For security reasons it would be great to integrate network policies to limit network connections only between allowed services.
Let's see an example:
let's assume we have an application composed of

- a front-end web application (ex. Nuxt.js or a Node.js server with Express) that will give a web representation of the data fetched by the back-end API
- a back-end API (ex. a Go application) that will read and interact with the data
- a local Redis service
- a shared MySQL service (shared between different projects, as MySQL scales better if you have one global instance instead of multiple separate ones)
Now the front-end App should be contacted only by the ingress and can only contact the back-end API.
The back-end API should be contacted only by the front-end App but can connect to the local Redis and shared Mysql instances.
The shared Mysql instances may be contacted by multiple services in various projects while the other services are only available inside the pipeline/stage and cannot be accessed anywhere else (except from the web ingress).
Creating egress/ingress rules allows limiting incoming and outgoing traffic where it is not allowed; let's say for example that the front-end web application gets compromised:
in a normal Kubernetes system the attacker may try to reach other services in the cluster (ex: a not-so-well-secured internal service that may contain critical data, only secured by "not opening any port to the public"); by applying those rules the attacker may only reach the back-end API and cannot reach non-essential services in any way.
To convert this into a UI/UX feature I propose to block by default (maybe also adding a checkbox to disable this feature?) all the traffic that is not "linked" to the service as an add-on or as a "linked service" from another pipeline (in this example the global MySQL service; other services may include mail services, etc.).
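As an added illustration (not part of the original issue or of the project), here is what the proposed rules look like as plain Kubernetes `NetworkPolicy` objects for the four-service layout above. Everything concrete is an assumption for the example: the project namespace `project-stage`, pod labels `app=frontend`/`app=backend`/`app=redis`, ports 3000/8080/6379/3306, an ingress controller in a namespace called `ingress-nginx`, and the shared MySQL pods labelled `app=mysql` in a namespace called `shared-services`. The `kubernetes.io/metadata.name` namespace label is set automatically by Kubernetes 1.21 and later.

```yaml
# Added example, not from the issue or the project. Assumed names: namespace
# project-stage, labels app=frontend|backend|redis, ports 3000/8080/6379/3306,
# ingress controller in namespace ingress-nginx, MySQL (app=mysql) in shared-services.
---
# 1. Default deny in both directions for every pod in the namespace. The only
#    egress kept open is DNS: a default-deny that also drops UDP/53 to kube-dns
#    silently breaks name resolution for every service below.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-except-dns
  namespace: project-stage
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
---
# 2. Front-end: reachable only from the ingress controller, may only talk to the back-end.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend
  namespace: project-stage
spec:
  podSelector:
    matchLabels: { app: frontend }
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - { protocol: TCP, port: 3000 }
  egress:
    - to:
        - podSelector:
            matchLabels: { app: backend }
      ports:
        - { protocol: TCP, port: 8080 }
---
# 3. Back-end: reachable only from the front-end; may reach local Redis and shared MySQL.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: project-stage
spec:
  podSelector:
    matchLabels: { app: backend }
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector:
            matchLabels: { app: frontend }
      ports:
        - { protocol: TCP, port: 8080 }
  egress:
    - to:
        - podSelector:
            matchLabels: { app: redis }
      ports:
        - { protocol: TCP, port: 6379 }
    - to:
        # namespaceSelector and podSelector inside ONE list item are ANDed:
        # only app=mysql pods in shared-services, not every pod in that namespace.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: shared-services
          podSelector:
            matchLabels: { app: mysql }
      ports:
        - { protocol: TCP, port: 3306 }
---
# 4. Redis: accepts connections from the back-end only (egress stays at DNS-only from policy 1).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: redis
  namespace: project-stage
spec:
  podSelector:
    matchLabels: { app: redis }
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels: { app: backend }
      ports:
        - { protocol: TCP, port: 6379 }
```

Two caveats a reviewer of this feature would raise. First, `NetworkPolicy` is only a declaration: it is enforced solely by a CNI plugin that implements it (Calico, Cilium and similar); on a cluster whose network plugin ignores the API these objects apply cleanly and block nothing, so the UI should verify enforcement rather than assume it. Second, policies are additive and per-namespace: the manifests above allow the back-end to *send* to MySQL, but if `shared-services` has its own default deny, it also needs an ingress rule admitting `project-stage` pods, otherwise the connection is dropped on the receiving side. Policies 2 to 4 do not repeat the DNS rule because the allow from policy 1 is unioned with them; the whole set can be checked from inside a front-end pod by confirming that the back-end port answers while Redis and MySQL time out.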