Just going back to the original question of internal vs. external apps running on
the same cluster but with separate pod placement using node selector/region and zone.
Remember, although it is the same cluster, internal and external nodes will be
running in their own network subnets. We might need to open the required ports
for OpenShift nodes to talk to each other and to the master.

As per our Infosec policy, internal apps shouldn't talk to external or vice
versa. That is the reason we physically separate them using network ACLs and
allow only the required ports.

The question here is, since the OpenShift SDN is common across nodes, I am thinking
any pod can communicate with other pods or apps if they want.

How do we provide strict isolation in this case to satisfy our infosec
requirement? We really don't want to have separate cluster installations for
internal and external just to satisfy this requirement, as it increases the API
endpoints.

I know there is VNID, which we can turn on. This provides SDN-level isolation
between projects. This is somewhat better, but there is a chance a client can
have internal and external apps in the same project.

Along with VNID, we can ask our clients to have separate projects for internal
and external. This can be done, but I am not sure that is the right approach and
provides benefits.

What are your thoughts on strict isolation in this scenario? Any security
compromise of an external app will have direct access to internal nodes as well;
although they are running on a separate subnet, at the OpenShift SDN level they
can talk to each other?


-- 
Srinivas Kotaru

On 1/8/16, 12:54 PM, "[email protected] on behalf of 
Clayton Coleman" <[email protected] on behalf of 
[email protected]> wrote:

>All of the support for this is in 1.1 except allowing each router to
>have its own wildcard domain - once that's you can target regions with
>different routers easily.
>
>> On Jan 8, 2016, at 3:41 PM, Brenton Leanhardt <[email protected]> wrote:
>>
>> On Fri, Jan 8, 2016 at 3:17 PM, Diego Spinola Castro
>> <[email protected]> wrote:
>>> What about routes, are the routers smart enough to match service routes
>>> based on a label?
>>> Imagine having nodes spread across continents; the routing layer should
>>> follow those rules?
>>
>> We're working on router sharding right now actually:
>>
>> https://trello.com/c/DtPlixdb/49-8-router-sharding-traffic-ingress
>>
>> One feature of that card will allow you to have a router in a namespace
>> and assign it a label selector for it to monitor.
>>
>>>
>>> 2016-01-08 17:03 GMT-03:00 Brenton Leanhardt <[email protected]>:
>>>>
>>>> On Fri, Jan 8, 2016 at 12:53 PM, Srinivas Naga Kotaru (skotaru)
>>>> <[email protected]> wrote:
>>>>> Can we span cluster nodes across 2 physical subnets?
>>>>>
>>>>> The reason I am asking is that we have a few data centers and each data
>>>>> center hosts internal and external apps. Nodes hosting internal apps
>>>>> reside in a different subnet than external nodes. External nodes reside
>>>>> in a separate protected network.
>>>>>
>>>>> As usual, the internal nodes/subnet is more relaxed compared to the
>>>>> protected network while talking to internal resources. The external
>>>>> network needs explicit ACLs to open to connect to the same resources.
>>>>>
>>>>> We decided to install a dedicated cluster installation per data center.
>>>>> The question that remains is, can we use this single install to host
>>>>> both internal and external apps by using the regions/zones and node
>>>>> selector feature? This way we can designate a few nodes as internal and
>>>>> a few as external, similar to the OSE 2.X node profile, by separating
>>>>> nodes?
>>>>
>>>> The scheduler in 3.x is much more powerful than what could be done
>>>> with node profiles out of the box in 2.x:
>>>>
>>>>
>>>> https://docs.openshift.com/enterprise/3.1/admin_guide/scheduler.html#sample-policy-configurations
>>>>
>>>> You would likely want to use MatchNodeSelector.  In addition you'll
>>>> likely find the affinity and anti-affinity support very useful for
>>>> ensuring work is scheduled properly across availability zones.
>>>>
>>>>
>>>>>
>>>>> Will it create any issues due to the SDN? The SDN will be a single
>>>>> network, possibly shared by both internal and external apps, but this
>>>>> SDN is private and I am thinking it doesn't pose any security issues?
>>>>> If required we can still use the VNID option to further isolate project
>>>>> traffic by creating separate projects for internal and external apps?
>>>>>
>>>>> We can install separate cluster installations for internal and external
>>>>> to get full clean isolation, but it is further complex and doubles the
>>>>> multiple API endpoints along with per-data-center API endpoints.
>>>>>
>>>>> Is my understanding correct or am I missing anything in this whole
>>>>> picture?
>>>>>
>>>>>
>>>>> Srinivas Kotaru
>>>>>

_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
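A check for the isolation this thread is asking about, added here as an example; it is not code from the mailing list or from the OpenShift project. It reads node, pod, project and NetNamespace objects (constructed sample data below, shaped like the JSON that `oc get nodes -o json`, `oc get pods --all-namespaces -o json`, `oc get projects -o json` and `oc get netnamespaces -o json` return) and reports any project that is not pinned to one tier through its `openshift.io/node-selector` default node selector, any pod actually running on a node of the other tier, and, with the multitenant SDN plugin, any VNID (netid) shared by an internal and an external project. The `region` label with values `internal` and `external`, the project and node names, and the netids are assumptions made for the sample.

```python
"""
Audit a single OpenShift cluster for internal/external tier separation.

Three checks: every project is pinned to one tier by its default node selector,
every pod runs on a node of that tier, and (multitenant SDN) no VNID/netid is
shared across tiers.  The sample objects below are constructed; in practice
they are the JSON from `oc get nodes/pods/projects/netnamespaces -o json`.
"""
import json
import sys

TIER_LABEL = "region"                          # assumed node label carrying the tier
TIERS = {"internal", "external"}
PIN_ANNOTATION = "openshift.io/node-selector"  # project default node selector

# Constructed sample objects, shaped like what `oc get ... -o json` returns.
NODES = {"items": [
    {"metadata": {"name": "node-int-1", "labels": {"region": "internal", "zone": "dc1"}}},
    {"metadata": {"name": "node-ext-1", "labels": {"region": "external", "zone": "dc1"}}},
    {"metadata": {"name": "node-plain", "labels": {"zone": "dc1"}}},      # no tier label
]}
PROJECTS = {"items": [
    {"metadata": {"name": "billing-int", "annotations": {PIN_ANNOTATION: "region=internal"}}},
    {"metadata": {"name": "portal-ext", "annotations": {PIN_ANNOTATION: "region=external"}}},
    {"metadata": {"name": "sandbox", "annotations": {}}},                 # not pinned
]}
PODS = {"items": [
    {"metadata": {"name": "billing-1", "namespace": "billing-int"}, "spec": {"nodeName": "node-int-1"}},
    {"metadata": {"name": "portal-1", "namespace": "portal-ext"}, "spec": {"nodeName": "node-ext-1"}},
    {"metadata": {"name": "portal-2", "namespace": "portal-ext"}, "spec": {"nodeName": "node-int-1"}},
    {"metadata": {"name": "sandbox-1", "namespace": "sandbox"}, "spec": {"nodeName": "node-plain"}},
]}
NETNAMESPACES = {"items": [               # multitenant plugin: netid is the VNID
    {"netname": "default", "netid": 0},
    {"netname": "billing-int", "netid": 10},
    {"netname": "portal-ext", "netid": 10},  # joined to an internal project
    {"netname": "sandbox", "netid": 11},
]}


def parse_selector(selector):
    """'region=internal,zone=dc1' -> {'region': 'internal', 'zone': 'dc1'}."""
    out = {}
    for part in selector.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def project_tiers(projects):
    """Project name -> tier its default node selector pins it to, or None."""
    tiers = {}
    for proj in projects["items"]:
        annotations = proj["metadata"].get("annotations") or {}
        tier = parse_selector(annotations.get(PIN_ANNOTATION, "")).get(TIER_LABEL)
        tiers[proj["metadata"]["name"]] = tier if tier in TIERS else None
    return tiers


def node_tiers(nodes):
    """Node name -> value of its tier label, or None."""
    return {n["metadata"]["name"]: (n["metadata"].get("labels") or {}).get(TIER_LABEL)
            for n in nodes["items"]}


def audit(nodes, pods, projects, netnamespaces):
    """Return (kind, subject, detail) findings; an empty list means the tiers hold."""
    findings = []
    ptier = project_tiers(projects)
    ntier = node_tiers(nodes)

    for name, tier in ptier.items():
        if tier is None:
            findings.append(("unpinned-project", name,
                             f"no {PIN_ANNOTATION} selecting one of {sorted(TIERS)}"))
    for name, tier in ntier.items():
        if tier not in TIERS:
            findings.append(("unlabeled-node", name, f"no usable {TIER_LABEL} label"))

    # Placement: the node a pod landed on must carry the tier its project is pinned to.
    for pod in pods["items"]:
        ns = pod["metadata"]["namespace"]
        node = pod["spec"].get("nodeName")
        want, have = ptier.get(ns), ntier.get(node)
        if want is not None and have != want:
            findings.append(("pod-on-wrong-tier", f"{ns}/{pod['metadata']['name']}",
                             f"project is {want} but pod runs on {node} ({have or 'no tier'})"))

    # SDN: projects with the same netid share a VNID and can reach each other.
    members = {}
    for nn in netnamespaces["items"]:
        members.setdefault(nn["netid"], set()).add(nn["netname"])
    for netid, names in members.items():
        tiers = {ptier.get(n) for n in names}
        if netid == 0 and any(t is not None for t in tiers):
            findings.append(("shared-vnid", str(netid),
                             f"tiered project on the global VNID: {sorted(names)}"))
        elif len(names) > 1 and len(tiers) > 1:
            findings.append(("shared-vnid", str(netid),
                             f"projects of different tiers share a VNID: {sorted(names)}"))
    return findings


if __name__ == "__main__":
    # Usage: python audit.py [nodes.json pods.json projects.json netnamespaces.json]
    if len(sys.argv) == 5:
        args = [json.load(open(path)) for path in sys.argv[1:]]
    else:
        args = [NODES, PODS, PROJECTS, NETNAMESPACES]
    for kind, subject, detail in audit(*args):
        print(f"{kind:18} {subject:28} {detail}")
```

Run without arguments it audits the sample and reports four findings (an unpinned project, a node without a tier label, an external pod on an internal node, and a VNID shared across tiers); pass the four JSON dumps to audit a real cluster. The VNID check is only meaningful once the multitenant SDN plugin is enabled; with the default plugin every project is on one flat network, which is exactly the situation the question describes, and the placement checks alone do not stop pod-to-pod traffic between the tiers.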
