Closed yeplaa closed 4 years ago
Hello @yeplaa
Thanks for your issue. Currently the service broker is provided for one tenant on the cloud, and OpenShift as a PaaS platform is running above the cloud and the network VPC, and OpenShift has the namespace/project inside its platform. So the network VPC in one tenant is not sensitive for the OpenShift namespace/project :) Is it possible to manage serviceinstance and servicebinding in different OpenShift namespaces/projects to provide isolation?
What do you think about that?
Hello @edisonxiang
Thanks for your reply. In the context that I am studying, many customers have an account on the OpenShift PaaS. Every customer has their own project / dedicated namespace. Each project has its own serviceinstance/servicebinding without seeing the serviceinstances of other projects.
But each project can try to access the databases of other projects because the network flows are open, although it does not have the usernames/passwords of other projects. Do you understand my problem?
Thanks, Loïc
Hello,
From OpenShift Origin, I use huaweicloud-service-broker to provision RDS MySQL and DCS Redis on Flexible Engine OBS. In my context, I use it in cluster mode, available for all projects in the OpenShift cluster. The databases will be deployed in the same Flexible Engine tenant and VPC for all projects.
Currently, every OpenShift project can access every database provisioned by the broker. Indeed, I have to allow all IPs of all OpenShift nodes to access all databases via the security group. Only users/passwords limit the connections. Is there an object or a configuration that would allow network flows to a database only for the OpenShift project that provisioned the database instance?
Thanks, Loïc