← Back to Engineering Blog
πŸ—“οΈ Feb 14, 2022 ⏱️ 1 min read

When Kubernetes Met NSX-T: Container Networking with NCP CNI

Integrating Kubernetes container networking with enterprise virtual underlays using the NSX Container Plugin (NCP).

πŸŽ™οΈ Listen to Article READY
AI Audio Synthesis Narrator
Share Post:

β€œDevelopers expected Kubernetes pods to spin up in milliseconds. Network engineers required every pod to have explicit firewall policies. NCP bridged that gap.”

At NTT Data, we integrated Kubernetes clusters into enterprise data center networks using the NSX Container Plugin (NCP CNI).


Pod-Level Microsegmentation

Standard Kubernetes CNI plugins (e.g. Flannel) create flat pod networks without native isolation.

NCP dynamically provisions an NSX-T Segment per Kubernetes Namespace and instantiates Distributed Firewall (DFW) rules automatically whenever a Kubernetes NetworkPolicy manifest is deployed.

[!IMPORTANT] NCP translates Kubernetes NetworkPolicy custom resources directly into hardware/hypervisor-enforced NSX-T DFW rules.

# # Kubernetes NetworkPolicy Manifest Translated by NCP
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-db-access
  namespace: production
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend

The Verdict

Key Takeaway

Extend Enterprise Security Policy to Container Pods.

Integrating Kubernetes with NSX-T NCP ensures containerized workloads receive native enterprise microsegmentation, IP visibility, and firewall enforcement automatically.

SKS

Sachin Kumar Sharma

Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp

Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.