expose does not permit limited to a specific subnet range
Bug #1694422 reported by Richard Harding
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Canonical Juju | Fix Released | Medium | Achilleas Anagnostopoulos | | |
Bug Description
It is often more secure and better practice to only expose access to services to a specified subnet range. In this way, I could deploy my Kubernetes to AWS, but limit external access to only the IP addresses from my company offices.
This entails additional flags on the expose command from the end user on either a subnet range or a list of known IP addresses that would be tied into the firewall rules when an application is exposed and the ports are opened up.
This type of work might be useful/going on for CMR work and so this might be something useful to think on in the current flight of features.
Changed in juju:
milestone: none → 2.8-beta1
Changed in juju:
milestone: 2.8-beta1 → 2.9-beta1
Changed in juju:
assignee: nobody → Achilleas Anagnostopoulos (achilleasa)
Changed in juju:
status: In Progress → Fix Committed
Changed in juju:
status: Fix Committed → Fix Released
The internal provider firewaller APIs have already been refactored to support opening ports for specific subnets, with "open to the world" being just a case of using CIDR 0.0.0.0/0. Yes, this was done for cross model relations.
It's now relatively straightforward to adjust the internal Juju model to record a subnet range for an expose operation.
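The comment above describes "open to the world" as the CIDR 0.0.0.0/0 case of a subnet-scoped rule. The Go example below is added here to illustrate that model and is not Juju's firewaller code; `IngressRule`, `NewIngressRule` and `Allows` are hypothetical names, and the addresses are constructed values from documentation ranges.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IngressRule (hypothetical) is one exposed port range plus its allowed sources.
type IngressRule struct {
	FromPort, ToPort int
	Sources          []netip.Prefix
}

// NewIngressRule validates the CIDRs given with an expose request.
// No CIDRs means "open to the world", expressed as 0.0.0.0/0.
func NewIngressRule(from, to int, cidrs ...string) (IngressRule, error) {
	if from < 1 || to > 65535 || from > to {
		return IngressRule{}, fmt.Errorf("invalid port range %d-%d", from, to)
	}
	if len(cidrs) == 0 {
		cidrs = []string{"0.0.0.0/0"}
	}
	rule := IngressRule{FromPort: from, ToPort: to}
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return IngressRule{}, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		rule.Sources = append(rule.Sources, p.Masked()) // drop host bits
	}
	return rule, nil
}

// Allows reports whether src may reach port under this rule.
func (r IngressRule) Allows(src string, port int) bool {
	addr, err := netip.ParseAddr(src)
	if err != nil || port < r.FromPort || port > r.ToPort {
		return false
	}
	for _, p := range r.Sources {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(NewIngressRule(443, 443, "203.0.113.7/24"))
}
```

Note that 0.0.0.0/0 covers IPv4 sources only; an IPv6 source is not matched by it and would need ::/0 as a separate entry.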