Restrict unit ssh access via security groups
Bug #1842008 reported by
Andrea Ieri
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Triaged | High | Unassigned |
Bug Description
The default security groups that Juju generates allow ssh access from any source.
If units are all deployed in a single space, this effectively exposes port 22 to whichever other instance has been deployed in the same network.
It would be beneficial to be able to limit the source to a configurable cidr range, perhaps as a model config option.
The objective of this bug report is similar to the one of LP:1321407, although that bug report is concerned with exposed ports, whereas this is about default security groups. I therefore think the two should be kept separate.
information type: Private Security → Public Security
Changed in juju: milestone: 2.7-beta1 → 2.7-rc1
Changed in juju: milestone: 2.7-rc1 → none
description: updated
We have the basis for this functionality in the agent already, but it's not (yet) used when creating security groups, ie it just needs to be wired up.
eg
$ juju set-firewall-rule ssh --whitelist 192.168.1.0/8,10.10.1.0/8
The other options are "juju-controller" and "juju-application-offer"
eg
juju set-firewall-rule juju-controller --whitelist 192.168.1.0/8
juju set-firewall-rule juju-application-offer --whitelist 192.168.1.0/8
The "juju-controller" rule is meant to limit client connections to the controller.
The "juju-application-offer" rule is the only one currently supported fully - it is used to limit cross model consumer connections to offered applications.
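Two checks an operator would want around the behaviour discussed in this report: first, that a `--whitelist` value handed to `set-firewall-rule` is made of well-formed, non-world-open prefixes, and second, that no provisioned security group still admits TCP/22 from any source. The following is an added example written for this page, not Juju's own code; the `ssh_open_to_world` input format (`group`, `proto`, `from_port`, `to_port`, `cidr` keys) and the group names are constructed placeholders standing in for whatever a cloud's rule export actually looks like, and the parsing is strict, so an entry whose host bits are set (such as `192.168.1.0/8`, which a lenient parser would widen to `192.0.0.0/8`) is flagged rather than silently broadened.

```python
import ipaddress

# Prefixes that admit any source; a whitelist containing one is no restriction at all.
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def parse_whitelist(raw):
    """Split a comma-separated --whitelist value into networks and problems.

    Returns (networks, problems). Parsing is strict: an entry with host bits
    set is reported instead of being rounded down to a wider prefix, and an
    any-source entry is reported because it defeats the purpose of the rule.
    """
    networks, problems = [], []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            net = ipaddress.ip_network(item, strict=True)
        except ValueError:
            problems.append(f"{item}: malformed or host bits set (not a network prefix)")
            continue
        if str(net) in ANY_SOURCE:
            problems.append(f"{item}: allows any source, equivalent to no whitelist")
            continue
        networks.append(net)
    return networks, problems


def ssh_open_to_world(rules):
    """Return the names of groups with an ingress rule admitting TCP/22 from any source.

    `rules` is a list of dicts in a constructed, cloud-neutral shape:
    {"group": str, "proto": str, "from_port": int, "to_port": int, "cidr": str}.
    """
    hits = []
    for rule in rules:
        if rule["proto"].lower() != "tcp":
            continue
        if not (rule["from_port"] <= 22 <= rule["to_port"]):
            continue
        # Lenient parsing here: we are classifying what the cloud already enforces.
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen == 0 and rule["group"] not in hits:
            hits.append(rule["group"])
    return hits


# Constructed sample export: one group still carries the default any-source SSH
# rule, one has already been narrowed, and one only opens an unrelated port.
SAMPLE_RULES = [
    {"group": "juju-model-default", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"group": "juju-model-default", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "::/0"},
    {"group": "juju-model-42", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.10.1.0/24"},
    {"group": "juju-model-42", "proto": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
    {"group": "juju-model-42", "proto": "udp", "from_port": 1, "to_port": 65535, "cidr": "0.0.0.0/0"},
]


if __name__ == "__main__":
    nets, problems = parse_whitelist("10.10.1.0/24, 192.168.1.0/8, 0.0.0.0/0")
    print("accepted:", [str(n) for n in nets])
    for p in problems:
        print("rejected:", p)
    print("groups with SSH open to any source:", ssh_open_to_world(SAMPLE_RULES))
```

Running the block prints `10.10.1.0/24` as the only accepted prefix, two rejections, and `juju-model-default` as the one group still exposing port 22 to any source; the UDP any-port rule is deliberately ignored because the concern here is SSH over TCP.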