eliott/Olares
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d4e933688de66cf9270ee55fca316506295fa461
Olares/docs/developer/concepts/network.md

3.7 KiB
Raw Blame History

outline, description
outline description
2
3
beOS Pro network architecture principles, covering application entrance types, local access mechanisms, endpoint configurations and internal network security policies.

Network

beOS Pro provides users with a barrier-free but secure and versatile network solutions. This documents covers the key networking concepts related to application access.

Entrance

Each beOS Pro application can have one or more entrances that serve as access points. There are three types of entrances:

Public entrance

  • Provides external services such as blogs, social media, etc.
  • Accessible without authentication
  • Basic security through Cloudflare

Private entrance

  • Provides services exclusively for individual users, families, or teams
  • Suitable for readers, entertainment, productivity tools, desktop applications, etc.
  • Requires authentication for access

Internal entrance

  • Functions similarly to private entrance
  • No authentication required when accessing applications through beOS Pro app VPN

Endpoints

An endpoint is the access address or point where users interact with an application. Simply put, it's the URL you enter in your browser's address bar to access a specific beOS Pro application or its features.

A typical beOS Pro application endpoint follows this format:

https://{routeID}.{domain}

For example: https://vault.alice123.beos.local, where

  • vault is the route ID for a system application.
  • alice123.beos.local is derived from the beOS ID alice123@beos.local.

Route ID

A route ID is a unique identifier used to identify specific applications or application entrances. The default route IDs are automatically generated by the system according to the following rules:

  • System applications
    • Use predefined memorable Route IDs
    • Examples: desktop (for Desktop), market (for Market)
  • Community applications
    • Use an 8-character random string + entrance index (starting from 0)
    • Example: For an application with Route ID 92d76a13 and two entrances, the first entrance is 92d76a130, and the access URL is 92d76a130.bob.beos.local

::: tip Note

  • The URL of the application is derived from beOS ID.
  • Entrance index refers to the position of entrance in multiple entrances defined in beOS ProManifest.yaml. :::

beOS Pro internal network

beOS Pro implements a layered proxy routing design in its gateway architecture. Traffic flows through multiple layers:

cluster -> user -> application -> service component.

alt text

Inside the application, beOS Pro has multiple layers of security.

  • Namespace isolation

    • Each application operates in its exclusive namespace
    • All resources are namespace-confined
    • Applications cannot connect ClusterRole to ServiceAccount
    • Cross-namespace resource access is prohibited

  • Network policy controls

    • Each namespace has dedicated network policies
    • Incoming network requests are restricted to cluster applications and system applications of the user
    • User-level network isolation:
      • Applications isolated between users
      • Third-party applications isolated within user space

  • Pod restrictions

    • Pods cannot use hostNetwork service or NodePort service
    • Traffic access requires declared entrance service and system-provided entry proxy
    • The Pod declared as entrance will be forced to join Envoy's sandbox Sidecar to authenticate and authorize incoming traffic.

Learn more

Reference in New Issue View Git Blame Copy Permalink