8f164873e0
## Why Allow the operator's workstation and router to query the bind-authoritative servers directly. Their source addresses are outside the existing `auth-acl-main` client subnets, so named returns REFUSED to them today. The router sits on 198.18.21.0/24 which is not in the ACL at all. ## Changes - Add `10.10.12.200/32` (workstation, over wireguard) to `auth-acl-main` - Add `198.18.21.160/32` (router) to `auth-acl-main` ## Note This grants query permission only. Reaching the LoadBalancer VIP (198.18.200.6) from off-datacenter paths is separately gated by `externalTrafficPolicy: Local`; the workstation-over-wireguard path still needs its L4 routing addressed to actually land on a node with a ready endpoint. Reviewed-on: #258 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
30 lines
875 B
YAML
30 lines
875 B
YAML
---
|
|
# Internal client networks allowed to query the authoritative servers,
|
|
# mirrored from the puppet authoritative /etc/named/acls.conf
|
|
# (acl-main.unkin.net). Named auth-acl-main because the resolver has its own,
|
|
# differently-scoped acl-main.unkin.net in the same namespace.
|
|
apiVersion: bind.unkin.net/v1alpha1
|
|
kind: BindACL
|
|
metadata:
|
|
name: auth-acl-main
|
|
namespace: bind-internal
|
|
spec:
|
|
clusterRef: bind-authoritative
|
|
entries:
|
|
- 198.18.13.0/24
|
|
- 198.18.14.0/24
|
|
- 198.18.15.0/24
|
|
- 198.18.16.0/24
|
|
- 198.18.17.0/24
|
|
- 198.18.19.0/24
|
|
- 198.18.20.0/24
|
|
- 198.18.24.0/24
|
|
- 198.18.25.0/24
|
|
- 198.18.26.0/24
|
|
- 198.18.27.0/24
|
|
- 198.18.28.0/24
|
|
- 198.18.29.0/24
|
|
# Admin/management access (individual hosts, not whole subnets)
|
|
- 10.10.12.200/32 # benvin workstation (wireguard)
|
|
- 198.18.21.160/32 # benvin router
|