Restrict access to the kube-proxy to local pod connections only #516

Merged: 4 commits, Mar 4, 2024

donatwork
Description

This PR consists of three items:

  1. Restrict the access of the kube-proxy port to only connections within the client pod.
  2. Update cert-persister version to the latest build and what we are testing now.
  3. Set image pull policy to reduce image downloads.

GitHub Issues

GitHub Issue #: 1029

Checklist:

  • I have performed a self-review of my own code to ensure there are no formatting, vetting, linting, or security issues
  • [X] I have verified that new and existing unit tests pass locally with my changes
  • I have not allowed coverage numbers to degenerate
  • I have maintained at least 90% code coverage
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • I have maintained backward compatibility

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

  1. Deployed the client and validated that the access to the proxy from outside the pod, within the cluster, is blocked. The service is not exported outside the cluster.
  2. Onboarded the cluster and validated that the discovery of the cluster objects was successful, including newly created objects. Checked the client pod logs to validate that incoming watcher connections are being established.
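
One way to check test step 1 from the socket table rather than by probing, as an added example that is not part of this PR or the project's code: it parses `/proc/net/tcp`-format text and reports any non-loopback address on which the proxy port is listening. The port 8001 and the sample rows are constructed for illustration, and little-endian hosts are assumed.

```python
import ipaddress
import struct

LISTEN = "0A"  # state code for a listening socket in /proc/net/tcp

# Constructed samples; port 8001 (0x1F41) is an assumed proxy port, not from the PR.
HDR = "  sl  local_address rem_address   st tx_queue rx_queue\n"
BEFORE = HDR + "   0: 00000000:1F41 00000000:0000 0A 00000000:00000000\n"
AFTER = (HDR + "   0: 0100007F:1F41 00000000:0000 0A 00000000:00000000\n"
         "   1: 0100007F:1F41 0100007F:C350 01 00000000:00000000\n")


def decode_addr(hex_addr):
    """Decode a /proc/net/tcp{,6} address: 32-bit words in host byte order
    (little-endian assumed here, as on x86-64 and arm64 nodes)."""
    raw = bytes.fromhex(hex_addr)
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    addr = ipaddress.ip_address(struct.pack(">%dI" % len(words), *words))
    # Treat ::ffff:127.0.0.1 the same as 127.0.0.1.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr


def exposed_listeners(proc_net_text, port):
    """Return the non-loopback addresses on which `port` is listening."""
    exposed = []
    for line in proc_net_text.splitlines():
        fields = line.split()
        # Skip the header row and every socket that is not in LISTEN state.
        if len(fields) < 4 or ":" not in fields[1] or fields[3] != LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        addr = decode_addr(hex_addr)
        if not addr.is_loopback:
            exposed.append(str(addr))
    return exposed


if __name__ == "__main__":
    print("all interfaces:", exposed_listeners(BEFORE, 8001))  # ['0.0.0.0']
    print("loopback only: ", exposed_listeners(AFTER, 8001))   # []
```

Feed it the contents of `/proc/net/tcp` and `/proc/net/tcp6` read inside the client pod; containers in one pod share a network namespace, so any container in the pod shows the same listener table.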

@jooseppi-luna jooseppi-luna left a comment

lgtm

@donatwork donatwork merged commit f269388 into main Mar 4, 2024
8 checks passed
@donatwork donatwork deleted the bug-apexclient-access branch March 4, 2024 15:42
ChristianAtDell added a commit that referenced this pull request Oct 15, 2024
* Restrict apex client network access to localhost.
* Update image pull policy.
* Update cert-persister to latest image.
---------
Co-authored-by: Jooseppi Luna <jooseppi_luna@dell.com>