Details
-
New Feature
-
Status: Resolved
-
Critical
-
Resolution: Fixed
-
None
-
None
Description
Needed to allow clusters to be locked down but access the services they need to.
Ingress rules can be overridden per service.
We need a similar mechanism per component for egress, that specifies what external endpoints it is permitted to connect to.
e.g. in a default deployed system with network policies enforced, a query running (on hthor, thor or roxie), will not be able to connect with a 3rd party service, e.g. an LDAP service or log stack.
Currently, we [unintentionally] allow any pod that happens to have been given kube API access, that doesn't specifically have its own pod selected networkpolicy, to access any external endpoint.
[ NB: thor components do have their own network policies. ]
Because we generate "default-deny-all-but-dns" which prevents all but DNS,
however, we also generate "allow-apiserver" (also with no pod-selector), which by default is:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-apiserver
spec:
policyTypes:
- Egress
podSelector: {}
egress:
- to:
ports:
- protocol: TCP
If global.egress.kubeApiCidr and global.egress.kubeApiPort were filled in, then it would egress enforce access to only the kubectl API cidr as intended, but without those set, it allows any pod (without another more restrictive network policy) to egress to any endpoint.
Add a mechanism similar to the visibilities definitions, which allows named egress sections, which can then be referenced per component.
e.g.:
global:
egress:
engineEgress:
- to:
- ipBlock:
cidr: 201.13.21.0/24
- ipBlock:
cidr: 142.250.187.0/24
ports:
- protocol: TCP
port: 6789
- protocol: TCP
port: 7890
...
thor:
...
egress: engineEgress
Attachments
Issue Links
- relates to
-
HPCC-28543 Fix helm chart regression (spotted by linting)
-
- Resolved
-
-
-
- Resolved
-
