When Kubernetes Met NSX-T: Container Networking with NCP CNI
Integrating Kubernetes container networking with enterprise virtual underlays using the NSX Container Plugin (NCP).
βDevelopers expected Kubernetes pods to spin up in milliseconds. Network engineers required every pod to have explicit firewall policies. NCP bridged that gap.β
At NTT Data, we integrated Kubernetes clusters into enterprise data center networks using the NSX Container Plugin (NCP CNI).
Pod-Level Microsegmentation
Standard Kubernetes CNI plugins (e.g. Flannel) create flat pod networks without native isolation.
NCP dynamically provisions an NSX-T Segment per Kubernetes Namespace and instantiates Distributed Firewall (DFW) rules automatically whenever a Kubernetes NetworkPolicy manifest is deployed.
[!IMPORTANT] NCP translates Kubernetes
NetworkPolicycustom resources directly into hardware/hypervisor-enforced NSX-T DFW rules.
# # Kubernetes NetworkPolicy Manifest Translated by NCP
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-db-access
namespace: production
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
role: frontend
The Verdict
Key Takeaway
Extend Enterprise Security Policy to Container Pods.
Integrating Kubernetes with NSX-T NCP ensures containerized workloads receive native enterprise microsegmentation, IP visibility, and firewall enforcement automatically.
Sachin Kumar Sharma
Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp
Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.