juju 2.6.10
On customer cloud, juju was bootstrapped using PCE, and subsequent model was deployed.
Upon customer security scans, it was found that the security groups being created by juju was open to ALL ingress.
On canonistack I recreated this issue. Bootstrapped juju 2.6.10 into openstack, enabled HA, and on the controller model the following ingress rules are allowed.
---
created_at='2019-11-08T17:13:15Z', direction='ingress', ethertype='IPv6', id='271a56b2-5347-4f4f-b566-73e10423e999', port_range_max='65535', port_range_min='1', protocol='tcp', remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d', updated_at='2019-11-08T17:13:15Z'
created_at='2019-11-08T17:20:49Z', direction='ingress', ethertype='IPv4', id='2e5d5365-7faa-472a-b112-9dc4a1a51401', port_range_max='65535', port_range_min='1', protocol='udp', remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d', updated_at='2019-11-08T17:20:49Z'
created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4', id='6c0a9381-0f7d-48fd-84cf-3a7bf6d17808', port_range_max='65535', port_range_min='1', protocol='tcp', remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d', updated_at='2019-11-08T17:20:50Z
created_at='2019-11-08T17:13:14Z', direction='ingress', ethertype='IPv6', id='c091dcb6-01b6-4bb5-a949-3a6e48154be5', port_range_max='65535', port_range_min='1', protocol='udp', remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d', updated_at='2019-11-08T17:13:14Z
---
this is just for the controller model. Still deploying in Canonistack.
The individual controller nodes also have a security group, but it appears to only have egress rules.
The full list of security rules in the controller model is as follows:
---
created_at='2019-11-08T17:13:14Z', direction='ingress', ethertype='IPv6', id='1aed259b-82fc-4a29-8bc4-e51ef1d87fc6', port_range_max='17070', port_range_min='17070', protocol='tcp', remote_ip_prefix='::/0', updated_at='2019-11-08T17:13:14Z'
created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4', id='2608e1dc-2519-4841-8316-ea63f63866a7', protocol='icmp', remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d', updated_at='2019-11-08T17:20:50Z'
created_at='2019-11-08T17:13:15Z', direction='ingress', ethertype='IPv6', id='271a56b2-5347-4f4f-b566-73e10423e999', port_range_max='65535', port_range_min='1', protocol='tcp', remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d', updated_at='2019-11-08T17:13:15Z'
created_at='2019-11-08T17:20:49Z', direction='ingress', ethertype='IPv4', id='2e5d5365-7faa-472a-b112-9dc4a1a51401', port_range_max='65535', port_range_min='1', protocol='udp', remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d', updated_at='2019-11-08T17:20:49Z'
created_at='2019-11-08T17:13:13Z', direction='egress', ethertype='IPv6', id='30706ca0-4def-4fba-9b24-b0ca19336759', updated_at='2019-11-08T17:13:13Z'
created_at='2019-11-08T17:20:49Z', direction='ingress', ethertype='IPv4', id='3b65d404-b11f-4583-b741-5707fc7d6059', port_range_max='17070', port_range_min='17070', protocol='tcp', remote_ip_prefix='0.0.0.0/0', updated_at='2019-11-08T17:20:49Z'
created_at='2019-11-08T17:13:15Z', direction='ingress', ethertype='IPv6', id='4d622d41-d475-4a56-810b-9c3be35bb801', protocol='icmp', remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d', updated_at='2019-11-08T17:13:15Z'
created_at='2019-11-08T17:13:13Z', direction='egress', ethertype='IPv4', id='6a990ca8-e71d-4ff0-92d1-97102907356a', updated_at='2019-11-08T17:13:13Z'
created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4', id='6c0a9381-0f7d-48fd-84cf-3a7bf6d17808', port_range_max='65535', port_range_min='1', protocol='tcp', remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d', updated_at='2019-11-08T17:20:50Z'
created_at='2019-11-08T17:13:16Z', direction='ingress', ethertype='IPv6', id='aa8e23fc-5aef-4704-9ed2-d3112f6ca7f8', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix='::/0', updated_at='2019-11-08T17:13:16Z'
created_at='2019-11-08T17:13:14Z', direction='ingress', ethertype='IPv6', id='c091dcb6-01b6-4bb5-a949-3a6e48154be5', port_range_max='65535', port_range_min='1', protocol='udp', remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d', updated_at='2019-11-08T17:13:14Z'
created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4', id='eb3368d2-4dcf-4fad-b2c9-76640dd8ee4e', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix='0.0.0.0/0', updated_at='2019-11-08T17:20:50Z'
---
As can be seen above, ports 17070 and 22 are already allowed. I don't see the need for there to be a wide open ingress rule for the controller model.
I can also confirm that this same behavior happens on cluster (non controller) model security groups.
---
created_ at='2019- 11-08T17: 31:38Z' , direction= 'ingress' , ethertype='IPv4', id='1637538c- 32c8-45e9- afa0-47b576e6f0 c7', port_range_ max='65535' , port_range_min='1', protocol='udp', remote_ group_id= '41a101b5- be2a-4aee- 9202-ecea262f27 9b', updated_ at='2019- 11-08T17: 31:38Z' at='2019- 11-08T17: 31:39Z' , direction= 'ingress' , ethertype='IPv4', id='3fb36587- 68e7-440a- 87e5-6125083ea9 ab', port_range_ max='65535' , port_range_min='1', protocol='tcp', remote_ group_id= '41a101b5- be2a-4aee- 9202-ecea262f27 9b', updated_ at='2019- 11-08T17: 31:39Z' at='2019- 11-08T17: 24:51Z' , direction= 'ingress' , ethertype='IPv6', id='7e0f3f4e- 83b5-4aae- 9e80-1fb96b41b0 17', port_range_ max='65535' , port_range_min='1', protocol='udp', remote_ group_id= '41a101b5- be2a-4aee- 9202-ecea262f27 9b', updated_ at='2019- 11-08T17: 24:51Z' | at='2019- 11-08T17: 24:52Z' , direction= 'ingress' , ethertype='IPv6', id='8a0d9843- ff61-4617- bae3-0297b62361 12', port_range_ max='65535' , port_range_min='1', protocol='tcp', remote_ group_id= '41a101b5- be2a-4aee- 9202-ecea262f27 9b', updated_ at='2019- 11-08T17: 24:52Z'
created_
created_
created_
---
This is opening all ports to all machines inside the same security group. This is still a violation of the customer's security policies.