Is there any benefit of using Istio Policy AND GKE Network Policy?

I've read a few sources that state that it is a good idea to use both Istio AND GKE Network Policy, but it is not too clear what the benefits of doing so are from a security perspective.

Answered by guillaume blaquiere

Istio Policy and GKE Network Policy don't work at the same level.

  • GKE Network Policy enforces firewall rules at the Pod level. It's a layer 3 policy.
  • Istio Policy enforces rules on HTTP traffic (rate limit, allow/deny services (not IP, services!)).

So, it could make sense to use both if all your traffic isn't managed by Istio (if you don't use only the HTTPS protocol). If not, you will open port 443 for all the pods, and it's clearly useless.
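
The two levels described in the answer, side by side, as an added example that is not part of the original answer. It assumes Istio's `AuthorizationPolicy` API for the service-level allow rule; every namespace, label, port and service account name is hypothetical.

```yaml
# Added example; namespaces, labels, port and service account are hypothetical.
# Layer 3/4: Kubernetes NetworkPolicy, enforced on Pod IPs and ports.
# It applies to any protocol, including traffic that never passes a sidecar.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: frontend
          podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 8443
---
# Layer 7: Istio AuthorizationPolicy, enforced by the sidecar proxy.
# It matches on the caller's service identity (requires mutual TLS in the mesh)
# and on HTTP attributes, not on IP addresses.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-web
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/frontend/sa/web"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/orders/*"]
```

With both applied, the NetworkPolicy limits which Pods can reach the port at all, and the AuthorizationPolicy limits which service identity may issue which HTTP requests over that port.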