
Configurable networking filter for ingress traffic (geo-blocking) [EPIC] #136

Open
pbochynski opened this issue May 23, 2023 · 14 comments
Labels
area/control-plane Related to all activities around Kyma Control Plane Epic

Comments

@pbochynski
Contributor

pbochynski commented May 23, 2023

Description
Add the possibility to enable ingress filtering in Kyma Runtime that utilizes shoot-networking-filter. The filter allows blocking certain IP addresses or even regions (geo-blocking). The filter should be applied only when explicitly configured by the user (suggestion: Kyma Runtime service instance parameter).

Reasons
Kyma Runtime utilizes shoot-networking-filter from Gardener. The default setup enables only the egress filter. Applications running on Kyma that use external authentication services (like SAP IAS or XSUAA) comply with geo-blocking regulations out of the box. Those external services not only block access from embargoed countries but also permanently block user accounts. But there are some use cases where applications hosted in Kyma Runtime are accessed by service accounts (system-to-system communication), and in that case geo-blocking has to be enabled in the Kyma cluster.
Be aware that the ingress filter should not be enabled if the application is accessed by end users directly, as the blackholing will block the redirect to IAS/XSUAA and the user activity in the embargoed country cannot be tracked.
That's why the incoming filter should be enabled by the Kyma Runtime customer on demand, as a conscious decision, if the application exposes an API accessible by other systems only.

Attachments

@PK85

PK85 commented Jun 1, 2023

Just for information. The KEB already supports enabling the Gardener Enterprise Policy Filter (egress filtering) for internal GAs.
Provisioner API has:

input.GardenerConfig.ShootNetworkingFilterDisabled

KEB code

@kyma-bot
Contributor

This issue or PR has been automatically marked as stale due to the lack of recent activity.
Thank you for your contributions.

This bot triages issues and PRs according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 7d of inactivity since lifecycle/stale was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Close this issue or PR with /close

If you think that I work incorrectly, kindly raise an issue with the problem.

/lifecycle stale

@kyma-bot kyma-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 20, 2023
@kyma-bot
Contributor

This issue or PR has been automatically closed due to the lack of activity.
Thank you for your contributions.

This bot triages issues and PRs according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 7d of inactivity since lifecycle/stale was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle stale

If you think that I work incorrectly, kindly raise an issue with the problem.

/close

@kyma-bot
Contributor

@kyma-bot: Closing this issue.

In response to this:

This issue or PR has been automatically closed due to the lack of activity.
Thank you for your contributions.

This bot triages issues and PRs according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 7d of inactivity since lifecycle/stale was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle stale

If you think that I work incorrectly, kindly raise an issue with the problem.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@pbochynski pbochynski reopened this Aug 28, 2023
@pbochynski pbochynski removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 28, 2023
@kyma-bot kyma-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 27, 2023
@kyma-bot kyma-bot closed this as completed Nov 3, 2023
@TorstenD-SAP TorstenD-SAP reopened this Nov 3, 2023
@TorstenD-SAP TorstenD-SAP removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 10, 2023
@TorstenD-SAP TorstenD-SAP reopened this Nov 10, 2023
@kyma-bot kyma-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 9, 2024
@pbochynski pbochynski removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 16, 2024
@pbochynski pbochynski reopened this Jan 16, 2024
@TorstenD-SAP TorstenD-SAP added the area/api-gateway Issues or PRs related to api-gateway label Jan 17, 2024
@pbochynski pbochynski removed the area/api-gateway Issues or PRs related to api-gateway label Jan 19, 2024
@tobiscr tobiscr changed the title Configurable networking filter for ingress traffic (geo-blocking) Configurable networking filter for ingress traffic (geo-blocking) [EPCI] Jan 19, 2024
@tobiscr tobiscr changed the title Configurable networking filter for ingress traffic (geo-blocking) [EPCI] Configurable networking filter for ingress traffic (geo-blocking) [EPIC] Jan 19, 2024
@tobiscr tobiscr transferred this issue from kyma-project/kyma Jan 29, 2024
@tobiscr tobiscr added the area/control-plane Related to all activities around Kyma Control Plane label Jun 27, 2024
@tobiscr
Contributor

tobiscr commented Dec 19, 2024

It's also possible to limit the ingress filtering to worker-groups: https://github.com/gardener/gardener-extension-shoot-networking-filter/blob/master/docs/usage/shoot-networking-filter.md#ingress-filt[…]worker-group (thanks to @a-thaler for pointing out that it's worth considering as part of the feature)

@tobiscr
Contributor

tobiscr commented Jan 31, 2025

@pbochynski - we need your input, please:

Q1: Support for ingress-filtering is not available on CCEE, and on AWS only when services include a particular label (see docs).

This could be covered by documentation, but it's a bit inconvenient for customers. Is this ok?

Q2: Do we want to support filtering-rules per worker-pool? Our proposal is to start the MVP with filtering-rules which are used for the whole cluster.

Is this acceptable?

Q3: We could think of moving the configuration to the SKR side (customers can configure it in a CRD on SKR and KIM collects it from there; we need this feature for #135 anyway, see our task for the POC for configurations on the SKR side).

What is your preference - configuration in KEB or on the SKR side?
