* listening services available on all addresses
Bug #1188067 reported by Robert Collins
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Invalid | Wishlist | James Polley | |
Bug Description
Because we can't [yet] depend on hardware SDN, we need to assume that all listening services will be accessible on all public ports, which some might consider a security risk :)
We can mitigate this with a host firewall that discriminates between the service network and deliberately public endpoints, or we could be super careful about defining listening service definitions.
It might be interesting to define ingress rules in Quantum and have a quantum agent that sets up host firewalls based on introspecting quantum security group data: then we could write to the quantum API across the board.
Changed in tripleo:
importance: High → Critical
assignee: Dima Shulyak (dshulyak) → James Polley (tchaypo)
This is exacerbated by us not having unique credentials for all layers in the stack.
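
An audit for the exposure in the bug description, as an added example that is not part of the original report or of tripleo: it parses `/proc/net/tcp`-style text and reports ports that listen on the wildcard address without being deliberately public. The function names, the sample rows and the public-port set are assumptions made for illustration, and a little-endian host is assumed.

```python
import ipaddress

TCP_LISTEN = "0A"  # socket state code the kernel uses for LISTEN

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed).
SAMPLE = """\
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0100007F:0CEA 00000000:0000 0A
   2: 00000000:1628 00000000:0000 0A
   3: 0500000A:1388 00000000:0000 0A
   4: 00000000:01BB 00000000:0000 0A
   5: 0500000A:0016 0200000A:C350 01
"""


def decode_addr(hex_addr):
    """Decode the kernel's hex address (IPv4 or IPv6) into an ip_address.

    Each 32-bit word is printed in host byte order; a little-endian host
    (x86, most ARM) is assumed here.
    """
    raw = bytes.fromhex(hex_addr)
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return ipaddress.ip_address(packed)


def listeners(proc_text):
    """Return (address, port) for every socket in LISTEN state."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        found.append((decode_addr(hex_addr), int(hex_port, 16)))
    return found


def unexpected_wildcards(proc_text, public_ports):
    """Ports bound to 0.0.0.0 or :: that are not deliberately public."""
    return sorted(port for addr, port in listeners(proc_text)
                  if addr.is_unspecified and port not in public_ports)


if __name__ == "__main__":
    # On a real host, read /proc/net/tcp and /proc/net/tcp6 instead.
    for port in unexpected_wildcards(SAMPLE, public_ports={443}):
        print(f"port {port} listens on all addresses")
```

Each reported port is a candidate for either a bind to the service network address or a host firewall rule.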