Configurable networking filter for ingress traffic (geo-blocking) [EPIC] #136
Comments
Just information. The KEB already supports enabling Gardener Enterprise Policy Filter (egress filtering) for internal GAs.
KEB code
This issue or PR has been automatically marked as stale due to the lack of recent activity. This bot triages issues and PRs according to the following rules:
You can:
If you think that I work incorrectly, kindly raise an issue with the problem. /lifecycle stale
This issue or PR has been automatically closed due to the lack of activity. This bot triages issues and PRs according to the following rules:
You can:
If you think that I work incorrectly, kindly raise an issue with the problem. /close
@kyma-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
It's also possible to limit the ingress filtering to worker groups: https://github.com/gardener/gardener-extension-shoot-networking-filter/blob/master/docs/usage/shoot-networking-filter.md#ingress-filt[…]worker-group (thanks to @a-thaler for pointing out that it's worth considering it as part of the feature)
@pbochynski - we need your input, please:
Q1: Support for ingress filtering is not available on CCEE, and on AWS only when services include a particular label (see docs). This could be covered by documentation, but it's a bit inconvenient for customers. Is this ok?
Q2: Do we want to support filtering rules per worker pool? Our proposal is to start the MVP with filtering rules which are used for the whole cluster. Is this acceptable?
Q3: We could think of moving the configuration to the SKR side (customers can configure it in a CRD on SKR and KIM collects it from there; we need this feature for #135 anyway, see our task for a POC for configurations on the SKR side). What is your preference - configuration in KEB or on the SKR side?
Description
Add the possibility to enable ingress filtering in Kyma Runtime that utilizes shoot-networking-filter. The filter allows blocking certain IP addresses or even regions (geo-blocking). The filter should be applied only when explicitly configured by the user (suggestion: Kyma Runtime service instance parameter).
Reasons
Kyma runtime utilizes shoot-networking-filter from Gardener. The default setup enables only the egress filter. Applications running on Kyma that use external authentication services (like SAP IAS or XSUAA) comply with geo-blocking regulations out of the box. Those external services not only block access from embargoed countries but also permanently block user accounts. But there are some use cases where applications hosted in Kyma Runtime are accessed by service accounts (system-to-system communication), and in that case geo-blocking has to be enabled in the Kyma cluster.
Be aware that the ingress filter should not be enabled if the application is accessed by end users directly, as the blackholing will block the redirect to IAS/XSUAA and the user activity in the embargoed country cannot be tracked.
That's why the incoming filter should be enabled by the Kyma Runtime customer on demand, as a conscious decision, if the application exposes an API accessible by other systems only.
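The shoot extension configuration this request points at, written out as an added illustration (this is not code from the Kyma project, from KEB, or from this issue): a Gardener Shoot spec fragment that enables the shoot-networking-filter extension with blackholing cluster-wide, which drops traffic to and from the listed networks (that is, ingress as well as egress filtering), and switches blackholing off again for one worker pool that serves browser users, matching the caveat in the description. The field names (`egressFilter`, `blackholingEnabled`, `staticFilterList`, `policy`, `workers`) are my reading of the extension's usage doc linked in the comments above and are assumptions to verify against that doc; the cluster name, pool names and CIDRs are constructed placeholders.

```yaml
# Added example, not from the Kyma project or this issue.
# Field names follow my reading of the gardener-extension-shoot-networking-filter
# usage doc (assumption: verify against the linked doc). Names and CIDRs are
# constructed placeholders, not real embargoed ranges.
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  name: example-skr            # constructed
  namespace: garden-example    # constructed
spec:
  provider:
    workers:
    - name: api-only           # pool serving system-to-system APIs only
      # machine / volume settings omitted
    - name: end-user-apps      # pool serving end users behind IAS/XSUAA
      # machine / volume settings omitted
  extensions:
  - type: shoot-networking-filter
    providerConfig:
      apiVersion: shoot-networking-filter.extensions.gardener.cloud/v1alpha1
      kind: Configuration
      egressFilter:
        # true  -> blackhole routes: packets to AND from the listed networks
        #          are dropped, which is what gives you ingress filtering
        # false -> egress-only firewall mode (the Kyma default described above)
        blackholingEnabled: true
        # static entries on top of the policy-provided list (constructed CIDRs)
        staticFilterList:
        - network: 203.0.113.0/24
          policy: BLOCK_ACCESS
        - network: 2001:db8:1::/48
          policy: BLOCK_ACCESS
        # per-worker-pool override (assumption: the "ingress filtering for
        # worker group" section of the doc). The end-user pool keeps egress-only
        # filtering so the redirect to IAS/XSUAA still reaches the user and the
        # identity service, not a silent blackhole, records and blocks the account.
        workers:
          blackholingEnabled: false
          names:
          - end-user-apps
```

Two things to check before relying on a fragment like this: whether the worker-pool override is really what the extension supports in your version (the MVP proposal in the comments is cluster-wide rules only), and the platform restriction raised in the same comment, that ingress filtering is not available on CCEE and on AWS only takes effect for services carrying a particular label, so a blackholed cluster on AWS with unlabelled LoadBalancer services would give the customer a false sense of geo-blocking.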