Weave-NPC: Container firewalls in Go

Weave Network Policy Controller is an implementation of the Kubernetes Network Policy. Read on to learn about container firewalls in Go.

I had the pleasure of being a guest speaker at the March Go London User Group on the topic of container firewalls in Go.

The overarching idea is to prevent unwanted —accidental or malicious— contact between components, in our case containers, that should not be talking. Go is now a popular choice for network and protocol handling code.

Kubernetes Network Policy

Kubernetes supports an API for network policies that provides a sophisticated model for isolating applications and reducing their attack surface. However, it has been left up to third parties to implement these network policies. Weaveworks’ Network Policy Controller (weave-npc) is an implementation of the Kubernetes Network Policy, which specifies allowed connections within a Kubernetes cluster. The code is all written in Go, and available on GitHub under Apache Licence.

Check out the video to see my full presentation.  I show you how Weave-npc is implemented, illustrating the Go APIs to read Kubernetes network policies, to create Linux netfilter rules, and to control Linux network interfaces.

Weave Net

Download Weave Net to try it yourself. It is easy to use and integrates with all cloud platforms. Get started.

Thank you for reading our blog. We build Weave Cloud, which is a hosted add-on to your clusters. It helps you iterate faster on microservices with continuous delivery, visualization & debugging, and Prometheus monitoring to improve observability.

Try it out, join our online user group for free talks & trainings, and come and hang out with us on Slack.