mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-02-18 00:17:39 +01:00
# 🌐 Sensor Proxy Network Segmentation

**Deprecated in v5:** `pulse-sensor-proxy` is deprecated and not recommended for new deployments. Use `pulse-agent --enable-proxmox` for temperature monitoring. This document is retained for existing installations during the migration window.
Isolate the proxy to prevent lateral movement.
## 🚧 Zones
- Pulse App: Connects to Proxy via Unix socket (local).
- Sensor Proxy: Outbound SSH to Proxmox nodes only.
- Proxmox Nodes: Accept SSH from Proxy.
- Logging: Accepts RELP/TLS from Proxy.
## 🛡️ Firewall Rules

| Source | Dest | Port | Purpose | Action |
|---|---|---|---|---|
| Pulse App | Proxy | unix | RPC Requests | Allow (Local) |
| Proxy | Nodes | 22 | SSH (sensors) | Allow |
| Proxy | Logs | 6514 | Audit Logs | Allow |
| Any | Proxy | 22 | SSH Access | Deny (Use Bastion) |
| Proxy | Internet | any | Outbound | Deny |
## 🔧 Implementation (iptables)

```bash
# Allow loopback so services bound to 127.0.0.1 keep working (Unix sockets are not filtered by netfilter)
iptables -A OUTPUT -o lo -j ACCEPT
# Allow reply packets on connections already accepted inbound (e.g. an SSH session from the bastion);
# without this the DROP policy below silently breaks every inbound session
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH to Proxmox (replace <PROXMOX_SUBNET> with the node subnet, e.g. 10.0.0.0/24)
iptables -A OUTPUT -p tcp -d <PROXMOX_SUBNET> --dport 22 -j ACCEPT
# Allow Log Forwarding (RELP/TLS) to the log host
iptables -A OUTPUT -p tcp -d <LOG_HOST> --dport 6514 -j ACCEPT
# Drop all other outbound by default
iptables -P OUTPUT DROP
```
## 🚨 Monitoring

- Alert on outbound connections to non-whitelisted IPs.
- Monitor `pulse_proxy_limiter_rejects_total` for abuse.
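The first monitoring item can be checked by evaluating the egress policy from the firewall table against netfilter LOG output. The following is an added example, not code from the Pulse project: it assumes a `LOG` rule precedes the OUTPUT drop, uses placeholder addresses for `<PROXMOX_SUBNET>` and `<LOG_HOST>`, and runs over constructed sample log lines.

```python
import ipaddress
import re

# Placeholders for <PROXMOX_SUBNET> and <LOG_HOST> from the firewall table (assumption).
PROXMOX_SUBNET = ipaddress.ip_network("192.0.2.0/24")
LOG_HOST = ipaddress.ip_address("198.51.100.10")

# Netfilter LOG lines are "KEY=VALUE" fields; outbound packets have an empty IN= and a set OUT=.
_FIELD = re.compile(r"\b(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict."""
    return dict(_FIELD.findall(line))


def egress_allowed(dst, proto, dport):
    """Proxy egress policy: SSH to Proxmox nodes and RELP/TLS to the log host, nothing else."""
    if proto != "TCP":
        return False
    ip = ipaddress.ip_address(dst)
    if ip in PROXMOX_SUBNET and dport == 22:
        return True
    return ip == LOG_HOST and dport == 6514


def find_violations(lines):
    """Return (dst, proto, dport) for every outbound packet the policy does not allow."""
    violations = []
    for line in lines:
        fields = parse_netfilter_line(line)
        if not fields.get("OUT") or "DST" not in fields:
            continue  # inbound or malformed line, not an egress event
        proto = fields.get("PROTO", "")
        dport = int(fields["DPT"]) if "DPT" in fields else None
        if not egress_allowed(fields["DST"], proto, dport):
            violations.append((fields["DST"], proto, dport))
    return violations


# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG = [
    "PROXY-EGRESS: IN= OUT=eth0 SRC=192.0.2.50 DST=192.0.2.7 PROTO=TCP SPT=40000 DPT=22",
    "PROXY-EGRESS: IN= OUT=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=6514",
    "PROXY-EGRESS: IN= OUT=eth0 SRC=192.0.2.50 DST=203.0.113.53 PROTO=UDP SPT=40002 DPT=53",
    "PROXY-EGRESS: IN= OUT=eth0 SRC=192.0.2.50 DST=203.0.113.9 PROTO=TCP SPT=40003 DPT=443",
    "PROXY-INGRESS: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.50 PROTO=TCP SPT=5555 DPT=22",
]

if __name__ == "__main__":
    for dst, proto, dport in find_violations(SAMPLE_LOG):
        print(f"ALERT: unexpected egress to {dst} {proto}/{dport}")
```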