Restrict ingress port 17070 to the controllers

Bug #1842006 reported by Andrea Ieri
This bug affects 1 person
Affects          Status    Importance  Assigned to  Milestone
Canonical Juju   Triaged   Wishlist    Unassigned

Bug Description

The default security groups deployed by Juju allow ingress traffic on port 17070 from any source.
A customer of ours has recently raised the concern that this is too open, and I think this could be restricted to the set of controllers, at least for local deployments (I imagine it might get tricky for JAAS setups).

Andrea Ieri (aieri)
information type: Private Security → Public
Andrea Ieri (aieri)
information type: Public → Public Security
Richard Harding (rharding) wrote :

Thanks, this is a known issue in the Juju network/access model. We need the ability to specify networks that have access to the controller as well as being able to handle that on the application expose ability. This is something that's been discussed for the roadmap but has not yet been put on the roadmap.

One note is that we'd only do this where we have an underlying firewall API to work with, such as public clouds and OpenStack, but it wouldn't change in places like MAAS and LXD where there's not an underlying firewall API currently.

Changed in juju:
status: New → Triaged
importance: Undecided → Wishlist
John A Meinel (jameinel) wrote : Re: [Bug 1842006] [NEW] Restrict ingress port 17070 to the controllers

Note that the Juju client also talks on 17070. So while you could certainly
firewall it, you'd have to include places where you want to run 'juju
status'.

I think having both "expose Endpoint to Space/CIDR" and "model controller
as an app" would give us a good experience here.

John
=:->

On Fri, Aug 30, 2019, 03:25 Andrea Ieri <email address hidden> wrote:

> Public bug reported:
>
> The default security groups deployed by Juju allow ingress traffic on port
> 17070 from any source.
> A customer of ours has recently raised the concern that this is too open,
> and I think this could be restricted to the set of controllers, at least
> for local deployments (I imagine it might get tricky for JAAS setups).
>
> ** Affects: juju
> Importance: Undecided
> Status: New
>
> ** Information type changed from Private Security to Public
>
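
An added example, not part of the original thread and not Juju code: an audit over security-group rules that flags any source outside an allowlist reaching port 17070, where the allowlist covers both the controllers and the client networks that run `juju status`. The rule layout follows the EC2 `describe-security-groups` JSON shape as an assumption; the group IDs, CIDRs and function names are constructed for illustration.

```python
import ipaddress

API_PORT = 17070  # Juju API port named in this bug

def covers_port(perm, port=API_PORT):
    """True if the rule's protocol and port range admit TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rules carry no port range
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def sources(perm):
    """Yield every IPv4 and IPv6 source network of a rule."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"], strict=False)
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"], strict=False)

def too_open(groups, allowed_cidrs, port=API_PORT):
    """Return (group_id, source) pairs that reach `port` from outside the allowlist."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            for src in sources(perm):
                # subnet_of() raises on mixed IP versions, so compare versions first
                if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
                    findings.append((g["GroupId"], str(src)))
    return findings

# Constructed sample data: one wide-open group, one narrowed group with a stray /32
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-default", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 17070, "ToPort": 17070,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-restricted", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 17000, "ToPort": 17100,
         "IpRanges": [{"CidrIp": "192.0.2.16/28"}, {"CidrIp": "203.0.113.7/32"}]}]},
]
# Constructed allowlist: a controller subnet plus an operator network for Juju clients
ALLOWED = ["192.0.2.0/24", "198.51.100.0/24"]

if __name__ == "__main__":
    for gid, src in too_open(SAMPLE_GROUPS, ALLOWED):
        print(f"{gid}: port {API_PORT} reachable from {src}")
```

Rules whose source is another security group rather than a CIDR are not evaluated by this check.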

Canonical Juju QA Bot (juju-qa-bot) wrote :

This bug has not been updated in 2 years, so we're marking it Low importance. If you believe this is incorrect, please update the importance.

Changed in juju:
importance: Wishlist → Low
tags: added: expirebugs-bot
Haw Loeung (hloeung)
Changed in juju:
importance: Low → Wishlist
This report contains Public Security information  
Everyone can see this security related information.