Code Review / aaf / cadi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 16b2d4d)
Route Incoming TCP Traffic Via the Reverse Proxy 02/71402/1
authorIanB <IanB@amdocs.com>
Mon, 29 Oct 2018 15:05:30 +0000 (15:05 +0000)
committerIanB <IanB@amdocs.com>
Mon, 29 Oct 2018 15:31:48 +0000 (15:31 +0000)
By default any container is accessible from any pod inside
a Kubernetes cluster. It is therefore possible to send requests
directly to the primary microservice even if sidecar security
is enabled.

An additional netfilter rule will redirect any incoming TCP
requests to the Reverse Proxy. The Reverse Proxy service
listens on the hard coded port (10692)

Issue-ID: AAF-591

Change-Id: I9afccadb08add4312cef770221702942d811cbdd
Signed-off-by: IanB <IanB@amdocs.com>
sidecar/tproxy-config/src/main/bin/start.sh patch | blob | history

diff --git a/sidecar/tproxy-config/src/main/bin/start.sh b/sidecar/tproxy-config/src/main/bin/start.sh
index 758a910..054be93 100644 (file)
--- a/sidecar/tproxy-config/src/main/bin/start.sh
+++ b/sidecar/tproxy-config/src/main/bin/start.sh
@@ -22,6 +22,8 @@
 set -x
 set -eo pipefail
 
+iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-port 10692
+
 iptables -t nat -A OUTPUT -p tcp -j ACCEPT -s 127.0.0.1 --dport 61647
 iptables -t nat -A OUTPUT -p tcp -j ACCEPT --dport 9042
 iptables -t nat -A OUTPUT -p tcp -j ACCEPT --dport 9160
ARCHIVED- 2022-02-15 at the request of the project