you referring to? The IP addresses of clients that are calling from outside the cluster? In that case, you'll need to leverage a firewall that sits before the external load balancer and ingress controller. This is because, as you noticed, the client IPs are NATed.

    • @pankpunk1
      @pankpunk1 6 months ago

      @TheLearningChannel-Tech Yes, I want to whitelist the addresses of clients calling from outside the cluster. After using the proxy protocol feature of the ingress controller, I am able to see the actual client IPs in the ingress controller, but I am still trying to figure out how to get these IPs whitelisted in the application pods, which are reached through the Ingress and are sitting in a different namespace per application.

    • @pankpunk1
      @pankpunk1 6 months ago

      So the intention is to filter at the namespace level, with each namespace allowing a different set of IPs to access the application it contains.

    • @pankpunk1
      @pankpunk1 6 months ago

      I am coming to think that Istio might be the solution here and will try that out; I don't think Calico can help here. I read about the Calico eBPF dataplane but am not sure about it.
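To make the namespace-level part of the discussion above concrete, here is an added example (not from the video, the channel, or any of the commenters) of a Calico namespaced NetworkPolicy that restricts the application pods in one namespace so that they accept inbound connections only from the ingress controller's namespace. The namespace names (app-x, ingress-nginx), the pod label (app == 'web') and the container port (8080) are assumptions for the illustration. As the channel's reply notes, the source address the pods see is the ingress controller's, so a policy at this layer can allow or deny the ingress controller as a whole but cannot distinguish individual external clients; that filtering has to happen before the load balancer and ingress controller, or at a layer (such as a proxy) that reads the forwarded client address.

```yaml
# Added example (not part of the original page). Calico v3 namespaced policy.
# Applies to pods labelled app == 'web' in the assumed namespace app-x.
# Once a Calico policy selects an endpoint, traffic in the listed types
# (here: Ingress) is denied unless an Allow rule matches, so anything
# not from the ingress-controller namespace is dropped at the pod.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller-only
  namespace: app-x            # assumed application namespace ("namespace X")
spec:
  order: 100
  selector: app == 'web'      # assumed pod label on the application pods
  types:
    - Ingress
  ingress:
    # Allow TCP to the app port only when the connection originates from
    # a pod in the ingress controller's namespace. Calico evaluates this
    # against the packet source IP, which after the ingress controller's
    # hop is the controller pod's IP, not the external client's.
    - action: Allow
      protocol: TCP
      source:
        namespaceSelector: kubernetes.io/metadata.name == 'ingress-nginx'  # assumed
      destination:
        ports:
          - 8080              # assumed container port of the application
```

A second copy of this policy with a different namespace and selector covers namespace Y. Because both namespaces end up allowing the same ingress controller, per-client allow-listing (client A may reach X but not Y) still has to be enforced where the real client address is visible, which is the point the channel's reply makes.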