We have deployed Postgres instances for customers in Kubernetes in individual namespaces. Some of our customers want to access these from their own Azure tenants, which are not administered by us. For this, we thought of providing a Kubernetes-internal load balancer with a private links service, to which the customer was offered a private endpoint in their Azure environment.
This is working in a test environment with two test customers so far, but currently, customers could establish a network connection to both PostgreSQL instances because they are connected via the same private link service. Since the source IP address of the load balancer arrives in the Kubernetes cluster, it is difficult to define network rules for this.
Can we somehow distinguish the incoming connections so that we can create network rules to grant customers access only to their own Postgres instance?
Right now, we're stuck with either having very limited scaling capacity (8 PrivateLinks) or limited security (segregation only via port assignment).
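To make the question's constraint concrete, here is an added illustration (not the poster's own manifests) of the kind of per-namespace network rule that can be written today, and why it cannot separate the two customers. It assumes each customer namespace (here `customer-a`) runs a Postgres pod labelled `app=postgres` on port 5432, and that the internal load balancer's frontend and backend traffic arrives from an assumed subnet `10.240.0.0/24`; both names and the CIDR are placeholders.

```yaml
# Added example: default-deny ingress for the customer namespace, then allow
# only Postgres traffic that arrives from the internal load balancer subnet.
# Assumed values: namespace customer-a, label app=postgres, LB subnet 10.240.0.0/24.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: postgres-from-internal-lb
  namespace: customer-a
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Every customer behind the shared private link service shows up with a
        # source address from this same range, so this rule limits *where* traffic
        # may come from and *which port* it may reach, but it cannot tell
        # customer A's private endpoint apart from customer B's.
        - ipBlock:
            cidr: 10.240.0.0/24
      ports:
        - protocol: TCP
          port: 5432
```

Because the policy only sees the load balancer's address, the effective isolation between tenants is exactly the port assignment the question mentions: a second customer that learns the other namespace's exposed port has a network path to it, and the remaining control is Postgres authentication rather than network segregation.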