kprop across NAT boundaries (patching privsafe)

Greg Hudson ghudson at mit.edu
Wed Jan 6 20:56:48 EST 2021


On 1/5/21 11:17 AM, Jorj Bauer wrote:
> Because the privsafe protocol bakes in the source and destination address and port, it’s not possible to run kprop through layers of NAT (without doing something that undoes the damage NAT does). In particular, I’m finding this to be one of the problems with being able to run Kerberos “for real” inside Kubernetes, where we have an F5 fronting multiple k8s clusters, whose ingresses fan out traffic to multiple pods inside each.

1.18 and 1.19 beta have this commit:

https://github.com/krb5/krb5/commit/775e496aac2650343ec20826b1ba7f6306a12f3c

Is it not sufficient?

