thisismissem,
@thisismissem@hachyderm.io

Does anyone have good links for where I can learn a bit more about egress proxies? Particularly for Kubernetes?

Use-case: I need to request a lot of potentially large media from servers outside of my control (ones that exist on the fediverse), and I'd like to do this as safely as possible, without exposing anything internal to my network/cluster.

matdevdug,
@matdevdug@c.im

@thisismissem Possibly a dumb question. What is the concern that you are trying to address? That your cluster would establish contacts with IPs not in a specific range?

thisismissem,
@thisismissem@hachyderm.io

@matdevdug more that the URL received could be used to target internal resources

matdevdug,
@matdevdug@c.im

@thisismissem Ah I gotcha. So I use a service mesh for this. Basically you set up linkerd and set a policy of “this pod is allowed to talk to x y z”. https://linkerd.io/2.14/tasks/restricting-access/

You can also use Istio for this: https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/

Typically you have some sort of cut out. So like I’m receiving a ton of untrusted data on API route /foo. It routes to my service bar. Bar is allowed to talk to RabbitMQ. Another consuming service has a certificate signed to allow communication with rabbit but not directly from foo. All the core k8s APIs are protected.

thisismissem,
@thisismissem@hachyderm.io

@matdevdug hmm, but this is outbound traffic; basically I'm receiving untrusted media URLs, then downloading that media to a private S3 bucket

matdevdug,
@matdevdug@c.im

@thisismissem For sure but is the concern that you would receive a URL crafted to attempt to get information about your cluster? Or is the concern that you’d get a URL that resolves to a target you didn’t expect?

If 1, then Linkerd. If you know all the expected targets and want to restrict outbound traffic to those, Istio is what you want. Unfortunately k8s doesn’t have an API for egress baked in.
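As an added example (not code from either poster), an application-level check for the concern thisismissem describes, an untrusted media URL being used to reach internal resources: it resolves the host, rejects any record that is not a public unicast address (including IPv4-mapped IPv6 forms and the link-local metadata range), and returns the checked address so the HTTP client can pin it. The hostnames and addresses in the lookup table are constructed for offline use; this sits alongside, not instead of, the cluster egress policy discussed above.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table for offline use; hostnames and addresses are invented.
EXAMPLE_DNS = {
    "media.example": ["93.184.216.34"],
    "metadata.example": ["169.254.169.254"],            # cloud metadata range
    "mapped.example": ["::ffff:10.0.0.5"],               # IPv4-mapped IPv6 form
    "rebind.example": ["93.184.216.34", "127.0.0.1"],    # mixed record set
}

def example_resolver(host: str) -> list[str]:
    return EXAMPLE_DNS.get(host, [])

def system_resolver(host: str) -> list[str]:
    """Real lookup: every A/AAAA record, not just the first one."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_public(ip: ipaddress._BaseAddress) -> bool:
    # Unwrap ::ffff:a.b.c.d so the IPv4 ranges are what gets checked.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_outbound_url(url: str, resolver=system_resolver) -> str:
    """Validate an untrusted URL; return the one IP the fetch must connect to.

    Pinning the checked address (e.g. via a custom connector) closes the
    window in which DNS could change between validation and connection.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host, or credentials embedded in URL")
    addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError(f"{parts.hostname} did not resolve")
    for addr in addrs:                      # every record must pass
        if not is_public(ipaddress.ip_address(addr)):
            raise ValueError(f"{parts.hostname} resolves to non-public {addr}")
    return addrs[0]

def is_allowed(url: str, resolver=system_resolver) -> bool:
    try:
        check_outbound_url(url, resolver)
        return True
    except ValueError:
        return False
```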