Support for setting rules to specific routes/namespaces?
Closed this issue · 11 comments
Hello!
Is there something planned for implementing firewall rules to specific routes/namespaces?
We have the following use case: we have an application that is running on OCP and that we want to expose to our DMZ.
We want to do this using a route and without relying on any reverse proxy. Our OCP cluster is currently firewalled from our DMZ
and if we remove the firewall rule, it would mean that everything in the DMZ would then have access to all exposed services in OCP, which is not ideal.
Our plan is then to implement something of this sort:
- have a global hardened config inside OpenShift that blocks all requests from the DMZ
- only allow access to specific namespaces/routes if required
Would this be possible? If not, how can this be implemented otherwise?
All the best!
Hi @msherif1234 and thank you for the fast response. Network policies would cover our use case, but from what I know, network policies are only configured per-namespace and there is no such thing as a global network policy that will enable us to create such a deny-all rule.
I believe this where ANP "Admin Network Policy" will try to achieve which is coming in OCP 4.14 release cc'd @tssurya pls confirm
I will close this issue because its outside node firewall scope
/assign @msherif1234
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale
I believe this where ANP "Admin Network Policy" will try to achieve which is coming in OCP 4.14 release cc'd @tssurya pls confirm
yeah ANP will/should do this.
Currently the version coming out in 4.16 OCP release will allow you to block egress from pods to DMZ, if you want to block ingress from outside (DMZ) to the pods inside the cluster, then please comment your use case: https://github.com/kubernetes-sigs/network-policy-api/pull/128/files#r1317640306 because ironically we are actually looking for real use cases where we want to support policy rules for southbound traffic, so far nobody approached us since mostly pods are never accessible directly.
checkout https://network-policy-api.sigs.k8s.io/, https://www.redhat.com/en/blog/using-adminnetworkpolicy-api-to-secure-openshift-cluster-networking for understanding more about ANP
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.
/close
@openshift-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting
/reopen.
Mark the issue as fresh by commenting/remove-lifecycle rotten.
Exclude this issue from closing again by commenting/lifecycle frozen./close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.