vrr/Pulse
2
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-05-05 07:08:42 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
Pulse/docs/security/SENSOR_PROXY_NETWORK.md
rcourtman 2b48b0a459 feat: add --kube-include-all-deployments flag for Kubernetes agent 
Adds IncludeAllDeployments option to show all deployments, not just
problem ones (where replicas don't match desired). This provides parity
with the existing --kube-include-all-pods flag.

- Add IncludeAllDeployments to kubernetesagent.Config
- Add --kube-include-all-deployments flag and PULSE_KUBE_INCLUDE_ALL_DEPLOYMENTS env var
- Update collectDeployments to respect the new flag
- Add test for IncludeAllDeployments functionality
- Update UNIFIED_AGENT.md documentation

Addresses feedback from PR #855
2025-12-18 20:58:30 +00:00

39 lines
1.4 KiB
Markdown
Raw Blame History

# 🌐 Sensor Proxy Network Segmentation
> **Deprecated in v5:** `pulse-sensor-proxy` is deprecated and not recommended for new deployments.
> Use `pulse-agent --enable-proxmox` for temperature monitoring.
> This document is retained for existing installations during the migration window.
Isolate the proxy to prevent lateral movement.
## 🚧 Zones
* **Pulse App**: Connects to Proxy via Unix socket (local).
* **Sensor Proxy**: Outbound SSH to Proxmox nodes only.
* **Proxmox Nodes**: Accept SSH from Proxy.
* **Logging**: Accepts RELP/TLS from Proxy.
## 🛡️ Firewall Rules
| Source | Dest | Port | Purpose | Action |
| :--- | :--- | :--- | :--- | :--- |
| **Pulse App** | Proxy | `unix` | RPC Requests | **Allow** (Local) |
| **Proxy** | Nodes | `22` | SSH (sensors) | **Allow** |
| **Proxy** | Logs | `6514` | Audit Logs | **Allow** |
| **Any** | Proxy | `22` | SSH Access | **Deny** (Use Bastion) |
| **Proxy** | Internet | `any` | Outbound | **Deny** |
## 🔧 Implementation (iptables)
```bash
# Allow SSH to Proxmox
iptables -A OUTPUT -p tcp -d <PROXMOX_SUBNET> --dport 22 -j ACCEPT
# Allow Log Forwarding
iptables -A OUTPUT -p tcp -d <LOG_HOST> --dport 6514 -j ACCEPT
# Drop all other outbound
iptables -P OUTPUT DROP
```
## 🚨 Monitoring
* Alert on outbound connections to non-whitelisted IPs.
* Monitor `pulse_proxy_limiter_rejects_total` for abuse.
Reference in a new issue View git blame Copy permalink