
Egress network policies for platform applications

Open j-zimnowoda opened this issue 2 years ago • 1 comment

Is your feature request related to a problem? Please describe.

Most of the platform applications do not need to initiate connections with endpoints outside the cluster. A simple "allow egress in cluster" rule could significantly improve network security, making traffic unable to leave the cluster.

The cluster LoadBalancerIP shall be whitelisted, so applications can still leverage platform public URLs. Moreover, it should be possible to define public IP addresses per platform app.

Describe the solution you'd like

Each platform application/namespace shall have a corresponding network policy rule that allows egress only inside the cluster.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-in-cluster
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector: {}

Describe alternatives you've considered

Additional context

j-zimnowoda avatar Mar 14 '22 10:03 j-zimnowoda
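As an added example (not part of the issue or of the otomi-core code), a small Python helper that builds the per-namespace policy proposed above and extends it with the two allowances the request asks for: an ipBlock for the cluster LoadBalancer IP and optional per-app public CIDRs. The second function approximates how a CNI evaluates the resulting egress rules, which makes the difference between "any pod in any namespace" and "this external address" visible. All IP values and the namespace name are constructed placeholders.

```python
import ipaddress


def build_egress_policy(namespace, lb_ip=None, extra_public_cidrs=()):
    """Return the 'allow egress only inside the cluster' NetworkPolicy from the
    issue, plus ipBlock rules for the LoadBalancer IP and per-app public CIDRs.
    lb_ip and extra_public_cidrs are caller-supplied assumptions, not defaults
    taken from any real cluster."""
    # namespaceSelector: {} matches pods in every namespace, so in-cluster
    # traffic (including cluster DNS pods) stays allowed; nothing else is.
    rules = [{"to": [{"namespaceSelector": {}}]}]
    cidrs = ([f"{lb_ip}/32"] if lb_ip else []) + list(extra_public_cidrs)
    for cidr in cidrs:
        # Reject malformed or host-bit CIDRs here rather than at the API server.
        ipaddress.ip_network(cidr)
        # ipBlock is for cluster-external addresses; pod IPs inside such a
        # range are not reliably matched by Kubernetes NetworkPolicy semantics.
        rules.append({"to": [{"ipBlock": {"cidr": cidr}}]})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-egress-in-cluster", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": rules},
    }


def egress_allowed(policy, dst_ip, dst_is_cluster_pod):
    """Approximate the CNI decision for one destination: a namespaceSelector
    peer matches any pod in the cluster, an ipBlock peer matches by CIDR.
    With policyTypes [Egress] and no matching rule the connection is denied."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy["spec"]["egress"]:
        for peer in rule.get("to", []):
            if "namespaceSelector" in peer and dst_is_cluster_pod:
                return True
            if "ipBlock" in peer and ip in ipaddress.ip_network(peer["ipBlock"]["cidr"]):
                return True
    return False


if __name__ == "__main__":
    # Constructed values: RFC 5737 documentation ranges, placeholder namespace.
    pol = build_egress_policy("platform-app", lb_ip="203.0.113.10",
                              extra_public_cidrs=["198.51.100.0/24"])
    print(egress_allowed(pol, "10.244.1.7", dst_is_cluster_pod=True))    # in-cluster pod
    print(egress_allowed(pol, "203.0.113.10", dst_is_cluster_pod=False))  # LB IP
    print(egress_allowed(pol, "8.8.8.8", dst_is_cluster_pod=False))       # blocked
```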

Can we please stick to scrum instead of using templates for the public, @j-zimnowoda?

Morriz avatar Mar 23 '22 13:03 Morriz