Add utility to log&ban IPs #337

Open
sirdarckcat opened this issue Jul 19, 2021 · 2 comments
Comments

@sirdarckcat
Member

We can't ban IPs on TCP tasks because the Load Balancer terminates the TCP connections for us. So while we can limit (to some degree) the traffic we receive, we don't have enough visibility to know where the traffic comes from.

To make that work we need to enable https://cloud.google.com/load-balancing/docs/tcp/setting-up-tcp#proxy-protocol

This could be a simple container that just forwards packets internally and logs IPs. Blocking can be done as NetPol rules.
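The forwarding container sketched above has to do one thing precisely: strip the PROXY protocol line the load balancer prepends to each TCP stream, log the client address from it, and hand the untouched task bytes to the backend. The following is an added example of that front, not code from the project or from the issue author. It assumes the load balancer is sending PROXY protocol v1 text headers, that the task listens on the `backend` address passed in, and that the denylist is a list of IPs or CIDRs; the names `parse_proxy_v1`, `is_banned`, `classify` and `handle` are this example's own.

```python
"""PROXY protocol v1 front for a TCP task: recover the client address the
load balancer prepends, log it, drop banned sources, relay everything else.
Added example; the denylist format (IPs or CIDRs) is this example's assumption."""
import ipaddress
import logging
import socket
import threading
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

log = logging.getLogger("proxy-front")

MAX_V1_HEADER = 107  # longest legal v1 line, CRLF included, per the PROXY protocol spec


@dataclass
class ProxyInfo:
    family: str      # "TCP4" or "TCP6"
    src_ip: str      # the client address the load balancer saw
    src_port: int
    dst_ip: str
    dst_port: int


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Parse the PROXY v1 line at the start of `data`.

    Returns (info, remaining bytes); info is None for the "PROXY UNKNOWN" form.
    Raises ValueError when no well-formed header is present, so a stream that
    did not come through the load balancer is never mistaken for a proxied one.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no PROXY v1 header within the first 107 bytes")
    parts = data[:end].split(b" ")
    rest = data[end + 2:]
    if parts[0] != b"PROXY":
        raise ValueError("missing PROXY signature")
    if len(parts) >= 2 and parts[1] == b"UNKNOWN":
        return None, rest
    if len(parts) != 6 or parts[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("malformed PROXY v1 header")
    family = parts[1].decode("ascii")
    src_ip = ipaddress.ip_address(parts[2].decode("ascii"))
    dst_ip = ipaddress.ip_address(parts[3].decode("ascii"))
    want = 4 if family == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match the TCP4/TCP6 tag")
    src_port, dst_port = int(parts[4]), int(parts[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(family, str(src_ip), src_port, str(dst_ip), dst_port), rest


def is_banned(ip: str, denylist: Iterable[str]) -> bool:
    """True if ip falls inside any denylist entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in denylist)


def classify(first_bytes: bytes, denylist: Iterable[str]) -> str:
    """Verdict for the opening bytes of a connection: 'invalid', 'banned' or 'allowed'."""
    try:
        info, _ = parse_proxy_v1(first_bytes)
    except ValueError:
        return "invalid"
    if info is not None and is_banned(info.src_ip, denylist):
        return "banned"
    return "allowed"


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF or error, then shut both sides down."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle(client: socket.socket, backend: Tuple[str, int], denylist: Iterable[str]) -> None:
    """Serve one accepted connection: log the real client, close banned sources,
    relay the rest. The spec requires the sender to emit the whole header in one
    segment, so one read bounded to the maximum header length is enough."""
    first = client.recv(MAX_V1_HEADER)
    try:
        info, payload = parse_proxy_v1(first)
    except ValueError as exc:
        log.warning("%s from %s, closing", exc, client.getpeername())
        client.close()
        return
    src = f"{info.src_ip}:{info.src_port}" if info else "unknown"
    if info is not None and is_banned(info.src_ip, denylist):
        log.info("drop banned src=%s", src)
        client.close()
        return
    log.info("accept src=%s", src)
    upstream = socket.create_connection(backend)
    upstream.sendall(payload)  # task bytes that arrived in the same read as the header
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)


def serve(listen: Tuple[str, int], backend: Tuple[str, int], denylist: Iterable[str]) -> None:
    denylist = list(denylist)
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, backend, denylist), daemon=True).start()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    # Assumed ports and denylist entry for a local run.
    serve(("0.0.0.0", 1337), ("127.0.0.1", 1338), ["203.0.113.0/24"])
```

The parser rejects anything that is not a well-formed PROXY line rather than passing it through, so a connection that reached the container without going through the load balancer shows up in the log as a warning instead of silently being relayed with no source address. The ban check runs here because, with the load balancer terminating TCP, the pod's own view of the packet source is the proxy's address, which is exactly why NetPol `ipBlock` rules alone cannot do it.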

@sirdarckcat
Member Author

https://cloud.google.com/vpc/docs/flow-logs#gke-external-lb-flows seems to imply there are connection logs

@sirdarckcat
Member Author

There are, but they need to be enabled (https://cloud.google.com/vpc/docs/using-flow-logs#gcloud) with --enable-flow-logs on subnet creation. We use GKE to create the subnet, so we may have to "update" the subnet once it is created. We probably want a high aggregation rate and low sampling so as to avoid using too much logging space.
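Once flow logs are on for the subnet, the per-flow records in Cloud Logging give the source address that the TCP connection itself no longer carries, and the "log and ban" loop becomes: aggregate packets per external source toward the task port, pick the sources over a threshold, and feed them into a NetworkPolicy. The following is an added example of that loop, not code from the project; the log entries are constructed in the shape of VPC flow log records (`jsonPayload.connection.*`, `packets_sent`, `bytes_sent`) with made-up addresses and counts, and the threshold, policy name, namespace and pod label are assumptions. Note that an `ipBlock` rule only bites when the pod sees the real client address; behind a proxy that terminates TCP, the same denylist has to be applied by the PROXY-aware forwarder instead.

```python
"""Aggregate VPC flow log records per external source and render a
NetworkPolicy that excludes the noisiest ones. Added example; the sample
records below are constructed, not real log output."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List


def _entry(src_ip: str, dest_port: int, packets: int, protocol: int = 6) -> str:
    return json.dumps({"jsonPayload": {
        "connection": {"src_ip": src_ip, "src_port": 40000, "dest_ip": "10.0.0.5",
                       "dest_port": dest_port, "protocol": protocol},
        "reporter": "DEST", "packets_sent": packets, "bytes_sent": packets * 60}})


# Constructed sample: two flows from one source to the task port, one quiet
# source, and a large flow to an unrelated port that must not be counted.
SAMPLE_FLOW_LOGS = [
    _entry("203.0.113.9", 1337, 900),
    _entry("203.0.113.9", 1337, 300),
    _entry("198.51.100.7", 1337, 40),
    _entry("192.0.2.44", 22, 5000),
]


def parse_flow_entry(line: str) -> Dict:
    """Pull the fields this loop needs out of one Cloud Logging flow record."""
    payload = json.loads(line)["jsonPayload"]
    conn = payload["connection"]
    return {
        "src_ip": conn["src_ip"],
        "dest_port": int(conn["dest_port"]),
        "protocol": int(conn["protocol"]),
        "packets": int(payload.get("packets_sent", 0)),
        "bytes": int(payload.get("bytes_sent", 0)),
    }


def packets_by_source(lines: Iterable[str], dest_port: int) -> Dict[str, int]:
    """Sum TCP packets per source address for flows toward dest_port.
    With sampling below 1.0 on the subnet these are sampled counts, so the
    threshold applied later is relative to that setting."""
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        e = parse_flow_entry(line)
        if e["dest_port"] == dest_port and e["protocol"] == 6:
            totals[e["src_ip"]] += e["packets"]
    return dict(totals)


def ban_candidates(lines: Iterable[str], dest_port: int, threshold: int) -> List[str]:
    """Sources whose sampled packet total toward dest_port reaches threshold."""
    totals = packets_by_source(lines, dest_port)
    return sorted(ip for ip, n in totals.items() if n >= threshold)


def deny_policy(name: str, namespace: str, pod_label: Dict[str, str],
                port: int, banned: List[str]) -> Dict:
    """Ingress NetworkPolicy allowing the task port from everywhere except banned IPs."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": pod_label},
            "policyTypes": ["Ingress"],
            "ingress": [{
                "from": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                      "except": [f"{ip}/32" for ip in banned]}}],
                "ports": [{"protocol": "TCP", "port": port}],
            }],
        },
    }


if __name__ == "__main__":
    noisy = ban_candidates(SAMPLE_FLOW_LOGS, dest_port=1337, threshold=1000)
    # JSON is valid YAML, so this can be piped straight into kubectl apply -f -
    print(json.dumps(deny_policy("ban-noisy-sources", "tasks", {"app": "tcp-task"}, 1337, noisy), indent=2))
```

In practice the records would be read from a log sink or a `gcloud logging read` export rather than an inline list, and the aggregation interval and sampling rate chosen on the subnet (the `--logging-aggregation-interval` and `--logging-flow-sampling` flags of the subnet update command) decide how coarse the packet totals are, so the threshold should be tuned against the traffic a single task normally sees.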
