Provide overview of egress endpoints

[tomkerkhove]

Provide overview of egress endpoints that cluster operators should be aware of and allow.

[tomkerkhove]

@kedacore/keda-maintainers Do you have an idea of the endpoints that should be allowed for egress?

[JorTurFer]

What do you want to achieve? I mean, is this to allow the traffic in network policies or similar?
If yes, it depends on the scaler specifically , maybe we could add a section on every scaler explaining that. In some cases are defined (ex Azure or AWS, etc) and in other cases are user defined (sql servers, prometheus, etc)

[tomkerkhove]

What do you want to achieve? I mean, is this to allow the traffic in network policies or similar?

Some end-users or cloud providers lock down the services they can consume from within a cluster. Depending on the scaler that is being used, that can mean that our scalers will fail because of it.

Examples:

• https://docs.openshift.com/container-platform/4.9/networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.html
• https://projectcalico.docs.tigera.io/about/about-kubernetes-egress
• https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic#background

If yes, it depends on the scaler specifically , maybe we could add a section on every scaler explaining that. In some cases are defined (ex Azure or AWS, etc) and in other cases are user defined (sql servers, prometheus, etc)

Yes, that's what I was thinking as well.

[JorTurFer]

Sounds totally reasonable. My concert here is how to maintain up to date the external vendors' endpoint, but maybe we could point to their specific documentation in case of existing 🤔
But I think this is a fantastic idea from security pov

[tomkerkhove]

Yes, I'd use links to their official documentation so that people have guidance on it and make it a "requirement" for new scaler docs to include them.

[tomkerkhove]

The only question I have is, do we:

• Add it to every individual scaler doc page, or
• Provide a dedicated overview in Operate

I'm leaning towards the latter as the audience for our scaler pages are different from the Operate where cluster admins will not go through all scaler pages.

[JorTurFer]

Maybe we could add a section in Operate saying that each scaler has its own info. Basically because having the info closest to the scaler could be more useful to check/maintain it
WDYT?

[tomkerkhove]

What if the cluster admin doesn't know what scalers are being used or wants to allow all of them?

[JorTurFer]

Could we generate a summary in base of scaler automatically? 🤔

[tomkerkhove]

I think the main question is, who's the audience? Do devs care about this? I doubt it, to be honest.

We can add a link to the operate page in every scaler doc as well :)

[JorTurFer]

That's another option 😄

[arschles]

We can add a link to the operate page in every scaler doc as well :)

Seems like the best way to get started IMO