From 8f164873e0e744d719bf130243330f15c8e78dd1 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 16 Jul 2026 22:56:22 +1000 Subject: [PATCH] bind-internal: allow admin workstation + router to query authoritative (#258) ## Why Allow the operator's workstation and router to query the bind-authoritative servers directly. Their source addresses are outside the existing `auth-acl-main` client subnets, so named returns REFUSED to them today. The router sits on 198.18.21.0/24 which is not in the ACL at all. ## Changes - Add `10.10.12.200/32` (workstation, over wireguard) to `auth-acl-main` - Add `198.18.21.160/32` (router) to `auth-acl-main` ## Note This grants query permission only. Reaching the LoadBalancer VIP (198.18.200.6) from off-datacenter paths is separately gated by `externalTrafficPolicy: Local`; the workstation-over-wireguard path still needs its L4 routing addressed to actually land on a node with a ready endpoint. Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/258 Co-authored-by: Ben Vincent Co-committed-by: Ben Vincent --- apps/base/bind-internal/authoritative/acls.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apps/base/bind-internal/authoritative/acls.yaml b/apps/base/bind-internal/authoritative/acls.yaml index d042b2a..009884f 100644 --- a/apps/base/bind-internal/authoritative/acls.yaml +++ b/apps/base/bind-internal/authoritative/acls.yaml @@ -24,3 +24,6 @@ spec: - 198.18.27.0/24 - 198.18.28.0/24 - 198.18.29.0/24 + # Admin/management access (individual hosts, not whole subnets) + - 10.10.12.200/32 # benvin workstation (wireguard) + - 198.18.21.160/32 # benvin router