Regarding question one, this would be solved by using a route that is exposed by said authentication service. This avoids having to join the various projects together. Only services between namespaces are locked down; the exposed route will still be available to any and all pods from whichever project.
Regarding question two, it sounds as if you need some sort of IDS or manipulation of iptables/firewalld rules on the OpenShift nodes. That can be difficult to manage, though, and what I'd probably end up doing is putting all the OpenShift nodes on a separate network, so that I can put a firewall device between the OpenShift nodes and the rest of the network.
On August 30, 2016 at 15:42:50, Boris Kodel (boris kodel gmail com) wrote:

Hello,

I am working in a strict security environment in which we use a firewall to limit the traffic between all of our servers, e.g. application server 'A' can only access DB server 'B' via port 1521 and cannot access app 'C' nor database 'D' on any port.

Since by default OpenShift can schedule any pod on any host (and we wish to keep it that way), we have difficulty complying with the organizational network security model.

We considered using the ovs-multitenant plug-in, but we still have a couple of issues:

- Limiting traffic inside OpenShift - if two projects need to communicate with each other we have to merge their networks. But if we have some central service (like an authentication service) we will need to merge all of the networks together, thus diminishing the network isolation.

- Limiting outbound traffic - if one of our projects needs access to some external service we must allow all of the OpenShift hosts to access it. So we wish to limit, or at least monitor, that only this particular project's pods access this service. [In general, some tool that shows network connections between the internal and the external networks would be most helpful.]

Did someone else ever tackle these issues? I guess that most financial/government organizations have some variation, as we do.

Cheers,
Boris K.

______________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
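As an added illustration of the first suggestion in the reply above (expose the central authentication service through a Route rather than joining project networks under the ovs-multitenant plug-in), here is an example Service plus Route manifest. It is not from the original thread or from the OpenShift project; the project name auth, the service name auth-service, the port 8443 and the hostname auth.apps.example.com are assumptions.

```yaml
# Added example, not from the original thread. Project name, service name,
# port and hostname are assumed. Project "auth" keeps its own ovs-multitenant
# VNID; nothing here joins it to any other project's network.
apiVersion: v1
kind: Service
metadata:
  name: auth-service
  namespace: auth
spec:
  selector:
    app: auth
  ports:
  - name: https
    port: 8443
    targetPort: 8443
---
# The router runs in the default project (VNID 0, which ovs-multitenant treats
# as global), so pods in every project can reach it, and it in turn can reach
# the auth pods. Clients therefore address the service by hostname via the
# router instead of needing their project networks merged.
apiVersion: v1
kind: Route
metadata:
  name: auth
  namespace: auth
spec:
  host: auth.apps.example.com
  to:
    kind: Service
    name: auth-service
  port:
    targetPort: https
  tls:
    # passthrough keeps the TLS session end-to-end between the calling pod and
    # the auth pod, so the router never handles plaintext credentials.
    termination: passthrough
```

A pod in any other project then calls https://auth.apps.example.com/ with no `oc adm pod-network join-projects` needed. The trade-off is the one the reply names: the route is reachable from every project, and from anything outside the cluster that can resolve the hostname and reach the router, so the authentication service has to authenticate (and ideally rate-limit) its callers itself rather than relying on SDN isolation.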