Security: Tunnel between cattle-cluster-agent and cluster controller

Hello

We are looking to use Rancher primarily for centralized access management in a multi-cloud scenario with imported clusters.

In the architecture overview it says that the cattle-cluster-agent opens a connection/tunnel to the Rancher cluster controller. This is a concern for our security team as they usually only allow outbound connections from our DMZ unless inbound connections are absolutely needed, so they’ve asked me to clarify:

  • Is there any way to use imported clusters without requiring inbound connections to the cluster controller?
  • Has this tunnel been specifically pentested and/or assessed from a security perspective?
  • What was the reasoning behind the decision to establish the connection/tunnel from the cattle-cluster-agent to the cluster controller and not the other way around?
  • No. How is opening up “n” holes (one for every cluster) instead of a single one for the server an improvement to them?
  • It’s a regular WebSocket over TLS; the cluster is identified by the api key it sends.
  • The vast majority of users have much bigger problems with requiring every cluster to be reachable from the server rather than the one server be reachable from every cluster.
    • Restricted inbound to a cluster is a naturally-occurring situation in a private network/behind a NAT, with no particularly desirable solutions possible.
    • Restricting outbound communication from a cluster is non-existent by default, has to be specifically set up, and if you’re setting it up you can just add an exception, of which you probably already need many for the cluster to do anything useful like pull images.
    • If you want to be able to talk to the API for anything (including the UI), the server needs to be exposed to all those users anyway.
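The reverse-tunnel pattern described in the answer above, as an added example that is not Rancher's code: the agent dials out to the controller, authenticates with a token, and the controller then sends its requests back down that same connection, so the cluster side needs no inbound rule. Rancher's real agent does this over a WebSocket over TLS; this stand-in uses a plain line protocol over TCP on loopback so it runs offline. The token value, the cluster name "prod", and the /version and /healthz responses are all constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"fmt"
	"net"
	"strings"
	"sync"
)

// Constructed token for this example; Rancher issues a per-cluster token instead.
const agentToken = "example-cluster-token-9f2c"

// Server stands in for the Rancher cluster controller: it only listens, never dials in.
type Server struct {
	Addr     string
	ln       net.Listener
	mu       sync.Mutex                   // also serialises requests so replies cannot interleave
	sessions map[string]*bufio.ReadWriter // cluster name -> tunnel its agent opened
}

func NewServer() (*Server, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback stand-in for the Rancher URL
	if err != nil {
		return nil, err
	}
	s := &Server{Addr: ln.Addr().String(), ln: ln, sessions: map[string]*bufio.ReadWriter{}}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go s.handshake(c)
		}
	}()
	return s, nil
}

// handshake expects "AUTH <cluster> <token>" first; the socket becomes a tunnel only if the token matches.
func (s *Server) handshake(c net.Conn) {
	rw := bufio.NewReadWriter(bufio.NewReader(c), bufio.NewWriter(c))
	line, err := rw.ReadString('\n')
	f := strings.Fields(line)
	if err != nil || len(f) != 3 || f[0] != "AUTH" ||
		subtle.ConstantTimeCompare([]byte(f[2]), []byte(agentToken)) != 1 {
		fmt.Fprint(c, "ERR unauthorized\n")
		c.Close()
		return
	}
	s.mu.Lock()
	s.sessions[f[1]] = rw
	s.mu.Unlock()
	fmt.Fprint(c, "OK\n") // registered before OK, so a successful Connect means a usable tunnel
}

// Request is the controller reaching into the cluster over the connection the agent opened.
func (s *Server) Request(cluster, path string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	t, ok := s.sessions[cluster]
	if !ok {
		return "", fmt.Errorf("no tunnel from cluster %q", cluster)
	}
	fmt.Fprintf(t, "REQ %s\n", path)
	if err := t.Flush(); err != nil {
		return "", err
	}
	resp, err := t.ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimPrefix(strings.TrimSpace(resp), "RESP "), nil
}

// Connect is the agent: dial outbound, present the token, then answer requests that
// come back down the same socket. The map is a constructed stand-in for the cluster API.
func Connect(addr, cluster, token string) error {
	c, err := net.Dial("tcp", addr)
	if err != nil {
		return err
	}
	fmt.Fprintf(c, "AUTH %s %s\n", cluster, token)
	r := bufio.NewReader(c)
	if reply, err := r.ReadString('\n'); err != nil || strings.TrimSpace(reply) != "OK" {
		c.Close()
		return fmt.Errorf("server rejected agent: %s", strings.TrimSpace(reply))
	}
	api := map[string]string{"/version": "v1.29.0", "/healthz": "ok"}
	go func() {
		defer c.Close()
		for line, err := r.ReadString('\n'); err == nil; line, err = r.ReadString('\n') {
			body, found := api[strings.TrimPrefix(strings.TrimSpace(line), "REQ ")]
			if !found {
				body = "404 not found"
			}
			fmt.Fprintf(c, "RESP %s\n", body)
		}
	}()
	return nil
}
```

Usage: after `s, _ := NewServer()`, `Connect(s.Addr, "prod", agentToken)` returns nil and `s.Request("prod", "/version")` returns `v1.29.0`; with a wrong token `Connect` returns an error and `s.Request` reports that no tunnel exists. Note that the only thing distinguishing clusters here is the token presented on the outbound connection, which is the point the answer makes: the credential, not the firewall, is what gates the tunnel.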

Thanks vincent, that makes it clearer!

@dlandtwing In my view there is no way to use imported clusters without it. It is a regular WebSocket over TLS; the cluster is identified by the API key it sends. 🙂