OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: keylooper on August 22, 2023, 06:42:44 AM

Title: Licensing options?
Post by: keylooper on August 22, 2023, 06:42:44 AM
I'm trying to understand what my licensing options are.  I installed ZenArmor, currently on the free edition.  I would like to buy a subscription but it seems my home is too big for a home license.  In my ZenArmor settings it shows I have 232 active devices.  So is my only option to buy a Business plan at $225 a month?  I do need to better understand what all my devices are (is it registering every container on my k8s cluster as a device?) but I'm certain I have over 100 devices so understanding what my options are would be good and there's no way I'm paying that for my home.  :)
Title: Re: Licensing options?
Post by: deuch on August 22, 2023, 04:27:15 PM
What kind of network driver (CNI) are you using with your k8s cluster? Is it flannel or cilium or something else?
Do your pods take an IP from your VLAN/subnet?
Title: Re: Licensing options?
Post by: sy on August 23, 2023, 03:42:07 PM
Hi,

Zenarmor has an Exempted VLAN / Network / IP option for the licensed users. You can exclude some items from inspection and they won't count for the licence as well.
Title: Re: Licensing options?
Post by: keylooper on August 24, 2023, 10:44:00 PM
Quote from: sy on August 23, 2023, 03:42:07 PM
Hi,

Zenarmor has an Exempted VLAN / Network / IP option for the licensed users. You can exclude some items from inspection and they won't count for the licence as well.

I saw that, but then I'm losing out on the value ZenArmor brings, monitoring my network, if I have to filter out more than half of it.

Quote from: deuch on August 22, 2023, 04:27:15 PM
What kind of network driver (CNI) are you using with your k8s cluster? Is it flannel or cilium or something else?
Do your pods take an IP from your VLAN/subnet?

flannel, my pods have private ips (a subnet not on one of my vlan subnets) but the services all have an ip from one of my vlan subnets.
Title: Re: Licensing options?
Post by: deuch on August 24, 2023, 11:59:06 PM
How do you create your service? With a ClusterIP or not? Even with a nodePort it does not take any IP on your subnet.

In fact you can use a k8s cluster with a full overlay network (pods and services) where only nodes have an IP of your subnet.

So normally, only your node IP will count for the Zenarmor licence and not the pods id or service. With iptables or IPVS that's the case, so I do not know how your cluster is configured, or whether something with netmap sees the overlay IP as a "real" one.
But if that's the case, choose 2 different subnets for pods and services during installation and set them as exempted networks in Zenarmor. Can you try?
Title: Re: Licensing options?
Post by: keylooper on August 25, 2023, 06:29:31 AM
services are using clusterIP, the pods use private non-routable IPs.  I've added the network of my pods to the exempt list.
Title: Re: Licensing options?
Post by: almodovaris on August 27, 2023, 10:17:28 AM
If you hide your pods behind a NAT and don't use IPv6, Zenarmor does not see them as different devices.