Isolate kubernetes-dashboard from all pods but traefik; Solve #993 (!272) · Merge requests · kaapana / kaapana

Lorenz Feineis requested to merge hotfix/enable-rbac into develop Jan 16, 2024

THIS IS A HOTFIX FORKED FROM MASTER! DO NOT REBASE ONTOP OF DEVELOP!

The kubernetes-dashboard was accessible via http from all pods. Since the kubernetes-dashboard is just a proxy to the kubernetes API, this allowed access to modify all resources in the cluster.

I included network policies to only allow ingress from pods with the label app: traefik. Ingress from traefik must be allowed to use the Kubernetes UI in the browser.

The egress network policy is necessary such that the kubernetes-dashboard can communicate with the kube-apiserver.

Isolate kubernetes-dashboard from all pods but traefik; Solve #993

Merge request reports