Restrict ingress port 17070 to the controllers
Bug #1842006 reported by Andrea Ieri
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Canonical Juju | Triaged | Wishlist | Unassigned | |
Bug Description
The default security groups deployed by Juju allow ingress traffic on port 17070 from any source.
A customer of ours has recently raised the concern that this is too open, and I think this could be restricted to the set of controllers, at least for local deployments (I imagine it might get tricky for JAAS setups).
information type: Private Security → Public
information type: Public → Public Security
Changed in juju: importance: Low → Wishlist
Thanks, this is a known issue in the Juju network/access model. We need the ability to specify networks that have access to the controller as well as being able to handle that on the application expose ability. This is something that's been discussed for the roadmap but has not yet been put on the roadmap.
One note is that we'd only do this where we have an underlying firewall API to work with, such as public clouds and OpenStack, but it wouldn't change in places like MAAS and LXD, where there's not an underlying firewall API currently.
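An audit for the condition this report describes, as an added example that is not part of the bug report or of Juju's code: it flags ingress rules that expose TCP port 17070 to sources wider than a given set of controller addresses. The rule dictionaries use OpenStack Neutron security-group rule field names; the rule ids, the group name and the controller addresses are constructed for illustration.

```python
import ipaddress

JUJU_API_PORT = 17070  # port named in the bug report

def rule(rid, lo, hi, prefix, direction="ingress", group=None):
    # Build a constructed rule using OpenStack Neutron field names.
    return {"id": rid, "direction": direction, "protocol": "tcp", "ethertype": "IPv4",
            "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": prefix, "remote_group_id": group}

# Constructed sample data, not taken from a real deployment.
SAMPLE_RULES = [
    rule("rule-a", 17070, 17070, "0.0.0.0/0"),    # the default the report describes
    rule("rule-b", 22, 22, "0.0.0.0/0"),          # different port, out of scope
    rule("rule-c", 17000, 18000, None),           # range covers 17070, no source = any
    rule("rule-d", 17070, 17070, "10.0.0.5/32"),  # controller only
    rule("rule-e", 17070, 17070, "10.0.0.0/16"),  # wider than the controllers
    rule("rule-f", 17070, 17070, None, group="sg-controllers"),  # group-scoped source
    rule("rule-g", 17070, 17070, "0.0.0.0/0", direction="egress"),
]

def covers_api_port(r):
    """True if the rule admits inbound TCP traffic to port 17070."""
    if r.get("direction") != "ingress" or r.get("protocol") not in (None, "tcp"):
        return False
    lo, hi = r.get("port_range_min"), r.get("port_range_max")
    return lo is None or lo <= JUJU_API_PORT <= (hi if hi is not None else lo)

def source_network(r):
    """Source network of the rule, or None when it is scoped to a remote group."""
    if r.get("remote_group_id"):
        return None
    prefix = r.get("remote_ip_prefix")
    if prefix is None:  # no prefix and no group means any source
        prefix = "::/0" if r.get("ethertype") == "IPv6" else "0.0.0.0/0"
    return ipaddress.ip_network(prefix, strict=False)

def audit(rules, controller_cidrs):
    """Return (rule id, source) for rules on 17070 broader than the controllers."""
    allowed = [ipaddress.ip_network(c) for c in controller_cidrs]
    findings = []
    for r in rules:
        net = source_network(r) if covers_api_port(r) else None
        if net is None:
            continue
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append((r["id"], str(net)))
    return findings

if __name__ == "__main__":
    for rid, src in audit(SAMPLE_RULES, ["10.0.0.5/32", "10.0.0.6/32"]):
        print(f"{rid}: port {JUJU_API_PORT} reachable from {src}")
```

Rules scoped to a remote security group are skipped because their membership cannot be judged from the rule alone; review those against the group's members separately.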