multi-networkpolicy implementation with nftables
This project is under active development and is not yet stable. Bug reports and feature requests are welcome.
Kubernetes provides Network Policies for network security. Currently net-attach-def does not support Network Policies, because net-attach-def is a CRD (user-defined resource) outside of core Kubernetes. multi-networkpolicy implements Network Policy functionality for net-attach-def using nftables and thereby provides network security for net-attach-def networks.
multi-networkpolicy-nftables runs as a DaemonSet on each Kubernetes node. It watches for MultiNetworkPolicy custom resources and translates them into nftables rules applied directly in pod network namespaces.
- Controllers (pkg/controllers/): Watch Kubernetes resources (Pods, Namespaces, MultiNetworkPolicies, NetworkAttachmentDefinitions) using client-go informers.
- Server (pkg/server/): Core orchestration and sync loop that coordinates controllers and triggers rule generation.
- Rule Generator (pkg/server/netfilterrules.go): Translates MultiNetworkPolicy specs into nftables rule sets using the google/nftables library.
- The daemon watches for changes to MultiNetworkPolicy resources and related objects (Pods, Namespaces, NetworkAttachmentDefinitions).
- On each sync cycle, it determines which pods are affected by which policies.
- For each affected pod, it enters the pod's network namespace and applies nftables rules that enforce the specified ingress/egress policies.
- When policies are removed, the corresponding nftables rules are cleaned up automatically.
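The component list and the sync-loop steps above describe two things: selecting the pods a policy applies to, and translating the policy into an nftables rule set for that pod's network namespace. The following Go program is an added illustration of both, not code from the multi-networkpolicy-nftables project: the Policy, Peer and Pod types are simplified assumptions (matchLabels only, IPv4 CIDR peers, TCP ports), and instead of programming the kernel through google/nftables it renders an nft script as text so the resulting rules can be read and checked offline.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Labels is a label set on a pod or a policy's podSelector.
type Labels map[string]string

// Matches implements matchLabels semantics: every selector key/value must
// be present on the pod (matchExpressions are not modelled here).
func (sel Labels) Matches(pod Labels) bool {
	for k, v := range sel {
		if pod[k] != v {
			return false
		}
	}
	return true
}

// Peer is one allowed source (ingress) or destination (egress).
type Peer struct {
	CIDR  string // assumed IPv4 CIDR, e.g. "10.1.1.0/24"
	Ports []int  // TCP ports; empty means any port
}

// Policy is a simplified stand-in for a MultiNetworkPolicy spec (assumed shape).
type Policy struct {
	Name        string
	Iface       string   // secondary interface the policy applies to, e.g. "net1"
	PodSelector Labels
	PolicyTypes []string // "Ingress" and/or "Egress"; an absent type is not restricted
	Ingress     []Peer
	Egress      []Peer
}

// Pod carries only what the selector needs.
type Pod struct {
	Name   string
	Labels Labels
}

// AffectedPods returns, sorted, the names of the pods the policy selects.
func AffectedPods(p Policy, pods []Pod) []string {
	var out []string
	for _, pod := range pods {
		if p.PodSelector.Matches(pod.Labels) {
			out = append(out, pod.Name)
		}
	}
	sort.Strings(out)
	return out
}

func hasType(p Policy, t string) bool {
	for _, pt := range p.PolicyTypes {
		if pt == t {
			return true
		}
	}
	return false
}

// portSet renders an nft anonymous set for the peer's ports, or nothing for "any port".
func portSet(ports []int) string {
	if len(ports) == 0 {
		return ""
	}
	s := make([]string, len(ports))
	for i, p := range ports {
		s[i] = fmt.Sprint(p)
	}
	return " tcp dport { " + strings.Join(s, ", ") + " }"
}

// chain writes one default-drop chain. Traffic on interfaces other than the
// policed one (e.g. the primary eth0) is accepted, so the policy only governs
// the net-attach-def interface; reply traffic is allowed via conntrack.
func chain(b *strings.Builder, name, hook, ifMatch, addrMatch, iface string, peers []Peer) {
	fmt.Fprintf(b, "\tchain %s {\n", name)
	fmt.Fprintf(b, "\t\ttype filter hook %s priority 0; policy drop;\n", hook)
	fmt.Fprintf(b, "\t\t%s != %q accept\n", ifMatch, iface)
	b.WriteString("\t\tct state established,related accept\n")
	for _, peer := range peers {
		fmt.Fprintf(b, "\t\tip %s %s%s accept\n", addrMatch, peer.CIDR, portSet(peer.Ports))
	}
	b.WriteString("\t}\n")
}

// RenderNft renders an idempotent nft script for one pod's network namespace:
// the table is (re)created on every sync, which is how stale rules disappear
// when a policy is removed. Table name is an assumption of this example.
func RenderNft(p Policy) string {
	var b strings.Builder
	const table = "multi_networkpolicy"
	fmt.Fprintf(&b, "add table inet %s\n", table)    // ensure it exists ...
	fmt.Fprintf(&b, "delete table inet %s\n", table) // ... so delete cannot fail
	fmt.Fprintf(&b, "table inet %s {\n", table)
	if hasType(p, "Ingress") {
		chain(&b, "ingress", "input", "iifname", "saddr", p.Iface, p.Ingress)
	}
	if hasType(p, "Egress") {
		chain(&b, "egress", "output", "oifname", "daddr", p.Iface, p.Egress)
	}
	b.WriteString("}\n")
	return b.String()
}

// ExamplePolicy is a constructed sample: web pods on net1 accept only
// TCP 80/443 from 10.1.1.0/24; egress is left unrestricted.
func ExamplePolicy() Policy {
	return Policy{
		Name: "allow-web", Iface: "net1",
		PodSelector: Labels{"app": "web"},
		PolicyTypes: []string{"Ingress"},
		Ingress:     []Peer{{CIDR: "10.1.1.0/24", Ports: []int{80, 443}}},
	}
}

func main() {
	pods := []Pod{{Name: "web-1", Labels: Labels{"app": "web"}}, {Name: "db-1", Labels: Labels{"app": "db"}}}
	fmt.Println("affected pods:", AffectedPods(ExamplePolicy(), pods))
	fmt.Print(RenderNft(ExamplePolicy()))
}
```

The rendered script would be applied with `nft -f` inside the selected pod's network namespace (for example via `nsenter`); note that a policy type that is not listed in PolicyTypes produces no chain at all, matching Kubernetes semantics where an unlisted direction stays unrestricted.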
Install MultiNetworkPolicy CRD into Kubernetes.
$ git clone https://github.com/k8snetworkplumbingwg/multi-networkpolicy
$ cd multi-networkpolicy
$ kubectl create -f scheme.yml
customresourcedefinition.apiextensions.k8s.io/multi-networkpolicies.k8s.cni.cncf.io created
Deploy multi-networkpolicy-nftables into Kubernetes.
$ git clone https://github.com/telekom/multi-networkpolicy-nftables
$ cd multi-networkpolicy-nftables
$ kubectl create -f deploy.yml
clusterrole.rbac.authorization.k8s.io/multi-networkpolicy created
clusterrolebinding.rbac.authorization.k8s.io/multi-networkpolicy created
serviceaccount/multi-networkpolicy created
daemonset.apps/multi-networkpolicy-ds-amd64 created
This project uses nftables, so the required netfilter modules need to be loaded on the container host:
# modprobe nf_ct
# modprobe nf_tables
See Configurations.
- Go 1.24+ (see go.mod for exact version requirements)
- Linux with nftables support (for tests)
- Docker (for container image builds)
- kind (for e2e tests)
- Bats (for e2e tests; install via brew install bats-core or your package manager)
go build ./cmd/multi-networkpolicy-nftables/
Unit tests require root privileges for nftables operations:
sudo modprobe nft_ct
sudo go test -v ./...
Lint with golangci-lint:
golangci-lint run
End-to-end tests use kind to create a cluster with Calico, Multus, and bond-cni:
cd e2e
./get_tools.sh
./setup_cluster.sh
./run_all_tests.sh
- Improved e2e test coverage and reliability
- Enhanced CI/CD pipeline with caching and security scanning
- Performance benchmarks for rule generation
For any questions about Multus CNI, feel free to ask a question in #general in the NPWG Slack, or open up a GitHub issue. Request an invite to NPWG slack here.
