fix: add in missing ACLs for windows multitenancy #2617
Conversation
pjohnst5
force-pushed
the
paujohns/new-conflist
branch
from
7182535
to
e7122c9
Compare
pjohnst5
force-pushed
the
paujohns/new-conflist
branch
from
e7122c9
to
5655bf8
Compare
|
The reason I say this breaks QxBytes, is if a customer/partner team were to use Kubernetes with this conflist, the pods would not be able to resolve DNS, which is done through wireserver So I suggest here we add this back in, at least for testing, and maybe even back to the prod one too, because I don't see why we need to block Wireserver IP |
|
@tamilmani1989 also to comment on this |
pjohnst5
force-pushed
the
paujohns/new-conflist
branch
from
5655bf8
to
d1e8e8c
Compare
pjohnst5
changed the title
pjohnst5
force-pushed
the
paujohns/new-conflist
branch
from
2bfcc84
to
9b74eb0
Compare
|
Validated both that outbound traffic to wireserver 80 is blocked within the pod and wireserver via pod's apipia endpoint also is blocked while seeing blocked packets increase by +1 each time |
There was a problem hiding this comment.
Paul and I confirmed that invoking a request to google.com from within the container is successful with these two added ACL rules. DNS functionality with nslookup within the container was also confirmed and successful. We also validated that the wireserver traffic is blocked via both apipa and the container's eth0 by checking the vfp rules and seeing the dropped packet counter increase when a request is issued.
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
In #2515 , an ACL was introduced to block port 80 of Wireserver
However, this also breaks all connectivity of a Windows multitenany pod
Adding in missing ACLs to fix this
Pings work just fine now with this fix: