Azure CNI
Palette supports Azure Container Network Interface (CNI) networking for Azure Kubernetes Service (AKS) clusters. Azure CNI enables each pod to have exclusive IP addresses from the subnet with direct accessibility.
To allocate unique IP addresses to individual pods, advanced forethought needs to be put in. As per the maximum pods supported by a node, IP addresses need to be reserved in advance. The default maximum number of pods per node varies between kubenet and Azure CNI networking and based on the method of cluster deployment.
Versions Supported
- 1.4.x
1.4.0
Azure CNI Policy Support
Network Policy is a Kubernetes specification that defines access policies for communication between pods. By default, AKS cluster pods can send and receive traffic without limitations. However, to ensure security, rules to control traffic flow can be defined. Network Policies define an ordered set of rules to send and receive traffic and applies them to a collection of pods that match one or more label selectors. Palette enables Network Policies to be included as part of a wider manifest that also creates a deployment or service. Palette leverages two (2) Network Policies from Azure CNI:
-
azure: Azure's own implementation, called Azure Network Policy.
-
calico: An open-source network and network security solution founded by Tigera.
Palette users can choose any one of the above Network Policies and provide it to the pack YAML file as networkPolicy
as given below:
pack:
# The Network policy for ingress and egress traffic between pods in a cluster. Supported values are none, azure, calico
networkPolicy: "none"
Provide the networkPolicy value as none if no policy to be applied.
Azure and Calico Policies and their Capabilities
| Capability | Azure | Calico |
|---|---|---|
| Supported platforms | Linux | Linux, Windows Server 2019 and 2022 |
| Supported networking options | Azure CNI | Azure CNI (Linux, Windows Server 2019 and 2022) and kubenet (Linux) |
| Compliance with Kubernetes specification | All policy types supported | All policy types supported |
| Additional features | None | Extended policy model consisting of Global Network Policy, Global Network Set, and Host Endpoint. For more information on using the calicoctl CLI to manage these extended features, see calicoctl user reference guide. |
| Support | Supported by Azure Support and Engineering team | Calico community support. |
| Logging | Rules added or deleted in IP Tables are logged on every host under /var/log/azure-npm.log | For more information, see Calico component logs |
Make sure to use Azure CNI with the Windows operating system as the kubenet is not available for the Windows environment.