tapis-project / pods_service

Network Accessible Pods API.
https://tapis.readthedocs.io/en/latest/technical/pods.html
BSD 3-Clause "New" or "Revised" License

KG 0.35 - Need to isolate pods from network sans their open ports. #16

Open NotChristianGarcia opened 2 years ago

NotChristianGarcia commented 2 years ago

Currently I believe arbitrary code can do basically anything to our cluster. Isolation via namespace does work, but in that case we need to move spawner into its own namespace (pods can still talk to each other though).

Note: This is also important for Abaco.

NotChristianGarcia commented 2 years ago

There's a network plugin that might be useful? (requires a plugin though) https://www.qovery.com/blog/basic-network-isolation-in-kubernetes

Also mention of a networking sidecar, that could be useful instead.
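
An added example, not part of the thread and not the project's code: one way to express "isolated except for open ports" as a Kubernetes NetworkPolicy generated per pod, which takes effect only when the cluster's network plugin enforces NetworkPolicy. The `app` label, the `pods-workloads` namespace, the pod name and the TCP-only ports are assumptions made for illustration.

```python
import json


def pod_network_policy(pod_name, namespace, open_ports, allow_dns=False):
    """Build a NetworkPolicy manifest (plain dict) for one pod.

    Assumption: the pod carries a hypothetical label `app: <pod_name>`.
    """
    for port in open_ports:
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"invalid port: {port!r}")
    ports = [{"protocol": "TCP", "port": p} for p in sorted(set(open_ports))]

    # A rule with `ports` but no `from` admits any source on those ports only.
    # A rule with an empty `ports` list would admit every port, so a pod with
    # no open ports gets an empty rule list instead (deny all inbound).
    ingress = [{"ports": ports}] if ports else []

    # Listing Egress in policyTypes with no rules denies all outbound traffic.
    egress = []
    if allow_dns:
        # No `to` selector: DNS is allowed to any destination on port 53.
        egress.append({"ports": [{"protocol": "UDP", "port": 53},
                                 {"protocol": "TCP", "port": 53}]})

    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"isolate-{pod_name}", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": pod_name}},
            "policyTypes": ["Ingress", "Egress"],
            "ingress": ingress,
            "egress": egress,
        },
    }


if __name__ == "__main__":
    # Constructed sample values; `kubectl apply -f` accepts JSON manifests.
    print(json.dumps(pod_network_policy("mypod", "pods-workloads", [5000]), indent=2))
```

Because the policy selects one pod and lists both policy types, pods in the same namespace cannot reach each other except on the declared ports.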