OpenZiti support for pods within same node

For one of our projects, we need to have zero trust between two pods of the same node in a cluster. I tried using the OpenZiti tunneler with a sidecar proxy, but I got to know that for each pod, it would need kernel access to change the loopback. Is there any workaround for this? Any other suggestions to bring about zero trust between two pods of the same node would really help.

That sounds like an interesting use case, @prasadakhil97. Welcome to the forum!

An OpenZiti tunneler as a Docker or Kubernetes sidecar proxy provides bi-directional OpenZiti service traffic (transparent proxy w/ DNS and reverse proxy) for that specific container network (Docker) or pod (Kubernetes).

In Docker, the default is a separate container network for each container while sharing a bridge (LAN), so the containers are joined at the data link layer. However, it is also possible to configure any two or more containers to share a container network interface.

In Kubernetes, all containers in a pod share a network interface, including resolver configuration, loopback device, firewall rules, and primary interface (CNI).

This is implemented with network namespaces, a feature of Linux, and does provide isolation by design for pods on the same node.

Specifically, the TPROXY firewall rules that effect "interception" for the container are inside the container network namespace that's used by all containers in the pod, so they're isolated from all other pods on the same host in that way.

Are you looking for a different, specific isolation type not covered by this approach?

I'd love to hear more!
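Added example (not code from the original thread or from the OpenZiti project): a pod manifest that places a ziti tunneler in tproxy mode beside the application container, to illustrate the namespacing described above. The image name, `tproxy` argument, identity mount path and `ZITI_IDENTITY_BASENAME` variable are assumptions taken from memory of the sidecar documentation, and the DNS and Secret names are placeholders; check them against the current docs. The point is that `NET_ADMIN` goes only to the sidecar container and acts only on the pod's own network namespace, so the TPROXY rules and loopback resolver it installs are not visible to other pods on the node.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-ziti-sidecar        # constructed name
spec:
  # Keep the pod in its own network namespace. With hostNetwork: true the
  # sidecar's rules would land in the node's namespace and affect every pod.
  hostNetwork: false
  # Send the pod's DNS to the tunneler's resolver on loopback first, then to
  # cluster DNS. Both containers share this netns, so the app sees the same
  # resolver without any change to the node.
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
      - 127.0.0.1                    # assumption: tunneler resolver listens on loopback
      - 10.96.0.10                   # placeholder: your cluster DNS service IP
  containers:
    - name: app
      image: example.com/app:1.0     # placeholder application image
      # The app needs no extra capabilities; it simply connects to ziti
      # service names, which the sidecar intercepts inside this namespace.
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
    - name: ziti-tunnel
      image: openziti/ziti-tunnel    # assumption: official tunneler image
      args: ["tproxy"]               # assumption: transparent-proxy mode
      env:
        - name: ZITI_IDENTITY_BASENAME   # assumption: variable name from the docs
          value: ziti-id
      volumeMounts:
        - name: ziti-identity
          mountPath: /netfoundry     # assumption: path the image reads the identity from
          readOnly: true
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          # NET_ADMIN is required to install the TPROXY/iptables rules, but
          # those rules live in this pod's network namespace only; the host
          # firewall and other pods on the same node are untouched.
          drop: ["ALL"]
          add: ["NET_ADMIN"]
  volumes:
    - name: ziti-identity
      secret:
        secretName: ziti-identity-secret   # placeholder: Secret holding the enrolled identity
```

If the application container also needs loopback or resolver changes, it still needs none of the sidecar's capabilities; the shared namespace means the sidecar's rules already apply to it.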

Yes, we want to have a zero-trust setup for each pod for one of the security projects we are working on. We need encryption for traffic between the pods of the same node. Hence, we were looking at this.