https://www.ory.sh/ logo
#talk-kratos
Title
# talk-kratos
b

brainy-plumber-70688

05/06/2022, 8:06 PM
What's a common way to protect admin api?
d

damp-sunset-69236

05/09/2022, 7:59 AM
Hello. You can protect them using ingress controller like nginx/istio/envoy. You have two options: 1. Don’t expose them 2. Add an additional level of security (basic auth, make them open for ip ranges)
b

brainy-plumber-70688

05/10/2022, 7:47 PM
I was thinking more about from within the network. Say it's running in k8s pod, then technically anyone who can
exec
into this pod has access to it.
mainly to prevent misuse, since if someone has access to pod, then that someone has access to database anyway.
d

damp-sunset-69236

05/11/2022, 8:43 AM
I see what you mean. What Cloud provider do you use?
I solved almost the same case a year ago. The idea to increase security lies in using service accounts with AWS IAM policies. You can set up CI/CD pipeline for yourself, use a service account within the pipeline and restrict access to the rest of a team.
b

brainy-plumber-70688

05/11/2022, 10:27 PM
@damp-sunset-69236 I'm working on on-prem thing 😞 That could be a VM with docker or k8s cluster. So I don't know where it's going to run. I have a daemon that gets configuration from my other services and starts Kratos & Hydra. I probably can use that to proxy requests to kratos private API listening on UDS.
7 Views