Are there any recommendations for running all or part of an IBM Cloud Private cluster in a DMZ? I didn't find anything in the documentation or on Stack Overflow.
2 Answers
I wouldn't do it.
tl;dr
I think it's obvious why one wouldn't run the Master or Management Nodes in the DMZ; they aren't edge hardened (really none of it is... yes yes there are some images made to be hardened.. yada... yada... why?) and have APIs and member-to-member traffic that, although it's SSL, there are ways given time and exposure... The IT Martha Stewart in me says "IPSec VPN for cluster members is a good thing." Also, if one has worker or proxy cluster members in the DMZ, really, it's sort of the same problem. Kubernetes clusters (ICP included) aren't bulletproof... or even bullet resistant. They need a gateway of some kind, for sure, unless it's just a toy. Put your gateway where it belongs, in the DMZ; it should be built to run there (DataPower XG45 or XI52 are a great example IMO). Protect your cluster members from direct access of any kind that's not routed through the gateway, etc. etc.
HTH
https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/

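One way to enforce the "no direct access except through the gateway" rule inside the cluster, as an added example that is not from the answer above or from IBM: a pair of Kubernetes NetworkPolicy objects that first deny all ingress to the application namespace and then allow only traffic originating from the gateway/proxy namespace. The namespace name `app`, the pod label `app: web`, the namespace label `role: gateway` and port 8443 are assumptions.

```yaml
# Added example; names and labels below are assumptions, not ICP defaults.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: app
spec:
  podSelector: {}          # selects every pod in the "app" namespace
  policyTypes:
  - Ingress                # no ingress rules listed => all inbound traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-gateway-only
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: web             # the workload the DMZ gateway fronts
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: gateway    # only pods in the gateway namespace may connect
    ports:
    - protocol: TCP
      port: 8443           # the single port the gateway is expected to use
```

NetworkPolicy is only enforced by a network plugin that implements it (such as Calico) and governs pod-to-pod traffic; node-level exposure of the workers themselves (SSH, kubelet, node ports) still has to be closed off with host firewalling or the VPN the answer describes.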
Please take a look at the ICP architecture.
I think if you want to expose your services, you would think about the proxy part of it.
See the architecture link: https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.2/getting_started/architecture.html
