← Back to Engineering Blog
πŸ—“οΈ Apr 12, 2022 ⏱️ 2 min read

Translating Kubernetes NetworkPolicies to NSX-T Distributed Firewall Rules

How deploying NSX-T Container Plugin (NCP CNI) automatically translated Kubernetes YAML NetworkPolicies into hypervisor-level Distributed Firewall rules.

πŸŽ™οΈ Listen to Article READY
AI Audio Synthesis Narrator
Share Post:

β€œRunning Kubernetes inside virtual machines creates a security blind spot if pod traffic is unmonitored by the hypervisor. NCP CNI enforces pod-level microsegmentation at the ESXi kernel level.”

While integrating enterprise Kubernetes clusters into VMware SDDCs at NTT Data, security compliance required enforcing microsegmentation between individual Kubernetes pod namespaces.


Architecture: NSX Container Plugin (NCP CNI) Translation

We deployed NSX Container Plugin (NCP) as the primary CNI plugin for Kubernetes.

  • Automated DFW Translation: Whenever a developer applies a standard Kubernetes NetworkPolicy YAML object, NCP translates the policy into native NSX-T Distributed Firewall (DFW) rules.
  • Kernel-Level Enforcement: Traffic filtering occurs inside the ESXi hypervisor kernel (vnic-tx/rx), preventing compromised pods from bypassing CNI controls even if root access is breached within the container.

[!IMPORTANT] Ensure NSX-T Control Cluster connectivity is redundant to prevent CNI synchronization delays when scaling Kubernetes worker nodes.

# # Kubernetes NetworkPolicy Automatically Synced to NSX-T DFW
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-db-access
  namespace: production
spec:
  podSelector:
    matchLabels:
      role: db
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 5432

The Verdict

Key Takeaway

Enforce Kubernetes Pod Microsegmentation at the Hypervisor Layer using NCP CNI.

Integrating NCP CNI with NSX-T DFW delivers seamless policy synchronization between container native NetworkPolicies and enterprise virtual firewall rules.

SKS

Sachin Kumar Sharma

Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp

Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.