OpenShift Request For Enhancement / RFE-5964

RHACS: Show Destination/Source for External Entities


      1. Proposed title of this feature request

      Show Destination/Source for External Entities

      2. What is the nature and description of the request?

      The Network Graph of RHACS shows any connection flow that is not well known as External Entities. However, the only information RHACS shows about this external traffic is the network port and the network protocol. Unless the destination is a well-known one such as AWS, or the RHACS administrator has manually configured additional CIDR blocks, no destination or source address is visible in RHACS. Port and protocol are not enough to identify possibly risky connections.

      Expectation: The network graph is expected to show the full information of a traffic flow, which means it should also show the destination or source address of a given connection. The customer would like to use the graph to verify exactly which traffic is leaving or entering the cluster, and to do this the address must be visible.

      Since CIDR blocks can be configured manually, the address information must be already known somewhere. 

       


      In the image above, the namespace Gitops, which is hosting an ArgoCD instance, makes constant connections to GitHub. However, a user has no way to verify this connection, because the only information shown is a connection to port 443.

       

      Moreover, a user now observes that some external traffic is happening, but not where it is going. This traffic flow might be a security flaw, and someone might be downloading data, which must be prohibited. Without the destination address, it is not possible to debug this connection via RHACS.

       
      3. Why does the customer need this? (List the business requirements here)

      Justification: The information about the destination/source address is incredibly important for users who must verify the network traffic. Without this information, the traffic flow to any external entity, except to predefined well-known entities or to CIDRs that must be known and configured manually by the customer, does not have any value. The customer expects to use one tool to verify the network traffic flow, without the need to install additional software.

      4. List any affected packages or components.

      Network graph in RHACS UI

       

      Please note that this Jira is part of a larger group of issues raised by BRZ, and you can find more information in this Google document.

              rh-ee-masimonm Maria Simon Marcos
              astrouse@redhat.com Aaron Strouse
              Anjali Telang, Boaz Michaely, Doron Caspin, JP Jung, Maria Simon Marcos, Shubha Badve
              ACS Collector