bind-internal: allow admin workstation + router to query authoritative #258

Merged
benvin merged 1 commits from benvin/bind-acl-admin-access into main 2026-07-16 22:56:22 +10:00
Owner

Why

Allow the operator's workstation and router to query the bind-authoritative servers directly. Their source addresses are outside the existing auth-acl-main client subnets, so named returns REFUSED to them today. The router sits on 198.18.21.0/24 which is not in the ACL at all.

Changes

  • Add 10.10.12.200/32 (workstation, over wireguard) to auth-acl-main
  • Add 198.18.21.160/32 (router) to auth-acl-main

Note

This grants query permission only. Reaching the LoadBalancer VIP (198.18.200.6) from off-datacenter paths is separately gated by externalTrafficPolicy: Local; the workstation-over-wireguard path still needs its L4 routing addressed to actually land on a node with a ready endpoint.

## Why Allow the operator's workstation and router to query the bind-authoritative servers directly. Their source addresses are outside the existing `auth-acl-main` client subnets, so named returns REFUSED to them today. The router sits on 198.18.21.0/24 which is not in the ACL at all. ## Changes - Add `10.10.12.200/32` (workstation, over wireguard) to `auth-acl-main` - Add `198.18.21.160/32` (router) to `auth-acl-main` ## Note This grants query permission only. Reaching the LoadBalancer VIP (198.18.200.6) from off-datacenter paths is separately gated by `externalTrafficPolicy: Local`; the workstation-over-wireguard path still needs its L4 routing addressed to actually land on a node with a ready endpoint.
unkinben added 1 commit 2026-07-16 22:51:23 +10:00
bind-internal: allow admin workstation + router to query authoritative
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
3a840b2d04
Adds two /32 host entries to auth-acl-main so the operator's workstation
(10.10.12.200, over wireguard) and router (198.18.21.160) can query the
bind-authoritative servers. The router's /24 (198.18.21.0/24) is not in the
ACL, so an explicit host entry is required.
benvin merged commit 8f164873e0 into main 2026-07-16 22:56:22 +10:00
benvin deleted branch benvin/bind-acl-admin-access 2026-07-16 22:56:22 +10:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unkin/argocd-apps#258