Global network considerations
...
Quick overview
External network access
Only web servers need to be reachable by end users. User access should go via an HTTPS proxy, which proxies/load balances requests to the GoDocker web servers. Web servers need read access to the shared directory.
Firewalls should leave only the HTTPS port (443) open to the web servers.
If go-d-ftp is used, then the FTP port (according to configuration) should also be opened. FTP needs read and write access to the shared directory.
For interactive jobs, users can connect via SSH to the container. To do so, it is advised to set up an SSH gateway server to which users connect before jumping to the container. This gateway would sit in a DMZ and act only as an SSH frontend. The SSH gateway should limit outbound connections to the cluster nodes and to the defined port range.
User =(HTTPS)==> Web proxy =(HTTP)==> Web servers
User =(FTP)==> FTP server
User =(SSH)==> SSH Gateway =(SSH)==> Nodes with containers
If a user opens a port in a container, that port is mapped to a node port within the allowed port range. As cluster nodes do not usually have public IP addresses, the port is not directly reachable from outside. The user may need to connect to the SSH gateway and contact the container port from there (via a browser, application, ...).
Internal network access
Databases and status handlers (etcd, consul, ...) should have limited access. Only web server, FTP, scheduler and watcher nodes should have inbound access to them.
Scheduler and watcher nodes need read/write access to the shared directory.
Scheduler and watcher nodes need inbound connection access to the selected executor (Mesos master/slaves, Swarm, Kubernetes master).
Web server processes must have access to the cluster nodes (to query cAdvisor or Mesos slaves).
End users must not have direct access (SSH) to the cluster nodes.
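The external and internal zoning rules above can be written down as an allowlist and used to review a proposed firewall or security-group rule set before it is applied. The following is an added example, not GoDocker project code; the FTP port, the node port range, the cAdvisor/Mesos agent ports and the role names are assumptions, since the page leaves them to configuration.

```python
"""Policy-as-code model of the GoDocker network zoning described on this page.

Added example (not GoDocker project code). Where the page leaves a value to
configuration, the number used here is an assumption and is marked as such.
"""
FTP_PORT = 21                            # assumed; page: "according to configuration"
NODE_PORT_RANGE = range(30000, 30100)    # assumed "defined port range" for container ports
NODE_AGENT_PORTS = {8080, 5051}          # assumed cAdvisor / Mesos agent ports queried by web servers
ANY = None                               # page names the peers but no port: allow any port

# (source role, destination role) -> permitted destination ports. Absent pair = denied.
ALLOWED = {
    ("user", "web_proxy"): {443},                   # HTTPS only, terminated at the proxy
    ("web_proxy", "web_server"): {80},              # proxy speaks plain HTTP to the web servers
    ("user", "ftp"): {FTP_PORT},                    # only if go-d-ftp is deployed
    ("user", "ssh_gateway"): {22},                  # DMZ gateway is the only SSH entry point
    ("ssh_gateway", "node"): set(NODE_PORT_RANGE),  # jump to mapped container ports only
    ("web_server", "node"): NODE_AGENT_PORTS,       # cAdvisor / Mesos slave queries
    ("web_server", "db"): ANY, ("ftp", "db"): ANY,
    ("scheduler", "db"): ANY, ("watcher", "db"): ANY,
    ("scheduler", "executor"): ANY, ("watcher", "executor"): ANY,
}


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Return True if the page's zoning rules permit src -> dst:port."""
    ports = ALLOWED.get((src, dst), set())   # unknown pair -> empty set -> denied
    return ports is ANY or port in ports


def audit(flows):
    """Return the (src, dst, port) flows that violate the policy.

    Meant for reviewing a proposed rule set: every flow it would permit is
    checked against the allowlist, and anything not covered is reported.
    """
    return [f for f in flows if not is_allowed(*f)]


# Constructed sample: a proposed rule set containing three mistakes a reviewer should catch.
PROPOSED_RULES = [
    ("user", "web_proxy", 443),
    ("web_proxy", "web_server", 80),
    ("user", "ssh_gateway", 22),
    ("ssh_gateway", "node", 30042),
    ("user", "node", 22),            # violates "no direct SSH to cluster nodes"
    ("ssh_gateway", "node", 22),     # gateway must stay inside the mapped port range
    ("user", "web_server", 80),      # bypasses the HTTPS proxy
    ("watcher", "executor", 5050),
]

if __name__ == "__main__":
    for flow in audit(PROPOSED_RULES):
        print("DENY", *flow)
```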
Security and network considerations
...