[RFE] support nova proxy <-> hypervisor VNC/SPICE traffic encryption
Bug #1759285 reported by Dmitrii Shcherbakov
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Nova Cloud Controller Charm | Triaged | Wishlist | Unassigned |
Bug Description
Currently, if TLS termination is enabled for the API, it only provides security for client <-> proxy connectivity.
Some improvements for that were implemented for Queens but require configuration.
https:/
https:/
Changed in charm-nova-cloud-controller:
status: New → Triaged
importance: Undecided → Wishlist
tags: added: canonical-bootstack
When implementing this feature, the optional support for AUTHENTICATION using x509 client certificates should also be implemented.
Right now, the VNC port is both unencrypted and unauthenticated - anyone with network access to the compute node can connect to the VNC port and get console access. Even with encryption on, they can still do that just with an encrypted connection.
Authorization should be configured to ensure that only an authorized nova-cloud-controller novncproxy can connect to the nova-compute VNC port.
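The following audit script is an added example and is not part of this bug report or of the charm's code. It gives an operator a way to verify the exposure described above on a compute node's VNC port: it performs only the RFB 3.8 version exchange, reads the list of security types the server advertises, and reports whether the plaintext "None" type is offered (the unencrypted, unauthenticated case) and whether VeNCrypt (type 19, the TLS-wrapped scheme that nova's Queens-era `[vnc] auth_schemes = vencrypt` option and libvirt's `vnc_tls` / `vnc_tls_x509_verify` settings rely on) is offered. The security-type numbers come from the RFB protocol registry; the host, port and sample byte strings are constructed for the example.

```python
"""Audit which RFB security types a VNC endpoint advertises (RFB 3.7/3.8).

Added example, not charm or nova code. It never authenticates or opens a
session: it reads the server's security-type list and closes the socket.
"""
import socket
import struct
import sys

CLIENT_VERSION = b"RFB 003.008\n"

# Security type codes from the RFB protocol registry.
SECURITY_TYPE_NAMES = {
    0: "Invalid",
    1: "None",                # plaintext, no authentication at all
    2: "VNC Authentication",  # DES challenge/response, still plaintext
    19: "VeNCrypt",           # TLS-wrapped; x509 sub-types allow client certs
}


def parse_server_version(banner: bytes) -> tuple:
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner into (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB "):
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(payload: bytes) -> list:
    """Parse the security-type message sent after the version exchange.

    RFB 3.7+ format: u8 count, then `count` u8 type codes. A count of 0
    means the server refused the handshake; a u32-length reason follows.
    """
    if not payload:
        raise ValueError("empty security-type message")
    count = payload[0]
    if count == 0:
        reason_len = struct.unpack(">I", payload[1:5])[0]
        reason = payload[5:5 + reason_len].decode(errors="replace")
        raise ConnectionError(f"server refused handshake: {reason}")
    types = list(payload[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def assess(types: list) -> dict:
    """Summarise what the advertised types imply for this endpoint."""
    return {
        "types": [SECURITY_TYPE_NAMES.get(t, f"unknown({t})") for t in types],
        # Type 1 advertised: any host that can reach the port gets a console.
        "plaintext_unauthenticated": 1 in types,
        # Type 19 advertised: TLS is available; whether x509 client
        # certificates are *required* is decided inside the VeNCrypt
        # sub-handshake, which this probe deliberately does not enter.
        "vencrypt_offered": 19 in types,
    }


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect, exchange versions, and return assess() on the type list."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        major, minor = parse_server_version(sock.recv(12))
        if (major, minor) < (3, 7):
            raise ValueError(f"RFB {major}.{minor} uses a single-type "
                             "handshake this probe does not decode")
        sock.sendall(CLIENT_VERSION)
        return assess(parse_security_types(sock.recv(256)))


if __name__ == "__main__":
    # Constructed defaults: the libvirt VNC port of a compute node.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
    print(probe(host, port))
```

Run it from a host that should not be allowed console access (for example, a tenant-reachable network) against a compute node's `5900+` range: a result with `plaintext_unauthenticated: True` is the situation the comment above describes, while a hardened node advertises only VeNCrypt, and the proxy-side `vencrypt_client_cert` / `vencrypt_client_key` / `vencrypt_ca_certs` options plus libvirt's `vnc_tls_x509_verify = 1` are what make the x509 client authentication the comment asks for actually enforced.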