fix: add in missing ACLs for windows multitenancy #2617
The reason I say this breaks QxBytes is, if a customer/partner team were to use Kubernetes with this conflist, the pods would not be able to resolve DNS, which is done through wireserver. So I suggest here we add this back in, at least for testing, and maybe even back to the prod one too, because I don't see why we need to block the Wireserver IP.
@tamilmani1989 also to comment on this
Validated both that outbound traffic to wireserver port 80 is blocked within the pod and that wireserver via the pod's apipa endpoint is also blocked, while seeing blocked packets increase by +1 each time.
Paul and I confirmed that invoking a request to google.com from within the container is successful with these two added ACL rules. DNS functionality with nslookup within the container was also confirmed and successful. We also validated that the wireserver traffic is blocked via both apipa and the container's eth0 by checking the vfp rules and seeing the dropped packet counter increase when a request is issued.
/azp run
Azure Pipelines successfully started running 2 pipeline(s).
In #2515, an ACL was introduced to block port 80 of Wireserver.
However, this also breaks all connectivity of a Windows multitenancy pod.
Adding in the missing ACLs to fix this.
Pings work just fine now with this fix:
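A constructed model of the two rule sets this thread describes, added here as an example (not code from this PR or from Azure CNI). It assumes HNS-style ACLs are evaluated by ascending priority with first match winning, and that unmatched traffic is dropped once any ACL applies to the endpoint; the wireserver address 168.63.129.16, the allow rule and the sample flows are assumptions, not the PR's actual policies.

```python
# Constructed model of ACL evaluation for the rule sets discussed in this PR.
# Not code from the PR or from Azure CNI. Assumed semantics: rules are checked
# in ascending Priority, first match wins, and once any ACL policy applies to
# an endpoint, traffic matching no rule is dropped (default deny).
from dataclasses import dataclass, field

WIRESERVER = "168.63.129.16"  # Azure wireserver address; assumed, not on the page
ANY = "*"


@dataclass
class AclRule:
    action: str            # "Allow" or "Block"
    direction: str         # "Out" or "In"
    remote_addr: str       # a single address or "*"
    remote_ports: set = field(default_factory=set)  # empty set means any port
    protocol: str = ANY    # "TCP", "UDP", "ICMP" or "*"
    priority: int = 1000   # lower number is evaluated first

    def matches(self, direction, dst, port, proto):
        return (self.direction == direction
                and self.remote_addr in (ANY, dst)
                and (not self.remote_ports or port in self.remote_ports)
                and self.protocol in (ANY, proto))


def evaluate(rules, direction, dst, port, proto):
    """Return 'Allow' or 'Block' for one flow under the assumed semantics."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(direction, dst, port, proto):
            return rule.action
    return "Block" if rules else "Allow"  # assumed default deny once ACLs exist


# Rule set after #2515 as the thread describes it: only the wireserver block.
BLOCK_ONLY = [AclRule("Block", "Out", WIRESERVER, {80}, "TCP", priority=200)]

# Rule set with a missing allow rule added (constructed, not the PR's exact
# policy): wireserver:80 stays blocked, any other outbound flow is allowed.
WITH_ALLOWS = BLOCK_ONLY + [AclRule("Allow", "Out", ANY, priority=1000)]

# Constructed sample flows mirroring the checks made in the thread.
FLOWS = {
    "dns":        ("Out", "10.0.0.10", 53, "UDP"),
    "https":      ("Out", "142.250.1.1", 443, "TCP"),
    "ping":       ("Out", "8.8.8.8", 0, "ICMP"),
    "wireserver": ("Out", WIRESERVER, 80, "TCP"),
}


def outcomes(rules):
    """Map each sample flow name to its verdict under the given rule set."""
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}
```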