Security
IP firewall
Kokomo services can be secured with mTLS and IP firewalling. Here we will discuss the latter.
IP firewall
With Kokomo you can expose a service, and by default it will be accessible from every IP unless you configure the IP firewall. The notation Kokomo uses to mean "every IP" is 0.0.0.0. Whenever you see 0.0.0.0, it means that every IP can consume your service, and it always takes precedence over every other IP rule.
Configuring the IP firewall
When you are exposing a service with Kokomo you can instruct the CLI agent to only whitelist specific IP addresses by using one or more occurrences of the --allow-ip argument:
$ kokomo \
--service-name "redis" \
--local-port 1234 \
--remote-port 1234 \
--allow-ip 1.1.1.1 \
--allow-ip 2.2.2.2 \
--api-key [APIKEY]
To enable IP firewalling, pass one of the following: the --allow-ip argument, which you can use more than once, or the environment variable KOKOMO_IP_ALLOW=192.168.0.1. If you use the environment variable, you can add a comma-separated list of IPs like KOKOMO_IP_ALLOW=1.1.1.1,2.2.2.2.
After we start the agent with the arguments above, Kokomo will provision our infrastructure and validate that only the allowed IP addresses can use your exposed service. If you use 0.0.0.0 anywhere in the combination of allowed IPs, your exposed service will be consumable by everyone.
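The allowlist rules above (repeatable --allow-ip, comma-separated KOKOMO_IP_ALLOW, and 0.0.0.0 overriding every other entry) modelled as a small pre-flight check, as an added example that is not Kokomo's own code. The functions parse_allowlist, is_allowed and audit are hypothetical names; the only semantics assumed are the ones this page states.

```python
"""Model of the Kokomo IP-allowlist semantics described on this page.
Added example, not Kokomo's code. Assumptions: --allow-ip may repeat,
KOKOMO_IP_ALLOW is comma-separated, and 0.0.0.0 anywhere means "everyone"
and takes precedence over every other entry."""
import ipaddress
from typing import Iterable

ALLOW_ALL = "0.0.0.0"


def parse_allowlist(cli_ips: Iterable[str] = (), env_value: str = "") -> list[str]:
    """Merge --allow-ip occurrences with KOKOMO_IP_ALLOW into one de-duplicated list.
    Each entry must be a valid IP address; anything else raises ValueError."""
    raw = list(cli_ips) + [p for p in env_value.split(",") if p.strip()]
    merged: list[str] = []
    for item in raw:
        ip = str(ipaddress.ip_address(item.strip()))  # normalises and validates
        if ip not in merged:
            merged.append(ip)
    return merged


def is_allowed(client_ip: str, allowlist: list[str]) -> bool:
    """No allowlist configured, or 0.0.0.0 present, means every IP is accepted."""
    if not allowlist or ALLOW_ALL in allowlist:
        return True
    return str(ipaddress.ip_address(client_ip)) in allowlist


def audit(allowlist: list[str]) -> list[str]:
    """Warnings a deployer wants before exposing the service: the dangerous
    case is 0.0.0.0 silently overriding a list that looks restrictive."""
    warnings: list[str] = []
    if not allowlist:
        warnings.append("no --allow-ip / KOKOMO_IP_ALLOW: service is open to every IP")
    elif ALLOW_ALL in allowlist:
        others = [ip for ip in allowlist if ip != ALLOW_ALL]
        if others:
            warnings.append(f"0.0.0.0 overrides {others}: service is open to every IP")
        else:
            warnings.append("0.0.0.0 configured: service is open to every IP")
    return warnings


if __name__ == "__main__":
    # Constructed sample: two --allow-ip flags plus an env var that sneaks in 0.0.0.0.
    lst = parse_allowlist(["1.1.1.1", "2.2.2.2"], "0.0.0.0")
    print(lst, is_allowed("9.9.9.9", lst), audit(lst))
```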