[feature]: Dynamic IP Allowlists #85

Open
1 task done
fullykubed opened this issue Jul 25, 2024 · 0 comments

@fullykubed
Collaborator

Prior Search

  • I have already searched this project's issues to determine if a similar request has already been made.

What new functionality would you like to see?

Currently, we allow any IP to communicate with control plane utilities. We should implement an optional security enhancement that only allows communication from allowlisted IPs.

The allowed IPs should be sourced from (a) a static list defined in IaC, and (b) the user profiles defined in Authentik. This list should be continuously updated.

The following resources should be protected:

  • Kubernetes API server
  • Vault
  • Vault proxy
  • Grafana
  • Argo Web UI

Perhaps the AWS API should also be protected?

How would you use this new functionality?

This would add additional hardening that would prevent developer credentials from being used outside of their machines.

@fullykubed fullykubed added the feature A new feature request label Jul 25, 2024
@fullykubed fullykubed self-assigned this Jul 25, 2024
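
One way to compute the effective allowlist this request describes (a static list merged with per-user IPs and refreshed repeatedly), as an added example that is not code from this project. `STATIC` and `PROFILES` are constructed sample data, the per-user mapping is a hypothetical stand-in for whatever would be read from Authentik user profiles, and the minimum prefix lengths are an assumed policy.

```python
import ipaddress

# Assumed policy: refuse entries broader than these prefix lengths so a single
# bad profile value cannot open the control plane to a huge address range.
MIN_PREFIX = {4: 16, 6: 32}

def build_allowlist(static_cidrs, profile_ips):
    """Merge static CIDRs with per-user IPs into a minimal, validated list.

    Returns (networks, rejected); rejected holds (source, value, reason).
    """
    nets, rejected = [], []
    entries = [("static", c) for c in static_cidrs]
    entries += [(user, ip) for user, ips in profile_ips.items() for ip in ips]
    for source, value in entries:
        try:
            # strict=True rejects values with host bits set, e.g. 10.1.2.3/24
            net = ipaddress.ip_network(str(value).strip(), strict=True)
        except ValueError as exc:
            rejected.append((source, value, str(exc)))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((source, value, "prefix too broad"))
            continue
        nets.append(net)
    # collapse_addresses cannot mix IP versions, so collapse each separately.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)], rejected

def diff_allowlist(current, desired):
    """Return (to_add, to_remove) so each refresh applies only the changes."""
    cur, des = set(current), set(desired)
    return sorted(des - cur), sorted(cur - des)

# Constructed sample inputs (documentation address ranges).
STATIC = ["203.0.113.0/24", "198.51.100.7/32"]
PROFILES = {  # hypothetical shape: username -> IPs taken from the user profile
    "alice": ["203.0.113.45", "2001:db8::1"],
    "bob": ["0.0.0.0/0", "192.0.2.10"],
    "carol": ["not-an-ip"],
}

if __name__ == "__main__":
    allowed, rejected = build_allowlist(STATIC, PROFILES)
    print("allow:", allowed)
    print("rejected:", rejected)
```

Rejected entries are returned rather than silently dropped so the refresh job can log which profile supplied an invalid or overly broad value.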