Portworx BaaS security
Private IPs support in Portworx BaaS
A private IP address is reserved for use within a private network. Private IP addresses provide a way to uniquely identify devices on a local network without the need for a public IP address and help to increase network security by limiting the number of public-facing IP addresses on a network.
In Portworx BaaS, you can secure the the on-premises and cloud clusters that you add in the Portworx BaaS application using private IPs.
Connections
You can install the Platform agent Helm chart to initiate connection from the target cluster to the control plane. The Platform agent connects to the BaaS server and Teleport agent connects to the Teleport API server. Teleport creates a reverse tunnel to facilitate proxy connections from the BaaS control plane to the Kubernetes API server of a target cluster.
You can terminate connections by deleting the Platform agent and Teleport agent deployments.
Auto-configure target cluster
When you install the Platform agent Helm chart:
- The Platform agent starts.
- Registers the cluster at BaaS control palane server.
- Retrieves configuration details and reconfigures the following third-party components:
- Teleport agent to create a secure proxy for Kubernetes API access.
- Prometheus to push metrics to the BaaS control plane.
Network communication
The communication between the control plane and target cluster occurs through the network in the following methods:
- All network connections are egress from the target cluster. Therefore, no open ingress ports are required.
- All network connections are encrypted (TLS or SSH) and authenticated.
- Requests from the control plane to the target cluster do not establish their own connections, but are tunneled through an existing Teleport connection.
Following ports are used for the network communication:
Target | Ports | Protcols |
BaaS control plane |
|
|
Teleport server |
|
|