No documentation about security & firewall use
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Fuel for OpenStack | New | Undecided | Fuel Documentation Team |
Bug Description
We need to document how to implement MOS in a secure environment, with external, out-of-band firewall.
As an initial assumption, IMO we should assume typical firewall usage, as described below.
Firewall - central point of the network communication, with various "DMZ" zones:
Fuel master node - DMZ zone 1
CIC nodes HA setup - DMZ zone 2
Nova-Compute hosts - DMZ zone 3
Ceph monitors - DMZ zone 4
Ceph OSD storage hosts - DMZ zone 5
Horizon UI - DMZ zone 6 (not deployed on the CIC nodes, as it is in the default config)
CIC / MOS Services: all possible services enabled, including Neutron L3 agent, LBaaS, Sahara, Murano, Heat, Ceilometer+MongoDB
Detailed zones/node placing could be discussed during laboratory tests.
Expected outcome regarding documentation:
Detailed specifications of the network connectivity/TCP flow/UDP flow requirements per service, required for normal cluster operations.
We assume that only the required ports/flows are permitted; all others are DENIED at the end of every DMZ firewall rule set.
We assume that the firewall is stateful with regard to TCP connectivity.
Changed in fuel:
assignee: nobody → Fuel Documentation Team (fuel-docs)
milestone: none → 6.1