Re: ingress firewall

On 12/14/2016 01:03 PM, Srinivas Naga Kotaru (skotaru) wrote:
> Does ingress support firewall? We have a use case where tenants have
> multiple projects for service segmentation purposes and need ports other
> than 80/433. We are planning to use ingress and egress features to allocate
> a pool of IP addresses to use. The client has strict requirements for controlling
> inbound and outbound traffic, like who can allow or deny.
> As per the documentation below, egress supports firewall. Does ingress also
> support similar?

Upstream Kubernetes has a NetworkPolicy object that can be used to
control ingress traffic, but it's not supported by the default OpenShift
networking plugin in 3.4. (Some third-party plugins support it, and it
should be supported by OpenShift's networking plugin in 3.5.) However,
the current version of NetworkPolicy is focused more on pod-to-pod
traffic and doesn't have support for filtering ingress by IP, and it's
not clear when it will.

> Any ideas on how to control ingress? We are thinking of using
> iptables, but that seems to be dirty, or we're not sure whether it's even possible.

iptables wouldn't be able to implement per-project rules, but if you
don't mind having the same restrictions for all pods, then it would work.

-- Dan
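The pod-to-pod style of NetworkPolicy that Dan describes, as an added example that is not part of the thread: it restricts which project's pods may reach a service on a non-80/443 port. The namespace names, labels and port 8443 are assumptions chosen for illustration, and the object only takes effect on a network plugin that enforces NetworkPolicy.

```yaml
# Added example (not from the thread): one NetworkPolicy that limits which
# pods may reach the "api" pods in the "backend" project, and on which port.
# Namespace names, labels and the port are constructed for illustration.
# Requires a network plugin that enforces NetworkPolicy; as noted above,
# the default OpenShift 3.4 plugin does not.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-frontend
  namespace: backend          # the project whose pods are being protected
spec:
  # Pods this policy applies to. Once a pod is selected by an Ingress
  # policy, any inbound traffic not explicitly allowed by some policy
  # is dropped (default deny for that pod).
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Only pods living in projects (namespaces) labelled tier=frontend ...
    - namespaceSelector:
        matchLabels:
          tier: frontend
    # ... and only on the service's own port, not 80/443.
    ports:
    - protocol: TCP
      port: 8443
```

Note that the selectors here match pods and namespaces, not source IP addresses, which is the gap in ingress filtering by IP that the message above points out; later API revisions added an `ipBlock` entry under `from` for CIDR-based rules.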

