Block new incoming connections to seed cluster from vpn tunnel #874
4f58f12 to 2044d50
Can you elaborate what exactly happens here? What is blocked, etc.?
Do we really want to block all traffic to the API server? There are things that still need to talk to the API server, e.g. kube-proxy, kubelet, etc.
charts/seed-controlplane/charts/kube-apiserver/templates/kube-apiserver.yaml
charts/seed-monitoring/charts/prometheus/templates/prometheus.yaml
2044d50 to f2e3ebb
You have to add alpine to the list of injected images during deployment, e.g. https://github.com/gardener/gardener/blob/master/pkg/operation/hybridbotanist/controlplane.go#L379 for kube-apiserver (similar for prometheus).
f2e3ebb to 97896f4
/lgtm
/lgtm
What this PR does / why we need it:
Set an iptables rule to block new incoming connections from the shoot cluster but allow ICMP connections.
Which issue(s) this PR fixes:
Fixes: gardener/vpn#40
Special notes for your reviewer:
The important traffic is going through the public endpoint, so it is not affected by this PR.
Release note:
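The PR description only names the intent (drop new connections arriving over the VPN tunnel, keep ICMP). The script below is an added example written for this page, not code from gardener or from this PR, showing the rule set such an init container would install inside the kube-apiserver or prometheus pod, plus a check that the rules landed in the right order. It assumes the tunnel interface is named `tun0` in the pod, that the INPUT chain's default policy is ACCEPT, and that the container runs with CAP_NET_ADMIN so `iptables` may alter the pod's network namespace.

```shell
#!/bin/sh
# Added example (not gardener's code and not part of PR #874).
# Assumptions: the VPN tunnel shows up in the pod as "tun0", the INPUT
# chain's default policy is ACCEPT, and we hold CAP_NET_ADMIN.
set -e

VPN_IF="${VPN_IF:-tun0}"   # assumed name of the VPN tunnel interface

# Emit the rules as text. Order matters: iptables evaluates a chain top to
# bottom, so the ICMP accept must come before the drop of NEW connections.
# Replies to connections opened from this pod toward the shoot (kubelet
# exec/logs, metrics scraping) are ESTABLISHED, not NEW, so they still pass.
render_rules() {
    ifname="$1"
    cat <<EOF
iptables -A INPUT -i ${ifname} -p icmp -j ACCEPT
iptables -A INPUT -i ${ifname} -m conntrack --ctstate NEW -j DROP
EOF
}

# Read the output of `iptables -S INPUT` on stdin and succeed only when both
# rules exist for the interface and the ICMP accept precedes the NEW drop.
check_listing() {
    ifname="$1"
    awk -v ifn="$ifname" '
        $0 ~ "-i " ifn " " && /-p icmp/ && /-j ACCEPT/ && !acc { acc = NR }
        $0 ~ "-i " ifn " " && /NEW/ && /-j DROP/ && !drp { drp = NR }
        END { exit !(acc && drp && acc < drp) }'
}

# Apply the rules for real, then verify them. Falls back to printing when we
# are not root or iptables is unavailable (e.g. when run outside the pod).
apply_rules() {
    ifname="$1"
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "need root and iptables to apply rules; printing instead" >&2
        render_rules "$ifname"
        return 1
    fi
    render_rules "$ifname" | sh -e
    iptables -S INPUT | check_listing "$ifname"
}

case "${1:-}" in
    --apply) apply_rules "$VPN_IF" ;;
    *)       render_rules "$VPN_IF" ;;
esac
```

Run with `--apply` inside a privileged init container to install and verify the rules; without it the script only prints them. Because an init container runs once per pod start and only in that pod's network namespace, nothing outside the kube-apiserver or prometheus pod is affected, and shoot components that reach the API server through the public endpoint never traverse `tun0` at all. The check matches both `--ctstate NEW` and the older `-m state --state NEW` spelling, since which one `iptables -S` prints depends on the iptables version in the image.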