[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Openshift SDN considerations



Boris,

Regarding question one, this would be solved by using a route that is exposed by said authentication service. This prevents the need for having to join the various projects together. Only services between namespaces are locked down. The exposed route will still be available to any and all pods from whichever project.

Regarding question two, It sounds as if you need some sort of IDS or manipulation of iptables/firewalld rules on the openshift nodes. Though that can be difficult to manage and what I’d end up doing is probably putting all the openshift nodes on a separate network, such that I can put a firewall device between the openshift nodes and the rest of the network.



-- 
John Skarbek

On August 30, 2016 at 15:42:50, Boris Kodel (boris kodel gmail com) wrote:

Hello,
I am working in strict security environment in which we use a firewall to limit the traffic between all of our servers. e.g application server 'A' can only access DB server 'B' via port 1521 and cannot access app 'C' nor database 'D' at any port.

Since by default openshift can schedule any pod on any host (and we wish to keep it that way) we have a difficulty complying with the organizational network security model.

We considered using the ovs-multitenant plug-in but still we have a couple of issues:
  1. Limiting traffic inside openshift - if two projects need to communicate with each other we ought to merge their networks. But if we have some central service (like an authentication service) we will need to merge all of the network together thus diminishing the network isolation.
  2. Limiting outbound traffic - If one of our projects needs access to some external service we must allow all of the openshift hosts to access it. So we wish to limit or at least monitor that only this particular project's pods access this service. [In general some tool that show network connections between the internal and the external networks would be most helpful.]
Did someone else ever tackled this issues? I guess that most financial/government organizations have some variation as we do.

Cheers,
Boris K.
_______________________________________________
users mailing list
users lists openshift redhat com
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openshift.redhat.com_openshiftmm_listinfo_users&d=DQICAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=8IlWeJZqFtf8Tvx1PDV9NsLfM_M0oNfzEXXNp-tpx74&m=7uJd1nape9MBiQK60LsEZD40c4JZrbuCeAgGZ-XHUuY&s=niWSMaBOJrPaH6RG-P4JdDmZcWChHPgKwp-4OQHIXJY&e=


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]