SAP-archive / karydia

Kubernetes Security Walnut

Filter for in- and outgoing network traffic #267

Open ThormaehlenFred opened 4 years ago

ThormaehlenFred commented 4 years ago

Description

Filter for in- and outgoing network traffic as configurable Karydia feature

User Story

As Kubernetes cluster owner I want to prevent applications and users from reaching remote hosts or from being reached by remote hosts, in order to mitigate DDoS attacks, avoid SPAM, block access to or from services for specific geographic regions, and so on.

Implementation Idea

This kind of filtering is already being discussed in the Kubernetes community in recent blog postings (see Performance Benchmark Analysis of Egress Filtering on Linux and BPF Isn't Just About Speed). The idea is that one or more Reputation Block Lists are received via HTTPS and a REST-based API and are transformed into Cilium or other technology-based network filters.

alban commented 4 years ago

Does this REST-based API already exist or does it need to be designed? If it exists, it would be good to see documentation with the endpoints, the input/output formats, authentication, and whether there is pagination.

Possible list of tasks:

CodeClinch commented 4 years ago

The authentication information should be stored in the secure store.

ThormaehlenFred commented 4 years ago

Hello @alban, there might be two parts:

  1. a generic part which helps vanilla K8s clusters do the filtering via their own configuration
  2. a Gardener-specific part which provides Gardener-managed K8s clusters with a central, company-defined configuration that can be consumed by the first part
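The pipeline sketched in the issue body (block list in, network filter out) and the "generic part" for vanilla K8s clusters in the reply above, as an added example that is not part of this issue or of Karydia's own code. The Go program below parses a reputation block list, normalises and de-duplicates the CIDRs, reports unparsable entries instead of dropping them, and emits a namespace-wide networking.k8s.io/v1 NetworkPolicy that denies ingress from and egress to the listed ranges. It targets the vanilla NetworkPolicy API rather than a Cilium-specific CRD, which is a substitution for the Cilium filters the issue mentions. Assumptions: the feed format (one CIDR or address per line, `#` comments) and the feed contents are constructed for this example, not a real list; the namespace `payments` and the policy name `reputation-block-list` are placeholders; the HTTPS fetch and the credentials discussed above are left out so the code runs offline.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net"
	"os"
	"sort"
	"strings"
)

// Constructed sample block list, not a real feed; in the issue's design it would be fetched over HTTPS.
const sampleBlockList = `# reputation list, constructed for this example
198.51.100.0/24      # documentation range
203.0.113.7          # bare address, treated as a single host
2001:db8:bad::/48    # IPv6 entry
not-an-address       # malformed: reported, not silently dropped
198.51.100.77/24     # host bits set; normalised to 198.51.100.0/24 (a duplicate)
`

// ParseBlockList returns sorted, de-duplicated IPv4 and IPv6 CIDRs in canonical form plus every
// unparsable line, so a caller can alert on a broken feed instead of applying a policy missing a range.
func ParseBlockList(text string) (v4, v6, bad []string) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // strip trailing comment
		}
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		entry := line
		if ip := net.ParseIP(entry); ip != nil && ip.To4() != nil {
			entry += "/32" // bare IPv4 address: single host
		} else if ip != nil {
			entry += "/128" // bare IPv6 address: single host
		}
		_, ipnet, err := net.ParseCIDR(entry)
		if err != nil {
			bad = append(bad, line)
			continue
		}
		seen[ipnet.String()] = true // host bits cleared, so 198.51.100.77/24 collapses onto 198.51.100.0/24
	}
	for c := range seen {
		if strings.Contains(c, ":") {
			v6 = append(v6, c)
		} else {
			v4 = append(v4, c)
		}
	}
	sort.Strings(v4)
	sort.Strings(v6)
	return v4, v6, bad
}

// The networking.k8s.io/v1 NetworkPolicy peer shape; the rest of the manifest is a plain map.
type ipBlock struct {
	CIDR   string   `json:"cidr"`
	Except []string `json:"except,omitempty"`
}
type peer struct {
	IPBlock *ipBlock `json:"ipBlock,omitempty"`
}
type rule struct {
	From []peer `json:"from,omitempty"`
	To   []peer `json:"to,omitempty"`
}

// BuildPolicy turns the lists into a namespace-wide policy: every pod may still reach and be reached
// by any peer except the listed ranges. Each address family needs its own ipBlock because an 'except'
// entry must lie inside its 'cidr'; ::/0 is always emitted so a dual-stack cluster keeps IPv6 connectivity.
func BuildPolicy(namespace string, v4, v6 []string) map[string]interface{} {
	peers := []peer{
		{IPBlock: &ipBlock{CIDR: "0.0.0.0/0", Except: v4}},
		{IPBlock: &ipBlock{CIDR: "::/0", Except: v6}},
	}
	return map[string]interface{}{
		"apiVersion": "networking.k8s.io/v1",
		"kind":       "NetworkPolicy",
		"metadata":   map[string]string{"name": "reputation-block-list", "namespace": namespace},
		"spec": map[string]interface{}{
			"podSelector": map[string]string{}, // empty selector: every pod in the namespace
			"policyTypes": []string{"Ingress", "Egress"},
			"ingress":     []rule{{From: peers}},
			"egress":      []rule{{To: peers}},
		},
	}
}

func main() {
	v4, v6, bad := ParseBlockList(sampleBlockList)
	fmt.Fprintf(os.Stderr, "unparsable block-list entries, alert on these: %q\n", bad)
	out, _ := json.MarshalIndent(BuildPolicy("payments", v4, v6), "", "  ") // kubectl apply -f accepts JSON
	fmt.Println(string(out))
}
```

The manifest only takes effect on a CNI that enforces NetworkPolicy (Cilium, Calico and the like); on a cluster without one it is accepted by the API server and silently does nothing, so a deployment of this feature should pair the policy with a check that a listed range really is unreachable from a pod. Unparsable feed entries are returned rather than skipped because a feed that starts shipping garbage is itself a signal worth alerting on.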