
Re: ingress firewall



Thanks Dan. At this point we are not sure how to control ingress traffic. I am pretty sure that we can provide an Ingress IP address so that client services get an externally reachable IP and TCP ports. 

If this is not possible in 3.4, can we expect it in 3.5? At least this gives us a window to talk to the client and convince him to use ingress now and expect ingress firewall support in 3.5? 

I am thinking it is a very important feature if we want to extend the platform to all types of workloads rather than just web apps. No one is interested in just typical web workloads in a container platform. Clients expect the freedom/choices/possibilities of the IaaS layer in a container platform without having any limitations. To achieve this, the network is very foundational and critical. 

-- 
Srinivas Kotaru

On 12/14/16, 10:48 AM, "Dan Winship" <danw redhat com> wrote:

    On 12/14/2016 01:03 PM, Srinivas Naga Kotaru (skotaru) wrote:
    > Does ingress support a firewall? We have a use case where tenants have
    > multiple projects for service segmentation purposes and need ports other
    > than 80/433. We are planning to use ingress and egress features to allocate
    > a pool of IP addresses to use. The client has strict requirements for controlling
    > inbound and outbound traffic, like who can allow or deny.
    > 
    > As per the documentation below, egress supports a firewall. Does ingress also
    > support something similar?
    
    Upstream Kubernetes has a NetworkPolicy object that can be used to
    control ingress traffic, but it's not supported by the default OpenShift
    networking plugin in 3.4. (Some third-party plugins support it, and it
    should be supported by OpenShift's networking plugin in 3.5.) However,
    the current version of NetworkPolicy is focused more on pod-to-pod
    traffic and doesn't have support for filtering ingress by IP, and it's
    not clear when it will.
    
    > Any ideas how to control ingress? We are thinking of using
    > iptables but that seems dirty, or we're not sure whether it's even possible.
    
    iptables wouldn't be able to implement per-project rules, but if you
    don't mind having the same restrictions for all pods, then it would work
    fine.
    
    -- Dan
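To make concrete what Dan says the NetworkPolicy object can and cannot express, here is an added example manifest (not from this thread or from the OpenShift project): it isolates one project and admits traffic to an API pod on a non-80/443 port only from labelled pods in the same project. The project name, labels and port are constructed, and it assumes the extensions/v1beta1 API and the DefaultDeny namespace annotation that NetworkPolicy used in the 3.5 timeframe.

```yaml
# Added example, not code from the thread. Assumptions (all constructed):
# a project/namespace "tenant-a", API pods labelled role=api on TCP 8443,
# and the extensions/v1beta1 NetworkPolicy API of the 3.5 era.
#
# Step 1: isolate the project. Without this annotation the beta API treats
# the namespace as non-isolated and policies below have no effect.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  annotations:
    net.beta.kubernetes.io/network-policy: '{"ingress": {"isolation": "DefaultDeny"}}'
---
# Step 2: re-admit only the traffic the tenant actually wants.
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: allow-api-from-frontend
  namespace: tenant-a
spec:
  # Pods this policy protects; once isolated they accept only traffic
  # matched by an ingress rule below.
  podSelector:
    matchLabels:
      role: api
  ingress:
  - from:
    # Sources are matched by pod labels within the same namespace.
    - podSelector:
        matchLabels:
          tier: frontend
    ports:
    - protocol: TCP
      port: 8443
  # There is no source-IP or CIDR field in this version, which is the gap
  # Dan points out: per-project rules are pod-to-pod, not by external IP.
```

The same manifest can be applied per project to get the per-tenant rules that a node-wide iptables policy cannot provide.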
    
    


