Bug 1467802 - [RFE] Deny egress connections to nodes from pods (except DNS traffic)
Summary: [RFE] Deny egress connections to nodes from pods (except DNS traffic)
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.4.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Eric Paris
QA Contact: Xiaoli Tian
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-07-05 08:09 UTC by Carsten Lichy-Bittendorf
Modified: 2019-06-12 11:57 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-12 11:57:20 UTC
Target Upstream Version:
Embargoed:



Description Carsten Lichy-Bittendorf 2017-07-05 08:09:45 UTC
Proposed title of this feature request
 - Deny egress connections to nodes from pods (except DNS traffic)

Who is the customer behind the request?
 -    Account: name (acct #): La Poste - 5366280
 -    TAM customer: yes

What is the nature and description of the request?
 - the customer would like to protect nodes from potentially malicious attacks from pods
 - today, connections from pods to nodes are mandatory due to DNS traffic (the DNS feature is implemented by DNSMASQ on each node)
 - today, EgressNetworkPolicy rules are limited to IP only, which requires the customer to allow all traffic to the nodes (and not only DNS traffic)

Why does the customer need this? (List the business requirements here)
 - to meet security requirements

How would the customer like to achieve this? (List the functional requirements here)
 - by an enhancement of the EgressNetworkPolicy to allow implicit DNS traffic (port 53) to nodes.

For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
 - configure an EgressNetworkPolicy without allowing traffic to nodes (just Deny on cidrSelector: 0.0.0.0/0) and try DNS resolution in pods.

Is there already an existing RFE upstream or in Red Hat Bugzilla?
 - None found so far

Does the customer have any specific time-line dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
 - ASAP

Is the sales team involved in this request and do they have any additional input?
 - Sales is looped in, so no further input.

List any affected packages or components.
 - EgressNetworkPolicy

Would the customer be able to assist in testing this functionality if implemented?
 - yes
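The policy the customer has to write today under the limitation described above, as an added illustration that is not part of the bug report; the node subnet 10.0.1.0/24 is an assumed placeholder.

```yaml
# Added example, not from the bug report. Assumed value: the nodes live
# in 10.0.1.0/24. EgressNetworkPolicy in OpenShift 3.x matches only on
# the destination cidrSelector; there is no port field, so DNS (port 53)
# to the node-local dnsmasq cannot be singled out. Rules are evaluated
# in order and the first match wins.
apiVersion: v1            # network.openshift.io/v1 on newer 3.x releases
kind: EgressNetworkPolicy
metadata:
  name: default
spec:
  egress:
  # Today's workaround: the whole node subnet must be allowed, which
  # permits every port on the nodes, not just DNS.
  - type: Allow
    to:
      cidrSelector: 10.0.1.0/24
  # What the RFE asks to be sufficient on its own: deny everything else,
  # with DNS to the nodes implicitly permitted.
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
```

With the Allow rule removed, name resolution from a pod in the project fails, which is the test step the report describes.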

Comment 4 Kirsten Newcomer 2019-06-12 11:57:20 UTC
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed.

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progresses within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.
