Restrict authoritative queries to internal networks
Mirrors the puppet authoritative master-zones view (match-clients
acl-main.unkin.net) using a global allow-query instead of a view, since
dynamic primary zones in a view would need per-view allow-new-zones.
- add auth-acl-main BindACL (the puppet acl-main.unkin.net networks)
- allow-query { auth-acl-main; 10.42.0.0/16; } on bind-authoritative
(pod net included so secondaries can SOA-refresh from the primary)
This commit is contained in:
@@ -0,0 +1,26 @@
|
||||
---
|
||||
# Internal client networks allowed to query the authoritative servers,
|
||||
# mirrored from the puppet authoritative /etc/named/acls.conf
|
||||
# (acl-main.unkin.net). Named auth-acl-main because the resolver has its own,
|
||||
# differently-scoped acl-main.unkin.net in the same namespace.
|
||||
apiVersion: bind.unkin.net/v1alpha1
|
||||
kind: BindACL
|
||||
metadata:
|
||||
name: auth-acl-main
|
||||
namespace: bind-internal
|
||||
spec:
|
||||
clusterRef: bind-authoritative
|
||||
entries:
|
||||
- 198.18.13.0/24
|
||||
- 198.18.14.0/24
|
||||
- 198.18.15.0/24
|
||||
- 198.18.16.0/24
|
||||
- 198.18.17.0/24
|
||||
- 198.18.19.0/24
|
||||
- 198.18.20.0/24
|
||||
- 198.18.24.0/24
|
||||
- 198.18.25.0/24
|
||||
- 198.18.26.0/24
|
||||
- 198.18.27.0/24
|
||||
- 198.18.28.0/24
|
||||
- 198.18.29.0/24
|
||||
@@ -11,6 +11,11 @@ spec:
|
||||
replicas: 3
|
||||
storageClassName: cephrbd-fast-delete
|
||||
storageSize: 2Gi
|
||||
# Restrict queries to internal networks (puppet acl-main.unkin.net).
|
||||
# 10.42.0.0/16 (pod net) is required so secondaries can SOA-refresh
|
||||
# from the primary during catalog replication.
|
||||
extraOptions:
|
||||
- "allow-query { auth-acl-main; 10.42.0.0/16; }"
|
||||
service:
|
||||
type: LoadBalancer
|
||||
annotations:
|
||||
|
||||
@@ -6,3 +6,4 @@ resources:
|
||||
- cluster.yaml
|
||||
- tsigkey.yaml
|
||||
- zones.yaml
|
||||
- acls.yaml
|
||||
|
||||
Reference in New Issue
Block a user