Hi there,

I'm looking at the documentation surrounding configuring ingress controllers and wanted to get some clarification on the line:

There's been some discussion around adding this in prior issues:

I'm currently trying to resolve some issues with routing to rabbitmq running within our cluster and found that upgrading from k8s 1.20 to 1.21 knocked out connectivity. It was restored when I added an additional port config to the nginx-ingress daemonset (extraneous config removed for brevity):

Looking at the docs, the recommended resolution here is to enable hostNetwork: true in the RKE config. However, I'm uncertain if this is a secure choice. A quick search for docs around this yielded two relevant items, one from nginx themselves and another from OWASP.

Quoting OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html#continuously-assess-the-privileges-used-by-containers:

> The host network or process space should NOT be used - using hostNetwork: true will cause NetworkPolicies to be ignored since the Pod will use its host network

And from nginx - https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network:

> Enabling this option exposes every system daemon to the Ingress-Nginx Controller on any network interface, including the host's loopback. Please evaluate the impact this may have on the security of your system carefully

I'm not an expert in this area so I wanted to validate before proceeding. After all, the change made above does enable connectivity but maybe there's a more appropriate way to do it. Any guidance or clarification on this would be awesome. Please let me know if there's any additional context or information I can provide.

Thanks!
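
As an added example (not part of the original issue, and not code from RKE or ingress-nginx), this script audits workloads for the settings the two quoted warnings concern: host namespace sharing (hostNetwork, hostPID, hostIPC) and individual hostPort mappings. The sample objects, names and ports are constructed; real input would be a file saved from `kubectl get daemonsets,deployments,pods -A -o json`.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get ... -o json` output (assumed names and ports).
SAMPLE = {"kind": "List", "items": [
    {"kind": "DaemonSet", "metadata": {"namespace": "demo", "name": "ingress-hostnet"},
     "spec": {"template": {"spec": {"hostNetwork": True, "containers": [
         {"name": "controller", "ports": [{"containerPort": 80}]}]}}}},
    {"kind": "DaemonSet", "metadata": {"namespace": "demo", "name": "ingress-hostport"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "controller", "ports": [
             {"containerPort": 80, "hostPort": 80},
             {"containerPort": 5672, "hostPort": 5672}]}]}}}},
    {"kind": "Deployment", "metadata": {"namespace": "demo", "name": "app"},
     "spec": {"template": {"spec": {"containers": [{"name": "app"}]}}}},
]}

HOST_NAMESPACE_FLAGS = ("hostNetwork", "hostPID", "hostIPC")

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload that embeds a pod template."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})

def audit(obj):
    """Return (host namespace flags set to true, [(container, hostPort, protocol)])."""
    spec = pod_spec(obj)
    flags = [f for f in HOST_NAMESPACE_FLAGS if spec.get(f) is True]
    ports = [(c["name"], p["hostPort"], p.get("protocol", "TCP"))
             for c in spec.get("containers", []) + spec.get("initContainers", [])
             for p in c.get("ports", []) if p.get("hostPort")]
    return flags, ports

def findings(doc):
    """Map kind/namespace/name to its findings, skipping workloads with none."""
    out = {}
    for obj in doc.get("items", [doc]):
        flags, ports = audit(obj)
        if flags or ports:
            meta = obj["metadata"]
            key = f'{obj["kind"]}/{meta.get("namespace", "default")}/{meta["name"]}'
            out[key] = {"host_namespaces": flags, "host_ports": ports}
    return out

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, result in findings(doc).items():
        print(name, result)
```

A workload reported under `host_namespaces` with `hostNetwork` is the case both quotes warn about; one reported only under `host_ports` shows which specific node ports it maps.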