Network Isolation
Kupe Cloud enforces network-level isolation on all managed clusters. Your workloads can reach the internet but cannot access platform infrastructure or other tenants’ clusters.
What your workloads can reach
| Destination | Allowed | Notes |
|---|---|---|
| Public internet | Yes | Any external IP or hostname |
| DNS | Yes | Cluster DNS resolves normally |
| Same-cluster pods | Yes | Pod-to-pod within your cluster works |
| Other tenants’ clusters | No | Blocked by network policy |
| Platform services | No | Blocked (monitoring, auth, secrets) |
| Cluster nodes | No | Blocked (kubelet, etcd, API server) |
How it works
Managed clusters apply network policies that:
- Allow DNS — your pods can resolve hostnames normally
- Allow same-cluster traffic — pods within your cluster communicate freely
- Allow internet egress — outbound to any public IP
- Block internal ranges — the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are blocked
This ensures your workloads operate normally while preventing access to infrastructure that belongs to the platform or other tenants.
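The policy the platform applies is not published on this page, but the four rules above map directly onto a standard Kubernetes NetworkPolicy. The following is an added illustration, not Kupe Cloud's own manifest: it reproduces the described behaviour (DNS allowed, same-cluster pod traffic allowed, internet egress allowed, RFC 1918 blocked) in a single egress policy. The policy name, the namespace, and the kube-dns labels are assumptions; the DNS labels shown are the ones most distributions use, so check them against your cluster.

```yaml
# Added example: an egress policy equivalent to the isolation rules described above.
# Not the platform's manifest. NetworkPolicy is namespaced, so this must exist in
# every namespace whose pods should be covered.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-egress-isolation   # assumed name
  namespace: default              # assumed namespace
spec:
  podSelector: {}                 # empty selector: applies to every pod in the namespace
  policyTypes:
    - Egress                      # listing Egress makes all egress default-deny except the rules below
  egress:
    # Rule 1: allow DNS to the cluster resolver (labels assumed; verify with
    # kubectl -n kube-system get pods --show-labels)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Rule 2: allow pod-to-pod traffic to any namespace in this cluster.
    # An empty namespaceSelector matches every namespace; it never matches
    # node IPs or addresses outside the cluster's pod network.
    - to:
        - namespaceSelector: {}
    # Rule 3 and 4: allow internet egress to any address except the RFC 1918
    # ranges, which covers platform services and nodes that live on private IPs.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
```

Two points worth checking when reading a policy like this. First, the `except` list above is exactly the set the page names; address space that is not RFC 1918, such as link-local 169.254.0.0/16 or CGNAT 100.64.0.0/10, is not covered by it, so if the platform blocks those too it does so with a rule this page does not describe. Second, the ipBlock rule is evaluated against the packet's destination after NAT has not yet been applied, which is why an in-cluster service IP is never matched by an ipBlock and same-cluster traffic needs its own selector-based rule.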
Cluster API access
Your cluster’s Kubernetes API is accessible via a public endpoint:
https://<cluster>.<tenant>.kupe.cloud
This endpoint uses TLS passthrough with OIDC authentication — the same security model used by managed Kubernetes providers like EKS, GKE, and AKS. No VPN required.
What about ingress?
Inbound traffic to your workloads flows through the shared Gateway API infrastructure. Create HTTPRoutes to expose your services — the platform handles TLS termination and routing.
Your pods receive traffic from the gateway proxy only. Direct inbound connections from the internet to pod IPs are not possible.
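As an added example of the ingress path described above (not from the Kupe Cloud documentation), here is a minimal HTTPRoute that attaches a Service to the shared gateway. The gateway's name and namespace (`platform-gateway` in `kupe-system`), the hostname, and the backend Service name are assumptions; the real parentRef values come from the platform, and the platform terminates TLS, so the route itself carries no certificate configuration.

```yaml
# Added example: expose a ClusterIP Service through the shared gateway.
# The parentRefs values are assumed; substitute the gateway the platform provides.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: web                       # assumed route name
  namespace: default              # assumed namespace, must contain the backend Service
spec:
  parentRefs:
    - name: platform-gateway      # assumed: the shared gateway's name
      namespace: kupe-system      # assumed: the shared gateway's namespace
  hostnames:
    - "web.example.com"           # assumed hostname; DNS must point at the gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: web               # assumed Service name in this namespace
          port: 80                # plain HTTP: TLS is already terminated at the gateway
```

Because pods only ever see connections from the gateway proxy, the backend Service can listen on plain HTTP and the application sees the proxy's address as its peer; the original client address is carried in forwarded headers rather than at the TCP layer. Check the route's status with `kubectl get httproute web -o yaml` and confirm the `Accepted` and `ResolvedRefs` conditions are True before troubleshooting anything further upstream.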
Related pages
- Cluster Policies — admission-time enforcement
- Container Security — pod security requirements
- HTTP Routes — exposing services externally