1. Segmenting AI Workload Traffic with CiliumNetworkPolicy


    Segmenting network traffic in a Kubernetes cluster using CiliumNetworkPolicy is an important aspect of cloud infrastructure security and compliance, especially when dealing with sensitive AI workloads. Segmentation provides control over how different parts of your application communicate with each other and access external resources. This is crucial when you have AI applications that need to separate sensitive data from the rest of the network.

    To implement network segmentation in Kubernetes with Cilium, we use CiliumNetworkPolicy, which is a more powerful and flexible way to define security policies than the standard NetworkPolicy offered by Kubernetes. CiliumNetworkPolicy can enforce both L3/L4 (IP/Port) and L7 (Application-aware) policies, and it works by leveraging the eBPF technology in the Linux kernel, allowing for high-performance traffic filtering.

    Below, you'll find a Pulumi program written in Python that illustrates how to define a CiliumNetworkPolicy for segmenting AI workload traffic. The code will include comments to guide you through what each section does.

    Before we dive into the program, make sure you have the following prerequisites in place:

    1. Ensure you have Pulumi installed and configured to work with your preferred cloud provider (the specific instructions may vary by provider and are beyond the scope of this guide).
    2. Make sure you have access to a Kubernetes cluster where you have rights to create and manage resources, and that the cluster has Cilium installed as the CNI (Container Network Interface).
    3. Ensure that kubectl is configured to communicate with your Kubernetes cluster.

    Now, let's start writing the program.

    import pulumi import pulumi_kubernetes as k8s # Define the CiliumNetworkPolicy which will segment AI workload traffic. # This policy will allow egress traffic only to a specific CIDR range # (assuming your AI workloads need to communicate with a specific set of IPs), # and will block all other egress traffic for pods with labels 'app: ai-workload' cilium_network_policy_spec = { "egress": [{ "toEndpoints": [{ "matchLabels": { "k8s:io.kubernetes.pod.namespace": "ai-namespace" } }], "toCIDR": [ "" # Replace with the actual CIDR you want to allow ] }], "endpointSelector": { "matchLabels": { "app": "ai-workload" # Pods with this label will be affected by the policy } } } # Use Pulumi to create the CiliumNetworkPolicy resource. # Replace 'my-ai-network-policy' with a suitable name for your policy, # and 'ai-namespace' with the namespace where your AI workloads are running. cilium_network_policy = k8s.CiliumNetworkPolicy( 'my-ai-network-policy', metadata={ "namespace": "ai-namespace" # The namespace for the CiliumNetworkPolicy }, spec=cilium_network_policy_spec ) # Export the name of the network policy so you can easily identify it # in the Kubernetes cluster after deployment by Pulumi. pulumi.export('network_policy_name', cilium_network_policy.metadata['name'])

    In this program:

    • We define a CiliumNetworkPolicy object.
    • In the egress section, we specify the CIDR range ( in the example) where the AI workloads are allowed to send traffic.
    • In the endpointSelector section, we match the pods affected by this policy using the app: ai-workload label.
    • We declare and export the network_policy_name so you can reference it outside Pulumi, notably to verify its creation and impact using kubectl.

    This policy will enforce that only the selected AI workloads can communicate with the specific IP range, effectively segmenting their traffic. Remember, the actual implementation of the CiliumNetworkPolicy resource may depend on the version and configuration of Cilium installed on your cluster. Be sure to consult the Cilium documentation if needed.

    Deploy this Pulumi program by running pulumi up in the directory where the program is saved. Pulumi will ask for confirmation before creating these resources in your Kubernetes cluster. After deployment, you can use kubectl to inspect the state of the new CiliumNetworkPolicy and see its effects on the traffic flow in your cluster.