This issue tracks the progress on implementing StaticRoute CRs in STUNner.
A key security feature of STUNner is that it allows clients to reach only a selected set of peers through TURN. This ensures that even a client holding a valid TURN credential can access only the peers explicitly exposed via a UDPRoute.
Currently the only way to specify the allowed peer IPs is via a standard Kubernetes Service: adding a Service to the backendRefs of a UDPRoute allows clients to reach all of that Service's pods via STUNner. In addition, this mechanism supports specifying the permitted peer IPs as DNS domains (via ExternalName-type Services) or as fully specified IP addresses (via selectorless Services).
Unfortunately, there is currently no way to define specific lists of IP prefixes as backends. This is a problem if someone wishes to deploy STUNner as a public TURN server, since in that case there is no Kubernetes Service that could be used as a backendRef.
The goal is to implement a StaticRoute custom resource that would allow users to specify a static IP prefix list to which STUNner should permit client access. For instance, the below StaticRoute would allow access to any backend via the udp-gateway and tcp-gateway Gateways.
Note: static routes are fully supported in stunnerd via STATIC type clusters; the only missing piece is exposing this feature via the control plane.
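As an added illustration (not STUNner's own code, not the stunnerd STATIC cluster implementation, and not the StaticRoute CR schema itself), the Go snippet below models the peer-permission check that a static IP prefix list implies: a default-deny allow-list of CIDR prefixes, with a helper that flags a list which exposes every address, which is exactly the "public TURN server" configuration an operator should notice before applying it. The type and function names (`PrefixAllowList`, `NewPrefixAllowList`, `Permits`, `WideOpen`) and the sample prefixes are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// PrefixAllowList models the permission set that a StaticRoute-style backend
// would install for TURN peers: a list of IP prefixes, default-deny outside
// them. Illustrative type only; it is not STUNner's STATIC cluster code.
type PrefixAllowList struct {
	prefixes []netip.Prefix
}

// NewPrefixAllowList parses CIDR strings. A bare address is accepted as a
// single-host prefix (/32 or /128). Parse errors are returned rather than
// skipped, so a typo cannot silently widen or shrink the permitted set.
func NewPrefixAllowList(cidrs []string) (*PrefixAllowList, error) {
	al := &PrefixAllowList{}
	for _, s := range cidrs {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			addr, aerr := netip.ParseAddr(s)
			if aerr != nil {
				return nil, fmt.Errorf("invalid prefix %q: %w", s, err)
			}
			p = netip.PrefixFrom(addr, addr.BitLen())
		}
		// Masked() normalises host bits, e.g. 10.1.2.3/8 -> 10.0.0.0/8.
		al.prefixes = append(al.prefixes, p.Masked())
	}
	return al, nil
}

// Permits reports whether a TURN peer address may be reached. Unparsable
// input is denied. IPv4-mapped IPv6 addresses are unmapped first so that
// ::ffff:10.0.0.1 matches 10.0.0.0/8 (netip.Prefix.Contains would not
// match across address families otherwise).
func (al *PrefixAllowList) Permits(peer string) bool {
	addr, err := netip.ParseAddr(peer)
	if err != nil {
		return false
	}
	addr = addr.Unmap()
	for _, p := range al.prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// WideOpen reports whether any prefix has a zero-length mask (0.0.0.0/0 or
// ::/0), i.e. the list permits every peer of that family. A control plane
// exposing static routes could surface this as a warning, since it turns
// the deployment into a public relay for holders of a TURN credential.
func (al *PrefixAllowList) WideOpen() bool {
	for _, p := range al.prefixes {
		if p.Bits() == 0 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a restricted backend list (assumed values).
	restricted, err := NewPrefixAllowList([]string{"10.0.0.0/8", "192.168.1.10", "2001:db8::/32"})
	if err != nil {
		panic(err)
	}
	for _, peer := range []string{"10.20.30.40", "192.168.1.11", "::ffff:10.1.1.1", "2001:db8:1::5"} {
		fmt.Printf("restricted permits %-16s -> %v\n", peer, restricted.Permits(peer))
	}
	// Constructed sample: the "public TURN server" case.
	public, _ := NewPrefixAllowList([]string{"0.0.0.0/0", "::/0"})
	fmt.Printf("public list wide open: %v, permits 203.0.113.7: %v\n", public.WideOpen(), public.Permits("203.0.113.7"))
}
```

Keeping the check default-deny and failing on parse errors mirrors the intent stated in the issue: a TURN credential alone must never be sufficient to reach an arbitrary peer, and the only way to widen the set should be an explicit prefix the operator wrote down.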