Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update rancher-security-best-practices to address public IP exposure #1283

Open
martyav opened this issue May 13, 2024 · 0 comments · May be fixed by #1287
Open

Update rancher-security-best-practices to address public IP exposure #1283

martyav opened this issue May 13, 2024 · 0 comments · May be fixed by #1287
Assignees
@martyav

Comments

@martyav
Copy link
Contributor

martyav commented May 13, 2024

Related Issues

Summary

This is an internal request to update the Security Best Practices to point out a potential vulnerability in how IP addresses are exposed, and how to make exposure safer.

  • K3S: Leaks all nodes public IPs within the TLS certificate SANs used for port 6443.

  • RKE2: Leaks primary node public IP within the TLS certificate SANs used for port 6443. Leaks all nodes public IPs within the TLS certificate SANs used for port 9345 (supervisor).

If the supervisor and/or apiserver must be exposed, put them behind an external load-balancer with SSL offload enabled. Use of an external load-balancer is already documented as a requirement for provisioned k3s/rke2 clusters when using Authorized Cluster Endpoint.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@martyav martyav

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

#1283 update Rancher security best practices to address public IP exposure martyav/rancher-docs
1 participant
@martyav