Closed (cirocosta closed this 4 years ago)
Merging it directly to reflect the current state.

With regards to "why go with an internal connection for connecting to the TSA": it turns out that Calico (I guess?) puts an external constraint on communications even to external services:
```
# matches tcp conns to our external load-balancer - once matched, gets us to the
# `KUBE-FW-blabla` rule.
#
-A KUBE-SERVICES \
  -d 34.68.37.70/32 \
  -p tcp \
  -m comment --comment "ci/ci-web:tsa loadbalancer IP" \
  -m tcp --dport 2222 \
  -j KUBE-FW-3WZFA3OBZWICIHEP

# in this "catch anyone that landed here" rule, we jump to the "mark to drop"
#
-A KUBE-FW-3WZFA3OBZWICIHEP \
  -m comment --comment "ci/ci-web:tsa loadbalancer IP" \
  -j KUBE-MARK-DROP

# mark drop just puts a mark so that a "catch all with this mark" rule can then
# act on it.
#
-A KUBE-MARK-DROP \
  -j MARK --set-xmark 0x8000/0x8000

# acting on those marked as `0x8000`: drop!
#
-A KUBE-FIREWALL \
  -m comment --comment "kubernetes firewall for dropping marked packets" \
  -m mark --mark 0x8000/0x8000 \
  -j DROP
```

^ (from the host)
Thus, the final condition is to: `ci-web` pod in the `ci` namespace
Hey,

This PR is intended to allow the `prs` pipeline to co-exist with `ci` in the `hush-house` GKE cluster. It does so by:

- (`ci-workers-pr`) whose size is the same as we had previously in our BOSH deployment
- (`ci-pr`) that puts workers in such node pool.

As such a deployment is supposed to run untrusted workloads, we needed a way of restricting the network access that this deployment could have in order to avoid lateral movement in the internal net (in the case of our BOSH environment, we had a totally different network; in k8s, we'd need to be in a separate cluster if we wanted to go with the same approach of different nets).

This led us to enabling the enforcement of network policies in the cluster, and creating a policy for `ci-pr` that would target the pods deployed by it, effectively blocking internal connectivity to anything we didn't want (i.e., anything that's not ci's TSA).

P.S.: these changes have already been applied.

related: https://github.com/concourse/prod/issues/36
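For readers who want to see what "a policy that targets the pods deployed by `ci-pr` and blocks everything that isn't ci's TSA" looks like, the following is an added illustration written for this page, not the policy from the hush-house repository. It assumes names the PR does not state: a namespace `ci-pr` for the untrusted workers, a label `app: ci-pr-worker` on them, a label `app: ci-web` on the TSA pod in namespace `ci`, and the `kubernetes.io/metadata.name` namespace label (set automatically by Kubernetes 1.21 and later). The TSA port (2222) and the `ci/ci-web` pod come from the iptables rules and the comment above.

```yaml
# Added example, not the project's own manifest. Assumed values are marked below.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ci-pr-worker-egress        # assumed name
  namespace: ci-pr                 # assumed namespace of the untrusted workers
spec:
  podSelector:
    matchLabels:
      app: ci-pr-worker            # assumed label on the pods created by ci-pr
  policyTypes:
  - Egress                         # with only the rules below, every other egress is denied
  egress:
  # 1. The TSA: talk to the ci-web pod in the ci namespace cluster-internally on 2222.
  #    Going via the external load-balancer IP instead would traverse the
  #    KUBE-FW -> KUBE-MARK-DROP -> KUBE-FIREWALL path shown above and be dropped.
  #    namespaceSelector and podSelector in the same `to` entry are ANDed.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ci
      podSelector:
        matchLabels:
          app: ci-web              # assumed label on the TSA pod
    ports:
    - protocol: TCP
      port: 2222
  # 2. DNS: without this the workers cannot resolve the TSA's service name at all.
  #    kube-dns runs in kube-system on GKE (label k8s-app=kube-dns).
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # 3. Optional (assumption, not stated by the PR): let the untrusted builds reach
  #    the public internet while still excluding private ranges, so the policy keeps
  #    blocking lateral movement inside the VPC. Adjust `except` to the cluster's
  #    real pod, node and service CIDRs.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 169.254.169.254/32       # GCE metadata server
```

Two checks worth doing after applying something like this: confirm enforcement is actually on for the cluster (a NetworkPolicy object is accepted by the API server even when no policy controller is running, in which case it restricts nothing), and verify from inside one of the selected pods that a connection to the TSA pod on 2222 succeeds while a connection to an unrelated internal address (another namespace's service, the node IP, or 169.254.169.254) times out. Egress rule 2 is the one most often forgotten; without it the symptom is "worker can't find the TSA" rather than an obvious policy denial.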