Restrict authoritative queries to internal networks (#227)
Mirrors the puppet authoritative `master-zones` view (match-clients `acl-main.unkin.net`, recursion no) — restricting who can query bind-authoritative.
## Changes
- add `auth-acl-main` BindACL with the puppet authoritative acl-main.unkin.net networks (13-17,19,20,24-29)
- `allow-query { auth-acl-main; 10.42.0.0/16; }` on bind-authoritative via extraOptions
## Notes
- Implemented as a global `allow-query` rather than a BindView: dynamic *primary* zones inside a view would need per-view `allow-new-zones` (an operator gap). Functionally equivalent for the single master-zones view.
- `10.42.0.0/16` (pod network) is included so secondaries can SOA-refresh from the primary during catalog replication — without it, replication breaks.
- Works on the current operator (no HOLD).
## Caveat
The DNS Services use externalTrafficPolicy: Cluster, which SNATs external clients to node IPs (198.18.19.x, already in acl-main), so this ACL doesn't truly restrict *external* clients yet. True source-IP restriction needs externalTrafficPolicy: Local — happy to switch if wanted.
Reviewed-on: #227
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
This commit was merged in pull request #227.
This commit is contained in:
@@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
# Internal client networks allowed to query the authoritative servers,
|
||||||
|
# mirrored from the puppet authoritative /etc/named/acls.conf
|
||||||
|
# (acl-main.unkin.net). Named auth-acl-main because the resolver has its own,
|
||||||
|
# differently-scoped acl-main.unkin.net in the same namespace.
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindACL
|
||||||
|
metadata:
|
||||||
|
name: auth-acl-main
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
entries:
|
||||||
|
- 198.18.13.0/24
|
||||||
|
- 198.18.14.0/24
|
||||||
|
- 198.18.15.0/24
|
||||||
|
- 198.18.16.0/24
|
||||||
|
- 198.18.17.0/24
|
||||||
|
- 198.18.19.0/24
|
||||||
|
- 198.18.20.0/24
|
||||||
|
- 198.18.24.0/24
|
||||||
|
- 198.18.25.0/24
|
||||||
|
- 198.18.26.0/24
|
||||||
|
- 198.18.27.0/24
|
||||||
|
- 198.18.28.0/24
|
||||||
|
- 198.18.29.0/24
|
||||||
@@ -11,6 +11,11 @@ spec:
|
|||||||
replicas: 3
|
replicas: 3
|
||||||
storageClassName: cephrbd-fast-delete
|
storageClassName: cephrbd-fast-delete
|
||||||
storageSize: 2Gi
|
storageSize: 2Gi
|
||||||
|
# Restrict queries to internal networks (puppet acl-main.unkin.net).
|
||||||
|
# 10.42.0.0/16 (pod net) is required so secondaries can SOA-refresh
|
||||||
|
# from the primary during catalog replication.
|
||||||
|
extraOptions:
|
||||||
|
- "allow-query { auth-acl-main; 10.42.0.0/16; }"
|
||||||
service:
|
service:
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
annotations:
|
annotations:
|
||||||
|
|||||||
@@ -6,3 +6,4 @@ resources:
|
|||||||
- cluster.yaml
|
- cluster.yaml
|
||||||
- tsigkey.yaml
|
- tsigkey.yaml
|
||||||
- zones.yaml
|
- zones.yaml
|
||||||
|
- acls.yaml
|
||||||
|
|||||||
Reference in New Issue
Block a user