# general
q
What are your ultimate objectives?
I ask because maybe you install NeuVector, let it see and learn the rule, have a beer.
(The beer is for you, not the computers)
n
We want to be able to open certain ports, say 3306, to external traffic, on a dynamic, per-container basis
q
Interesting. What is driving or operating the dynamic part?
n
I was thinking a mutating webhook which evaluates eligibility based on a database query (details unimportant) would set a selector, and the Network Policy could apply only to targets with that selector.
I'm a Rancher and kubernetes newb so I don't know if what I'm talking about is stupidly hard, trivial and already done, etc. I'm just on a fact-finding mission
q
Would the ports change and or be random?
n
On the container or LB or whatever? No
q
Or is it more like when certain conditions are satisfied, certain containers are allowed to communicate over particular protocols?
n
Yeah, that second thing.
It's all TCP. Just a matter of port.
q
Gotcha
Sounds like a pretty cool idea.
n
We want to do some due diligence around what might get exposed to the outside world, and then let the port open when we've confirmed the service has adequate security measures.
q
I’d like to think that neuvector would be a perfect tool for that.
n
Oh really? How so? I'm supposed to evaluate NeuVector at some point anyway
q
If I weren't outside barbecuing meat right now, I would sit down at my computer and try to hack it out for you. 😉
n
Hah, well, get back to that meat. 😂
q
But in my mind, imagining one or more existing network, and maybe even process rules, that you then could just flip on or off with an API call
n
Let's chat next week maybe by DM or in #neuvector-security?