Default Model SG Rules
Samuel Cozannet
samuel.cozannet at canonical.com
Fri Jan 27 17:45:13 UTC 2017
I am having similar questions / requests from other users, so +1 from me
(actually +3). Plus I like the sshallownes of ssh-allow.
Another request I have heard is get the ability to associate an IAM role
attached to the instances. Currently Juju doesn't attach any role to the
instances, which means it's never possible to add one once the instances
are up & running.
Having a simple role equivalent to admin (* on * essentially) would empower
users to modify that role at a later point in time.
For example, in the context of Kubernetes, this would allow instances to
create ELB endpoints.
Or, in other use cases, having access to an S3 bucket would help doing
backup without requiring credentials.
Both feature though work well in clouds and do not map very well to MAAS /
Manual provider, so there is a risk of creating discrepancies in
experience.
SSH access can eventually be managed also via a lambda or simple cron
reacting to new instances that have the juju tags, and mapping security
rules to that (so different models could have different rules)
This is not true of instance role though.
Thoughts on that one James?
++
Sam
--
Samuel Cozannet
Cloud, Big Data and IoT Strategy Team
Business Development - Cloud and ISV Ecosystem
Changing the Future of Cloud
Ubuntu <http://ubuntu.com> / Canonical UK LTD <http://canonical.com> / Juju
<https://jujucharms.com>
samuel.cozannet at canonical.com
mob: +33 616 702 389
skype: samnco
Twitter: @SaMnCo_23
[image: View Samuel Cozannet's profile on LinkedIn]
<https://es.linkedin.com/in/scozannet>
On Fri, Jan 27, 2017 at 6:33 PM, James Beedy <jamesbeedy at gmail.com> wrote:
> A default SG rule generated for every model allows 22 from 0.0.0.0/0, I'm
> guessing this is because we are trying to facilitate the use case for juju
> deployed on a public cloud, and instances being ssh accessed from the
> internet and not from behind VPN in the same address space.
>
> A functionality which would allow users who don't want ssh open to the
> world to close it, either completely, or limit to a private address space,
> would be very helpful (especially because Juju reverts any changes made to
> the SG, so I couldn't even lock down port 22 if I wanted to).
>
> Is it possible to introduce a model config param that we could use to tell
> juju where to allow ssh traffic from?
>
> Quick fix: Introduce an 'ssh-allow' param that could be used to open and
> close port 22 on the SG generated for the model?
>
> Better fix: Introduce a config param 'ssh-access', where default value is
> 0.0.0.0/0, which could then be modified to an address space that fits the
> users security needs.
>
> How do others feel about this?
>
> --
> Juju mailing list
> Juju at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/
> mailman/listinfo/juju
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/juju/attachments/20170127/6c7cf5fc/attachment.html>
More information about the Juju
mailing list