I am working in a strict security environment in which we use a firewall to limit the traffic between all of our servers, e.g. application server 'A' can only access DB server 'B' via port 1521 and cannot access app 'C' or database 'D' on any port.
Since by default OpenShift can schedule any pod on any host (and we wish to keep it that way), we have difficulty complying with the organizational network security model.
We considered using the ovs-multitenant plug-in, but we still have a couple of issues:
- Limiting traffic inside OpenShift: if two projects need to communicate with each other, we ought to merge their networks. But if we have some central service (like an authentication service), we will need to merge all of the networks together, thus diminishing the network isolation.
- Limiting outbound traffic: if one of our projects needs access to some external service, we must allow all of the OpenShift hosts to access it. So we wish to limit, or at least monitor, that only this particular project's pods access this service. [In general, some tool that shows network connections between the internal and the external networks would be most helpful.]
Has someone else ever tackled these issues? I guess that most financial/government organizations have some variation of this, as we do.
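One way to express the two constraints above (a central service reachable from selected projects without joining their networks, and egress from a single project limited to one external server), as an added example that is not part of the original post: it assumes an OpenShift 3.x cluster running the ovs-networkpolicy plug-in for the first policy, a project `auth` whose service pods carry the label `app=auth` and listen on 8443, consumer projects labelled `auth-client=true`, a project `billing-app` and a DB address `10.20.30.5`; all of these names and addresses are placeholders.

```yaml
# Added example, not from the original post. Project names, labels, ports and
# the DB address below are placeholders chosen for illustration.
---
# 1) Central service reachable from selected projects only, without merging
#    their networks: ingress to the auth pods is allowed solely from namespaces
#    carrying the auth-client=true label; all other projects stay isolated.
#    Requires a plug-in that enforces Kubernetes NetworkPolicy (ovs-networkpolicy).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-auth-clients
  namespace: auth
spec:
  podSelector:
    matchLabels:
      app: auth
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          auth-client: "true"
    ports:
    - protocol: TCP
      port: 8443
---
# 2) Egress from one project limited to the external DB server only.
#    EgressNetworkPolicy is scoped to a project and works with either SDN
#    plug-in; rules are evaluated in order, so the final Deny catches the rest.
#    It matches destination addresses, not ports, so port 1521 still has to be
#    enforced on the DB host's firewall.
apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: default
  namespace: billing-app
spec:
  egress:
  - type: Allow
    to:
      cidrSelector: 10.20.30.5/32   # DB server 'B' (placeholder address)
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
```

Consumer projects are opted in with `oc label namespace <project> auth-client=true`; a project without that label gets no path to the auth pods even though no networks were joined.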