
Block new incoming connections to seed cluster from vpn tunnel #874

Merged
merged 1 commit into from Mar 28, 2019

Conversation

@DockToFuture DockToFuture (Member) commented Mar 27, 2019

What this PR does / why we need it:
Set an iptables rule to block new incoming connections from the shoot cluster but allow ICMP connections.

Which issue(s) this PR fixes:
Fixes: gardener/vpn#40

Special notes for your reviewer:
The important traffic is going through the public endpoint, so it is not affected by this PR.

Release note:

Traffic from shoot to seed via the VPN endpoint is now blocked.

@DockToFuture DockToFuture requested a review from a team as a code owner March 27, 2019 15:35
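The PR description only names the intent (block NEW connections arriving over the VPN tunnel, keep ICMP). The following script is an added illustration of what such a rule set looks like; it is not the PR's code. It assumes the tunnel interface is called `tun0` (override with `TUN_IF`) and that the rules are applied in a container that has the `NET_ADMIN` capability; by default it only prints the rules, and `APPLY=1` executes them.

```shell
#!/bin/sh
# Added example, not the PR's own code. Firewall rules that drop NEW inbound
# connections arriving over the VPN tunnel while keeping reply traffic and ICMP.
TUN_IF="${TUN_IF:-tun0}"   # assumed name of the VPN tunnel interface

# Emit (or run) the rules in order. Pass "echo" as $1 to dry-run; pass nothing to
# execute iptables for real (needs root or CAP_NET_ADMIN).
vpn_seed_rules() {
  run="${1:-}"
  # 1. Replies to connections the seed itself opened through the tunnel must
  #    keep flowing, so this rule has to come before the DROP.
  $run iptables -A INPUT -i "$TUN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 2. ICMP stays open so ping and path-MTU discovery across the tunnel keep working.
  $run iptables -A INPUT -i "$TUN_IF" -p icmp -j ACCEPT
  # 3. Anything else that tries to open a NEW connection from the shoot side is dropped.
  $run iptables -A INPUT -i "$TUN_IF" -m conntrack --ctstate NEW -j DROP
}

# Print the rules by default; APPLY=1 applies them.
if [ "${APPLY:-0}" = "1" ]; then
  vpn_seed_rules
else
  vpn_seed_rules echo
fi
```

The order matters: if the `NEW ... DROP` rule were appended first, the ESTABLISHED rule would never be reached for tunnel traffic and the seed's own outbound connections through the VPN would lose their replies. Note that this only filters the tunnel interface, so traffic via the public endpoint mentioned in the PR is untouched.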
@rfranzke (Member)

Can you elaborate what exactly happens here? What is blocked, etc.?

@rfranzke rfranzke added kind/enhancement Enhancement, improvement, extension status/under-investigation area/security Security related size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. platform/all area/networking Networking related topology/seed Affects Seed clusters labels Mar 27, 2019
@zanetworker (Contributor)

Do we really want to block all traffic to the API server? There are things that need to talk to the API server still, e.g., kube-proxy, kubelet, etc.

@rfranzke rfranzke (Member) left a comment

You have to add alpine to the list of injected images during deployment, e.g. https://github.com/gardener/gardener/blob/master/pkg/operation/hybridbotanist/controlplane.go#L379 for kube-apiserver (similar for prometheus).

@rfranzke rfranzke (Member) left a comment

/lgtm

@zanetworker zanetworker (Contributor) left a comment

/lgtm

Development

Successfully merging this pull request may close this issue: Add firewall rules to vpn-seed pod