Design for appliance to have multiple NICs

vmware / vic-product

vSphere Integrated Containers enables VMware customers to deliver a production-ready container solution to their developers and DevOps teams.

https://vmware.github.io/vic-product/

Other

177 stars 92 forks source link

Design for appliance to have multiple NICs #940

Open andrewtchin opened 6 years ago

andrewtchin commented 6 years ago

User Statement:

As a vSphere admin I want to segregate client and management traffic for the VIC Appliance.

Details:

Add additional NIC
Determine what work needs to be done
Explore security and networking considerations
What configuration happens during deploy and how do we determine which NIC is for management vs client traffic?

Acceptance Criteria:

[ ] Design doc created
[ ] Stories created

andrewtchin commented 6 years ago

Management:

vic-machine-server (8443)
fileserver/getting started page (80/9443)
management/admiral (8282)

Client:

fileserver/getting started page (80/9443)
registry/harbor (443/4443)
management/admiral (8282)

iptables

default DROP
disable forwarding
ACCEPT for listening services
ACCEPT for established

TODO investigate Docker/iptables requirements

enascvm commented 6 years ago

The additional iptables configuration requirement needed is to block traffic forwarding from one interface to the other. This can be implemented in a similar way as the DOCKER-ISOLATION iptables chain, i.e., one rule to drop forwarding from client net -> mgmt net and another for mgmt net -> client net.

zjs commented 5 years ago

As part of this design, we should consider whether a third interface is needed for public network connectivity to allow outbound connections from Harbor.