kubernetes-network-policy-recipes VS cluster-api

Further reading: Controlling Access to Kubernetes API What is TLS Configure Service Accounts Dynamic Admission Control Network Policy Recipes

See: https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/04-deny-traffic-from-other-namespaces.md for an example of what you are looking to do.

This is not great for multi-tenancy, but you can correct this with NetworkPolicies.

🔗 https://github.com/ahmetb/kubernetes-network-policy-recipes

I'd recommend using this collection of network policy recipes to test out these 2 tools and see how they can be helpful to your workflow.

Here's an example policy I've tried. https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/03-deny-all-non-whitelisted-traffic-in-the-namespace.md

The Network Policies recipes here: https://github.com/ahmetb/kubernetes-network-policy-recipes -- Do not under any circumstances overlook this goldmine of network policy examples. Super important.

Good to learn more in Kubernetes network policy for CKx exams and EKS. Below are resources: 1/ read official doc and try to understand them well - https://kubernetes.io/docs/concepts/services-networking/network-policies/ 2/ bookmark samples for exams and EKS setups - https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource 3/ do more practices at https://github.com/ahmetb/kubernetes-network-policy-recipes 4/ visualize (image below) and try more at https://editor.cilium.io/ - it allows you to save the final netpol in k8s netpol OR Cilium netpol (EKS-A is using Cilium !)

In this blog post, we will demonstrate how easy and fast it is to deploy Sveltos on an RKE2 cluster with the help of ArgoCD, register two RKE2 Cluster API (CAPI) clusters and create a ClusterProfile to deploy Prometheus and Grafana Helm charts down the managed CAPI clusters.

4. Having moved to a container orchestrator, all of my nodes are immutable. Hardware and VM instances _can_ be born magically into existence. Nearly all infra providers support [cluster-api](https://cluster-api.sigs.k8s.io/). Network infrastructure can now be managed with TF, so I go that route.

## Linux curl -L https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.4.4/clusterctl-linux-amd64 -o clusterctl sudo install -o root -g root -m 0755 clusterctl /usr/local/bin/clusterctl ## Mac brew install clusterctl

Did you ever try CAPI? https://github.com/kubernetes-sigs/cluster-api

You might find interesting the capi-rancher-import k8s operator we use in Sylva, it would adopt in Rancher server the Cluster API created k8s clusters (with bootstrap provider kubeadm or even rke2 - you can lookup CAPBR for the latter). I understand your clusters are not created by Cluster API, so if you could move the workloads/resources to new clusters created by Cluster API, this can come handy. (Adoption of non-CAPI clusters into CAPI is not yet a standard practice, more in https://github.com/kubernetes-sigs/cluster-api/issues/7776)

Most of the comments have mentioned older tools like kubespray, Ansible, Rancher etc. I would suggest the cloud native way using ClusterAPI or use a tool that relies on ClusterAPI in the backend called Talos

Cluster API

Sveltos is a powerful open source project that makes managing Kubernetes add-ons a breeze. It automatically discovers ClusterAPI powered clusters and allows you to easily register any other cluster (like GKE). Then, it seamlessly manages Kubernetes add-ons across all your clusters.