Isolate etcd using Network Policies #631
Comments
Yes, ideally we get network policies that define fine-grained rules to only allow those components to talk to each other that really need to (not only etcd). @wyb1 started working on defining network policies for Prometheus, but I suggest that someone takes the time to investigate who needs to talk to whom and then - carefully and with an extended amount of tests - designs the network policies.
@adracus interested in this one?
Following up from the email conversation where I reported the issue first.
We currently only isolate the kube-apiserver as it is the only entrypoint into the seeds. Isolating the other components is definitely planned and desired, but not that critical, as nobody can directly talk to them. |
@rfranzke I guess providing a block is very difficult with our current network policies. I think we rather require a bigger rework there, but as you also said, the priority right now is not high for this. |
Closed for the more general issue #873
etcd shall be isolated using the following policies:
(2) above might interfere with the backup infrastructure and might need further investigation.
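The issue text above asks for etcd to reach only the components that really need it. As an added illustration (not a policy from the Gardener project or from this issue), the following NetworkPolicy selects the etcd pods of one seed namespace and, by listing both policy types, denies every ingress and egress flow that is not explicitly allowed: client traffic from kube-apiserver on 2379, peer traffic between etcd members on 2380, DNS, and an egress allowance that stands in for the backup destination. The namespace name, the pod labels (`app: etcd`, `app: kube-apiserver`, `k8s-app: kube-dns`), the backup CIDR and the backup port are assumptions made for the example; the real labels and destinations have to be taken from the cluster before applying anything like this.

```yaml
# Added example, not part of the Gardener issue or code base.
# All names and labels below are assumptions for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: etcd-allow-apiserver-only
  namespace: shoot--example        # assumed seed namespace of one shoot control plane
spec:
  podSelector:
    matchLabels:
      app: etcd                    # assumed label on the etcd pods
  # Listing both types turns the policy into a default-deny for the selected
  # pods; only the rules below are permitted.
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # (a) only kube-apiserver may open client connections to etcd
  - from:
    - podSelector:
        matchLabels:
          app: kube-apiserver      # assumed label on the kube-apiserver pods
    ports:
    - protocol: TCP
      port: 2379
  # (b) etcd members talk to each other on the peer port
  - from:
    - podSelector:
        matchLabels:
          app: etcd
    ports:
    - protocol: TCP
      port: 2380
  egress:
  # (c) peer traffic to the other members
  - to:
    - podSelector:
        matchLabels:
          app: etcd
    ports:
    - protocol: TCP
      port: 2380
  # (d) DNS, needed if peer/client URLs are resolved by name
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns        # assumed label of the cluster DNS pods
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # (e) egress for backups: without this rule the egress default-deny would
  # cut the backup infrastructure off. The CIDR and port are placeholders.
  - to:
    - ipBlock:
        cidr: 203.0.113.0/24       # assumed address range of the backup store
    ports:
    - protocol: TCP
      port: 443
```

Two checks belong with a policy like this before it goes anywhere near production: first, the seed's CNI must actually enforce NetworkPolicy objects, otherwise the object is accepted by the API server and does nothing; second, after applying it, a connection attempt to port 2379 from a pod that is not kube-apiserver should time out, one from kube-apiserver should succeed, and a full backup run should be exercised to confirm that rule (e) covers every destination the backup path uses.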