siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

Add `cluster.network.podSubnets` to default-allow ruleset of ingress firewall #8945

Open TimJones opened 3 months ago

TimJones commented 3 months ago

Feature Request

Description

Currently podA on nodeA can access any network service on nodeB if KubeSpan is enabled, but podB on nodeB cannot since the source is no longer the KubeSpan network, but the real podB IP address which will reside in the cluster.network.podSubnets CIDR(s).

Since using the Talos Ingress Firewall in block mode explicitly whitelists traffic over the KubeSpan network, it makes sense to me to also include the cluster.network.podSubnets in the same whitelist.

smira commented 3 months ago

I'm torn on this one - on one hand it makes sense, but on the other hand it feels like just matching by source address is not a secure by default option, as the packet might come even from an external interface and have a pod IP source address.

So there's no technical issue to implement it to work this way, but is there a better alternative? idk

TimJones commented 3 months ago

Good point, I hadn't thought about the source IP matching from any external source. There isn't a guaranteed source interface either like we have with KubeSpan :/
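A narrower alternative to a blanket default-allow for the whole pod subnet, as an added example that is not part of the issue or of the Talos code base: with the ingress firewall in block mode (the setup described in the first comment), an explicit NetworkRuleConfig admits pod-subnet sources only toward one port, so the source-address match smira is wary of is at least scoped to a single service rather than every port on the node. The pod subnet and the port are constructed placeholders.

```yaml
# Added example, not from the issue or the Talos project.
# Values below are constructed placeholders; substitute the real
# cluster.network.podSubnets CIDR(s) and the service port you need.
apiVersion: v1alpha1
kind: NetworkDefaultActionConfig
ingress: block                # block mode, as in the feature request
---
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: pods-to-kubelet         # admit pod-network sources to the kubelet only
portSelector:
  ports:
    - 10250                   # kubelet API; one port, not the whole node
  protocol: tcp
ingress:
  - subnet: 10.244.0.0/16     # assumed cluster.network.podSubnets value
```

Because the rule still matches on source address alone, a packet arriving on an external interface with a forged pod-subnet source would also be admitted to that port; limiting the rule to the ports that actually need pod-to-node access keeps that exposure small.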