
Don't expose services via load balancers publicly by default. Take the chart more towards "secure-by-default" direction #444

Open
lhotari opened this issue Jan 25, 2024 · 1 comment

lhotari commented Jan 25, 2024

Is your feature request related to a problem? Please describe.

Don't expose services via load balancers publicly by default. Take the chart more towards "secure-by-default" direction

The current defaults for the Helm chart aren't "secure-by-default".
There's no authentication in the Helm chart by default and public load balancers are used by default in a deployment to Google Cloud GKE, Azure AKS or AWS EKS.

Describe the solution you'd like

No services should have type: LoadBalancer by default to mitigate the problem. No ingress should be enabled by default.

The current services that are type: LoadBalancer should be replaced by type: ClusterIP. A user that wants a load balancer can change the configuration.

Describe alternatives you've considered

By default, load balancers should have annotations that make them internal on GKE, AKS and EKS so that the risk of a lazy user exposing a cluster publicly could be reduced.

  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    networking.gke.io/load-balancer-type: "Internal"

Additional context

In addition, the README should have a disclaimer that exposing Pulsar on the public internet is not recommended at all.

@lhotari lhotari changed the title Take the chart more towards "secure-by-default" direction Don't expose services via load balancers publicly by default. Take the chart more towards "secure-by-default" direction Jan 25, 2024
lhotari commented Feb 29, 2024

The Pulsar Proxy documentation contains a disclaimer regarding security:
https://pulsar.apache.org/docs/3.1.x/administration-proxy/

The Pulsar proxy is not intended to be exposed on the public internet. The security considerations in the current design
expect network perimeter security. The requirement of network perimeter security can be achieved with private networks.

As noted in the Pulsar Proxy docs, the current design expects network perimeter security.
If someone ignores this advice, the minimal approach would be to use loadBalancerSourceRanges to limit access to a specific IP or IP range. That is not optimal, but possibly acceptable in some use cases. The user of the Apache Pulsar Helm chart is always fully responsible for how they configure their solution. The Helm chart is not secure-by-default, and it results in an unsafe deployment by default.
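The following is an added example for both the issue text (LoadBalancer vs. ClusterIP defaults and the three internal-load-balancer annotations) and the comment above (loadBalancerSourceRanges as a minimal mitigation); it is not code from the Pulsar Helm chart or from the issue author. It consumes the JSON that `kubectl get svc -A -o json` prints and classifies each Service as ClusterIP-only, internal load balancer, source-range-restricted load balancer, or publicly reachable load balancer. The Service names, namespaces and addresses in the embedded sample are constructed for illustration and are not the chart's real Service names; the annotation map is limited to the three annotations the issue lists.

```python
"""Audit Kubernetes Service objects for public load-balancer exposure.

Added example for this issue thread, not code from the Pulsar Helm chart.
Reads the JSON shape of `kubectl get svc -A -o json` and classifies each
Service the way the issue discusses it.
"""
import ipaddress
import json
import sys

# The internal-load-balancer annotations listed in the issue. Other cloud
# controllers use their own annotations; extend this map for your provider
# (assumption: only these three are checked here).
INTERNAL_ANNOTATIONS = {
    "service.beta.kubernetes.io/aws-load-balancer-internal": "true",
    "service.beta.kubernetes.io/azure-load-balancer-internal": "true",
    "networking.gke.io/load-balancer-type": "Internal",
}


def is_internal(service):
    """True if any known internal-LB annotation is present with its 'internal' value."""
    annotations = service.get("metadata", {}).get("annotations") or {}
    return any(
        str(annotations.get(key, "")).lower() == value.lower()
        for key, value in INTERNAL_ANNOTATIONS.items()
    )


def is_restrictive(ranges):
    """True if loadBalancerSourceRanges is non-empty and has no catch-all prefix.

    0.0.0.0/0 or ::/0 is syntactically a source range but admits every address,
    so a Service carrying one of those is still publicly reachable.
    """
    if not ranges:
        return False
    for cidr in ranges:
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            return False
    return True


def classify(service):
    """Return 'no-lb', 'internal-lb', 'restricted-lb' or 'public-lb' for one Service."""
    spec = service.get("spec", {})
    if spec.get("type", "ClusterIP") != "LoadBalancer":
        return "no-lb"  # ClusterIP and friends: the cloud provisions no load balancer
    if is_internal(service):
        return "internal-lb"
    if is_restrictive(spec.get("loadBalancerSourceRanges") or []):
        return "restricted-lb"
    return "public-lb"


def audit(service_list_json):
    """Map 'namespace/name' -> verdict for every Service in a kubectl JSON list."""
    items = json.loads(service_list_json)["items"]
    return {
        f"{svc['metadata'].get('namespace', 'default')}/{svc['metadata']['name']}": classify(svc)
        for svc in items
    }


def public_services(service_list_json):
    """Sorted names of Services that a cloud load balancer exposes to the internet."""
    return sorted(n for n, v in audit(service_list_json).items() if v == "public-lb")


# Constructed sample in the shape of `kubectl get svc -n pulsar -o json`.
# Names and the 203.0.113.0/24 documentation range are illustrative only.
SAMPLE_SERVICE_LIST = json.dumps({"kind": "List", "items": [
    {"metadata": {"namespace": "pulsar", "name": "proxy"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 6650}]}},
    {"metadata": {"namespace": "pulsar", "name": "broker"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 6650}]}},
    {"metadata": {"namespace": "pulsar", "name": "proxy-internal",
                  "annotations": {"service.beta.kubernetes.io/aws-load-balancer-internal": "true"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 6650}]}},
    {"metadata": {"namespace": "pulsar", "name": "admin"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 8080}],
              "loadBalancerSourceRanges": ["203.0.113.0/24"]}},
    {"metadata": {"namespace": "pulsar", "name": "websocket"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 8000}],
              "loadBalancerSourceRanges": ["0.0.0.0/0"]}},
]})

if __name__ == "__main__":
    # Pipe real cluster output in (`kubectl get svc -A -o json | python3 audit_svc.py`)
    # or run with no stdin to audit the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SERVICE_LIST
    for name, verdict in audit(data).items():
        print(f"{name:28} {verdict}")
    sys.exit(1 if public_services(data) else 0)
```

The non-zero exit code when any Service lands in `public-lb` makes the script usable as a gate in a deployment pipeline, so a chart whose defaults create a public load balancer is caught before the cloud provisions one. Note that the script deliberately treats a `0.0.0.0/0` source range as public: it is the one shape of loadBalancerSourceRanges that looks like a restriction but is not.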
