
Re: OpenShift SDN



Thanks Dan and Brenton 

That is a good piece of info. However, while drilling further into the issue, it seems that having a single cluster per data center spanning internal and external nodes has some security issues due to shared routers.

Routers need to be shared or accessible to both internal and external nodes. If we put routers in:

1. External Subnet: We need to open ports from routers to the internal network for 80 and 443. Any compromise of an external application has direct access to internal applications.

2. Internal Network: More security risk. Any external traffic has to come to the internal router network and connect to the external application. Security is compromised at the internal layer, and it is a big hole.

3. Dedicated Subnet for Routers: This is similar to Option 1. We need to open ports from this dedicated subnet to internal and external nodes for router communication. If any external application is compromised, the attacker has direct access to the internal network or application due to the shared subnet.


-- 
Srinivas Kotaru






On 1/15/16, 6:40 AM, "Brenton Leanhardt" <bleanhar redhat com> wrote:

>On Fri, Jan 15, 2016 at 9:35 AM, Dan Winship <danw redhat com> wrote:
>> On 01/14/2016 05:54 PM, Srinivas Naga Kotaru (skotaru) wrote:
>>> Dan
>>>
>>> One question
>>>
>>> Masters are also using the same port for VXLAN communication with nodes,
>>> right? If we block the port from internal and external subnets
>>> but if we put masters in the internal network, they won’t be able to
>>> talk to external nodes or vice versa, right?
>>
>> The VXLAN is only used for communication with *pods*. So in that
>> situation, the master wouldn't directly be able to reach pods on
>> external nodes, but that may or may not be a problem. (There is some
>> reason that we make the master also be a node by default, which has
>> something to do with some tool which wants to have access to the pods,
>> but I don't remember what that is.)
>
>If the Masters can't reach Pods then the Web Console integration with
>Java Pods (via jolokia) won't work.
>
>>
>> Master<->Node communication (eg, to launch new pods, etc) happens by the
>> nodes connecting to port 8443 on the master, so wherever the master is,
>> both kinds of nodes need to be able to reach that port.
>>
>>> One solution could be to put masters in another subnet and control
>>> access between master, internal and external subnets. Any other
>>> better approach without doing this?
>>
>> Sure. Or just have some firewall holes specific to the master.
>>
>> -- Dan
>>


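The firewall arrangement discussed in the quoted exchange (both kinds of nodes reaching the master on port 8443, VXLAN blocked between the internal and external subnets), as an added example that is not part of the original thread: a first-match policy audit. The addresses, rule list and function names are constructed, and UDP 4789 as the VXLAN port is an assumption, since the thread does not name it.

```python
import ipaddress

# Constructed addresses; none of these values come from the thread.
MASTER = "10.0.0.10"
INTERNAL_NODES = "10.1.0.0/24"
EXTERNAL_NODES = "10.2.0.0/24"
SAMPLE = {"internal": "10.1.0.5", "external": "10.2.0.5"}  # one node per subnet
MASTER_API_PORT = 8443  # nodes connect to this port on the master (from the thread)
VXLAN_PORT = 4789       # assumption: VXLAN UDP port, not stated in the thread

# Ordered rules, first match wins, default deny: (action, src, dst, proto, port)
RULES = [
    ("allow", INTERNAL_NODES, MASTER + "/32", "tcp", MASTER_API_PORT),
    ("allow", EXTERNAL_NODES, MASTER + "/32", "tcp", MASTER_API_PORT),
    ("deny", INTERNAL_NODES, EXTERNAL_NODES, "udp", VXLAN_PORT),
    ("deny", EXTERNAL_NODES, INTERNAL_NODES, "udp", VXLAN_PORT),
    ("allow", INTERNAL_NODES, INTERNAL_NODES, "udp", VXLAN_PORT),
    ("allow", EXTERNAL_NODES, EXTERNAL_NODES, "udp", VXLAN_PORT),
]

def decide(rules, src_ip, dst_ip, proto, port):
    """Return 'allow' or 'deny' for one flow using first-match semantics."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net, r_proto, r_port in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and (proto, port) == (r_proto, r_port)):
            return action
    return "deny"

def audit(rules):
    """List violations of the two properties discussed in the thread."""
    findings = []
    for zone, host in SAMPLE.items():
        if decide(rules, host, MASTER, "tcp", MASTER_API_PORT) != "allow":
            findings.append(f"{zone} nodes cannot reach master:{MASTER_API_PORT}")
    pairs = [("internal", "external"), ("external", "internal")]
    for a, b in pairs:
        if decide(rules, SAMPLE[a], SAMPLE[b], "udp", VXLAN_PORT) != "deny":
            findings.append(f"VXLAN open from {a} to {b} nodes")
    return findings

def master_pod_access(rules):
    """Whether the master can send VXLAN traffic to nodes in each subnet."""
    return {zone: decide(rules, MASTER, host, "udp", VXLAN_PORT) == "allow"
            for zone, host in SAMPLE.items()}

if __name__ == "__main__":
    print(audit(RULES), master_pod_access(RULES))
```

With this rule set the master has no VXLAN path to either subnet, which is the situation where, per the quoted replies, the master cannot reach pods directly and the web console integration via jolokia stops working.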