BinderHub federation - network architecture best practices

Hi all. First post here, apologies if it is not in the right place.

We’ve found ourselves in a position to host a few nodes for the federation service. I wonder if any of you can share your experiences from an infrastructure deployment of this service, specifically regarding its placement on the network. We’re aiming to have it live in a DMZ, as a standard published service; however, I have not found much information regarding general architecture best practices, nor whether the solution has any security-specific considerations.

Thanks in advance!

As much as possible we try to lock down the network via network policies, so that deployments can have the same shared configuration. In general, a BinderHub deployment does not need any access to your local network outside the Kubernetes cluster. Some components require access to the Kubernetes API itself, and most components require access to cluster DNS.

User pods are allowed egress to the Internet on a specific set of ports, with some ban-list exceptions.

Throttling and additional restrictions according to your environment could be appropriate, depending on your needs.
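
The egress restriction described in the reply above, sketched as a Kubernetes NetworkPolicy. This is an added example, not part of the original post and not the BinderHub project's own policy; the namespace, pod labels, port list and ban-list entries are all assumptions to adapt to your cluster.

```yaml
# Added illustration: user pods may reach cluster DNS and the Internet on a
# fixed set of ports, with a ban-list carved out of the allowed range.
# Assumed values: namespace "binder", label component=singleuser-server,
# DNS pods labelled k8s-app=kube-dns in kube-system, ports 80/443.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: user-pod-egress          # hypothetical name
  namespace: binder              # assumed namespace
spec:
  podSelector:
    matchLabels:
      component: singleuser-server   # assumed label on user pods
  policyTypes:
    - Egress                     # anything not listed below is dropped
  egress:
    # 1. Cluster DNS only (both selectors in one item, so both must match).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # 2. Internet on specific ports, minus the ban-list.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:              # constructed ban-list: local networks
              - 10.0.0.0/8       # and the cloud metadata endpoint
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.169.254/32
      ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
```

A NetworkPolicy only takes effect when the cluster's network plugin enforces it, so verify from inside a user pod that a connection to a banned range is actually refused.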

Thank you for your insight minrk.

Had some time to internalize your feedback now. So, to put it in infrastructure terms: no specific considerations other than the regular ones dictated by the traffic flow required to the cluster; regular network policies, wherever they are enforced (centrally or host-based, or both), are sufficient, based on the nature of the service, to control its exposure.

As for throttling, very interesting point. And a further question! As mentioned I’m way out of my knowledge zone as to what is the application of this solution in terms of use cases. Have you seen any use case generating enough data to be considered for throttling? This is also a consideration for perimeter placing of this - based on the service consumption model - IMHO.