Brought to you by Tigera, the creator of Calico Open Source. Tigera also provides commercial solutions, Calico Cloud and Calico Enterprise, which build on Calico Open Source to provide additional security and observability capabilities for containers and Kubernetes.
Project Calico is an open-source project with an active development and user community. Calico Open Source was born out of this project and has grown to be the most widely adopted solution for container networking and security, powering 8M+ nodes daily across 166 countries.
Free and open source, Calico Open Source is designed to simplify, scale, and secure container and Kubernetes networks. Invented and maintained by Tigera.
Thanks, I'm looking to achieve completely isolated namespaces so that if someone gains access to a pod, they can only see pods within the same namespace. I've already tried implementing network policies, but they didn't provide sufficient isolation (with arp-scan I can see all IPs). Could you please share any additional suggestions or best practices for achieving this level of namespace isolation effectively? Thank you for your help!
If you head over to Project Calico's documentation website, there are examples of how to implement a default deny. You could also implement host endpoint policies to secure both namespaced and non-namespaced resources within your cluster and establish full isolation.
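A worked version of the default-deny-plus-namespace-allow pattern described above, written as an added example for this thread rather than copied from the Calico documentation or from either poster. It uses the Calico `projectcalico.org/v3` API: a cluster-wide `GlobalNetworkPolicy` that denies all ingress and egress for every pod outside the system namespaces (leaving only DNS egress open), and a namespaced `NetworkPolicy` that re-allows traffic between pods of the same namespace. The namespace name `team-a` and the excluded system namespaces (`kube-system`, `calico-system`, `tigera-operator`) are assumptions for the example; adjust them to the cluster.

```yaml
# Added example (not Calico project code). Apply with: calicoctl apply -f <this file>
# Policy 1: cluster-wide default deny for pods.
# namespaceSelector limits this to namespaced endpoints (pods), so host endpoints
# and the control-plane namespaces are not affected.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  # Assumed list of system namespaces to leave untouched.
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "tigera-operator"}
  # High order value so that namespace-level allow policies (lower order) are evaluated first.
  order: 2000
  types:
  - Ingress
  - Egress
  # No ingress rules: all inbound traffic to matched pods is denied.
  # Egress: only allow DNS lookups to kube-dns; everything else is denied.
  egress:
  - action: Allow
    protocol: UDP
    destination:
      selector: k8s-app == "kube-dns"
      namespaceSelector: projectcalico.org/name == "kube-system"
      ports:
      - 53
---
# Policy 2: per-namespace allow. Pods in team-a (assumed name) may talk only to
# other pods in team-a; the global default deny above catches everything else.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: team-a
spec:
  selector: all()
  order: 100
  types:
  - Ingress
  - Egress
  ingress:
  - action: Allow
    source:
      namespaceSelector: projectcalico.org/name == "team-a"
  egress:
  - action: Allow
    destination:
      namespaceSelector: projectcalico.org/name == "team-a"
```

One copy of the second policy is needed per namespace you want isolated (only the `namespace` field and the two `projectcalico.org/name` values change). To verify, run a connectivity check from a pod in `team-a` to a pod in another namespace and confirm it times out, then check the Calico deny counters or flow logs. Note that network policy filters at the IP layer; an `arp-scan` from a pod can still list addresses that the policy will refuse to forward traffic to, so judge isolation by whether connections succeed, not by what ARP reports.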
Speaking broadly, generally as long as the control plane is reachable from the data plane it will work - however, depending on the exact technologies, bandwidth/latency/reliability considerations are important. Come and chat with us at slack.projectcalico.org/ if you have a particular case in mind!