Segmenting AI Workload Traffic with CiliumNetworkPolicy

Question

Pulumi · Accepted Answer

Segmenting network traffic in a Kubernetes cluster using `CiliumNetworkPolicy` is an important aspect of cloud infrastructure security and compliance, especially when dealing with sensitive AI workloads. Segmentation provides control over how different parts of your application communicate with each other and access external resources. This is crucial when you have AI applications that need to separate sensitive data from the rest of the network.

To implement network segmentation in Kubernetes with Cilium, we use `CiliumNetworkPolicy`, which is a more powerful and flexible way to define security policies than the standard `NetworkPolicy` offered by Kubernetes. `CiliumNetworkPolicy` can enforce both L3/L4 (IP/Port) and L7 (Application-aware) policies, and it works by leveraging the eBPF technology in the Linux kernel, allowing for high-performance traffic filtering.

Below, you'll find a Pulumi program written in Python that illustrates how to define a `CiliumNetworkPolicy` for segmenting AI workload traffic. The code will include comments to guide you through what each section does.

Before we dive into the program, make sure you have the following prerequisites in place:

1. Ensure you have Pulumi installed and configured to work with your preferred cloud provider (the specific instructions may vary by provider and are beyond the scope of this guide).
2. Make sure you have access to a Kubernetes cluster where you have rights to create and manage resources, and that the cluster has Cilium installed as the CNI (Container Network Interface).
3. Ensure that `kubectl` is configured to communicate with your Kubernetes cluster.

Now, let's start writing the program.

```python
import pulumi
import pulumi_kubernetes as k8s

# Define the CiliumNetworkPolicy which will segment AI workload traffic.
# This policy will allow egress traffic only to a specific CIDR range
# (assuming your AI workloads need to communicate with a specific set of IPs),
# and will block all other egress traffic for pods with labels 'app: ai-workload'
cilium_network_policy_spec = {
    "egress": [{
        "toEndpoints": [{
            "matchLabels": {
                "k8s:io.kubernetes.pod.namespace": "ai-namespace"
            }
        }],
        "toCIDR": [
            "192.0.2.0/24"  # Replace with the actual CIDR you want to allow
        ]
    }],
    "endpointSelector": {
        "matchLabels": {
            "app": "ai-workload"  # Pods with this label will be affected by the policy
        }
    }
}

# Use Pulumi to create the CiliumNetworkPolicy resource.
# Replace 'my-ai-network-policy' with a suitable name for your policy,
# and 'ai-namespace' with the namespace where your AI workloads are running.
cilium_network_policy = k8s.CiliumNetworkPolicy(
    'my-ai-network-policy',
    metadata={
        "namespace": "ai-namespace"  # The namespace for the CiliumNetworkPolicy
    },
    spec=cilium_network_policy_spec
)

# Export the name of the network policy so you can easily identify it
# in the Kubernetes cluster after deployment by Pulumi.
pulumi.export('network_policy_name', cilium_network_policy.metadata['name'])
```

In this program:

- We define a `CiliumNetworkPolicy` object.
- In the `egress` section, we specify the CIDR range (`192.0.2.0/24` in the example) where the AI workloads are allowed to send traffic.
- In the `endpointSelector` section, we match the pods affected by this policy using the `app: ai-workload` label.
- We declare and export the `network_policy_name` so you can reference it outside Pulumi, notably to verify its creation and impact using `kubectl`.

This policy will enforce that only the selected AI workloads can communicate with the specific IP range, effectively segmenting their traffic. Remember, the actual implementation of the `CiliumNetworkPolicy` resource may depend on the version and configuration of Cilium installed on your cluster. Be sure to consult the Cilium [documentation](https://docs.cilium.io/en/stable/policy/intro/) if needed.

Deploy this Pulumi program by running `pulumi up` in the directory where the program is saved. Pulumi will ask for confirmation before creating these resources in your Kubernetes cluster. After deployment, you can use `kubectl` to inspect the state of the new `CiliumNetworkPolicy` and see its effects on the traffic flow in your cluster.