Regarding question one, this would be solved by using a route that is exposed by said authentication service. This prevents the need for having to join the various projects together. Only services between namespaces are locked down. The exposed route will still be available to any and all pods from whichever project.
Regarding question two, it sounds as if you need some sort of IDS or manipulation of iptables/firewalld rules on the openshift nodes. Though that can be difficult to manage and what I’d end up doing is probably putting all the openshift nodes on a separate network, such that I can put a firewall device between the openshift nodes and the rest of the network.
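The route approach from the reply above, written out as an added example that is not part of the original message: a small POSIX shell script that renders an OpenShift Route manifest for the authentication service and applies it with `oc` when the client is available. With the multitenant SDN, only pod-to-pod and service traffic is isolated between projects, so a Route through the router stays reachable from pods in any project without running `oc adm pod-network join-projects`. The project name `auth`, service name `auth-svc`, port `8443` and hostname `auth.apps.example.com` are placeholders, not names from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread. Renders a Route that
# exposes an authentication service through the OpenShift router so pods in
# other projects can reach it by hostname instead of joining project networks.
# Placeholder names: project "auth", service "auth-svc", port 8443,
# hostname "auth.apps.example.com".

# route_manifest NAME NAMESPACE SERVICE PORT HOST
# Prints a Route manifest. Edge TLS termination keeps credentials off the
# wire between client pods and the router; plain HTTP is redirected.
# OpenShift 3.x accepts apiVersion v1 for Routes; newer clusters use
# route.openshift.io/v1.
route_manifest() {
    name=$1; ns=$2; svc=$3; port=$4; host=$5
    cat <<EOF
apiVersion: v1
kind: Route
metadata:
  name: ${name}
  namespace: ${ns}
spec:
  host: ${host}
  to:
    kind: Service
    name: ${svc}
  port:
    targetPort: ${port}
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
EOF
}

# apply_route NAME NAMESPACE SERVICE PORT HOST
# Applies the manifest when the oc client is on PATH; otherwise it only prints
# the manifest, so the script can be run offline to review what would be created.
apply_route() {
    if command -v oc >/dev/null 2>&1; then
        route_manifest "$@" | oc apply -f -
    else
        route_manifest "$@"
    fi
}

# Invocation with the placeholder names above. Client pods in any project then
# use https://auth.apps.example.com/ and never need a direct service link.
apply_route auth-route auth auth-svc 8443 auth.apps.example.com
```

Traffic to the route still traverses the router, so the router's own access logs are the place to watch which projects are calling the authentication service, which the service-level isolation alone does not give you.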
On August 30, 2016 at 15:42:50, Boris Kodel (boris kodel gmail com) wrote: