
NCI 7.5 Deep Dive – Part Four: FNS Next-Gen for Kubernetes

  • Writer: Naser Ebdah
  • 1 day ago
  • 2 min read

As Kubernetes adoption grows, securing containerized workloads becomes increasingly complex, especially in environments where Kubernetes and virtual machines coexist. Native Kubernetes network policies are cluster-scoped, IP-based, and separate from VM security controls. This forces teams to manage multiple security models and management planes, leading to policy fragmentation, operational overhead, and security gaps.


Flow Network Security (FNS) Next-Gen for Kubernetes addresses this challenge by extending microsegmentation to Kubernetes pods and services, delivering centralized, consistent security enforcement from Prism Central for both Kubernetes and virtual workloads.


What Is FNS Next-Gen for Kubernetes

Flow Network Security Next-Gen provides native microsegmentation for Kubernetes workloads, securing pods and services in a Kubernetes cluster in the same way VMs are secured in virtualized environments.

Key characteristics:

  • Secures Kubernetes pods and services

  • Delivers application-level microsegmentation

  • Policies are centrally defined in Prism Central

  • Supports securing containerized and virtual workloads from a single pane of glass

  • Uses Cilium-based Kubernetes native network policies for enforcement

Requirement: Kubernetes clusters must be created and managed using Nutanix Kubernetes Platform (NKP).


How FNS Next-Gen for Kubernetes Works

FNS Next-Gen introduces federated policy control between Prism Central and Kubernetes:

  1. Security administrators define policies in Prism Central using entity groups

  2. Kubernetes entities are grouped using:

    • Pod labels

    • Service names

    • Namespaces

  3. Flow Network Security policies are automatically translated into native Kubernetes network policy objects

  4. Cilium enforces these policies directly on Kubernetes worker nodes

  5. VM security policies integrate seamlessly, enabling:

    • Pod-to-pod control

    • VM-to-pod control

    • Consistent inbound and outbound enforcement

Policy enforcement happens in real time, without downtime.
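To make the translation step concrete, here is an added illustrative model (not Nutanix's translator) that maps a group-based, Flow-style rule onto a native Kubernetes NetworkPolicy object. The group and Service data are constructed; note that NetworkPolicy only selects pods, so a Service group has to be resolved to the pods behind it, and a peer in another namespace needs a namespaceSelector.

```python
"""Illustrative Flow-style rule -> Kubernetes NetworkPolicy translation.
Assumed model for the article's description; not Nutanix's real translator."""

# Constructed sample: each group lives in one cluster and holds a single
# entity type (Pod or Service), matching the first-release scope.
GROUPS = {
    "web": {"type": "Pod", "namespace": "shop", "labels": {"app": "web"}},
    "db-svc": {"type": "Service", "namespace": "shop", "name": "postgres"},
    "probe": {"type": "Pod", "namespace": "ops", "labels": {"role": "probe"}},
}
# Constructed sample Service selectors, keyed by (namespace, service name).
SERVICE_SELECTORS = {("shop", "postgres"): {"app": "postgres"}}


def pod_selector(group):
    """Return (namespace, matchLabels) for a group; Services are resolved
    to the pods they select, because NetworkPolicy cannot target a Service."""
    g = GROUPS[group]
    if g["type"] == "Service":
        return g["namespace"], SERVICE_SELECTORS[(g["namespace"], g["name"])]
    return g["namespace"], g["labels"]


def translate(rule):
    """rule = {'target': group, 'direction': 'inbound'|'outbound',
    'peer': group, 'ports': [(protocol, port), ...]} -> NetworkPolicy dict."""
    ns, sel = pod_selector(rule["target"])
    peer_ns, peer_sel = pod_selector(rule["peer"])
    peer = {"podSelector": {"matchLabels": peer_sel}}
    if peer_ns != ns:  # cross-namespace peers need an explicit namespaceSelector
        peer["namespaceSelector"] = {
            "matchLabels": {"kubernetes.io/metadata.name": peer_ns}}
    ports = [{"protocol": p, "port": n} for p, n in rule["ports"]]
    inbound = rule["direction"] == "inbound"
    ptype = "Ingress" if inbound else "Egress"
    entry = {"from" if inbound else "to": [peer], "ports": ports}
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{rule['target']}-{rule['direction']}-{rule['peer']}",
                     "namespace": ns},
        "spec": {
            "podSelector": {"matchLabels": sel},
            # Listing a policyType makes all other traffic in that direction denied
            # for the selected pods, which is what gives allow-list semantics.
            "policyTypes": [ptype],
            ptype.lower(): [entry],
        },
    }
```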


First Release Scope and Capabilities

For the first release, FNS Next-Gen support for Kubernetes is intentionally scoped to core application-level security capabilities and policy enforcement for Kubernetes workloads using Cilium CNI only. The solution applies security policies to pods and services within NKP-managed clusters, with entity grouping confined to a single Kubernetes cluster and limited to one entity type per group, either Pod or Service. Deployments on Kubernetes clusters running on VPCs, Network Function integration with Kubernetes entities, and the inclusion of Kubernetes IP ranges in address groups are not yet available. In addition, features such as IPv6 support, policy hitlogs, and monitor mode are not included in this release.


Version and Licensing Requirements

  • AOS: 7.5

  • NKP: 2.15 or later

  • AHV: 11 or later

  • Cilium: 1.17.3 with Hubble relay enabled

  • Licensing: NCI Pro with Security Add-on or NCI Ultimate


Summary

Flow Network Security Next-Gen brings centralized, label-based microsegmentation to Kubernetes, eliminating the need for fragmented security models across VMs and containers. By translating Flow policies into native Kubernetes enforcement through Cilium, Nutanix delivers consistent security, simplified operations, and a single source of truth for network policy enforcement.
