Comments (3)
hi @jcpunk
I had a quick look, and I am not too sure what the network policy should look like.
it seems whitelisting the apiserver for egress traffic isn't as simple as expected: cilium/cilium#20550
(seems to require specifying the CIDR of the API server IP)
I've also checked another controller (OPA Gatekeeper) to see how they do it:
https://github.com/open-policy-agent/gatekeeper/blob/b7230e0bdc3479b867acd2fd0d7192b1182c59d4/charts/gatekeeper/templates/gatekeeper-controller-manager-network-policy.yaml#L4
they only have an optional NetPol that restricts what can enter the pod, nothing for egress.
How would you see it in our case?
from kubelet-csr-approver.
Alas, I don't know enough about what it needs networking wise...
perhaps something like:
```yaml
egress:
  - to:
      - namespaceSelector:
          matchLabels:
            name: kube-system
    ports:
      - protocol: UDP
        port: 53
      - protocol: TCP
        port: 53
      - port: 443
        protocol: TCP
```
from kubelet-csr-approver.
I think this type of network policy would more need to be enforced by the cluster operator.
also, typically the kube-apiserver pods run in hostNetwork mode, and are not covered by network policies, except when you use a direct IP address.
That is not however something we can do for this project.
and regarding ingress netpol, here the only endpoint to cover is the /metrics, and again I think this could more be covered by the cluster operator; the security "risk" associated with that endpoint is not worth implementing a default netpol IMO.
therefore closing this issue :)
from kubelet-csr-approver.
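As an added example (not code from the project or from anyone in this thread), here is what a cluster-operator-managed NetworkPolicy along the lines discussed above could look like: ingress only from the metrics scraper, egress only to cluster DNS and, via its IP as the cilium issue notes is required, to the hostNetwork kube-apiserver. The deployment namespace, pod label, metrics port, monitoring namespace, DNS pod label and apiserver address/port are assumptions to adjust to the actual cluster.

```yaml
# Added example (not from the kubelet-csr-approver project). Every value
# marked "assumed" or PLACEHOLDER must be adapted to the real deployment.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kubelet-csr-approver
  namespace: kube-system                                 # assumed deployment namespace
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: kubelet-csr-approver       # assumed pod label
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # The only thing listening is the /metrics endpoint: allow just the
    # scraper's namespace to reach it; everything else inbound is dropped.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring    # assumed scraper namespace
      ports:
        - protocol: TCP
          port: 8080                                     # assumed metrics port
  egress:
    # Cluster DNS: the approver resolves node SAN DNS names unless
    # --bypass-dns-resolution is set, so it needs 53/udp and 53/tcp.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns                          # assumed CoreDNS label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # kube-apiserver runs with hostNetwork, so a namespace/pod selector does
    # not match it; it has to be allowed by the endpoint IP it is reached on.
    - to:
        - ipBlock:
            cidr: 10.0.0.1/32                            # PLACEHOLDER apiserver endpoint IP
      ports:
        - protocol: TCP
          port: 6443                                     # assumed apiserver port
```

Whether the ipBlock rule actually matches traffic to the apiserver depends on the CNI and on whether the policy is evaluated before or after the kubernetes Service ClusterIP is translated, so verify it on the cluster (for example with kubectl exec into the pod and a request to the API) before relying on it.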