diff --git a/CHANGELOG-nightly.md b/CHANGELOG-nightly.md index 665d430..d78f0e7 100644 --- a/CHANGELOG-nightly.md +++ b/CHANGELOG-nightly.md @@ -2,6 +2,7 @@ Note: Breaking changes between versions are indicated by "💥". +- [Security] On Kubernetes, convert all NodePort services to ClusterIP to guarantee network isolation from outside the cluster. - 💥[Improvement] Drop Python 3.5 compatibility. - [Bugfix] Fix docker-compose project name in development on nightly branch. - 💥[Bugfix] No longer track the Tutor version number in resource labels (and label selectors, which breaks the update of Deployment resources), but instead do so in resource annotations. diff --git a/tutor/templates/k8s/services.yml b/tutor/templates/k8s/services.yml index b768098..2e00b9b 100644 --- a/tutor/templates/k8s/services.yml +++ b/tutor/templates/k8s/services.yml @@ -21,7 +21,7 @@ kind: Service metadata: name: cms spec: - type: NodePort + type: ClusterIP ports: - port: 8000 protocol: TCP @@ -35,7 +35,7 @@ kind: Service metadata: name: lms spec: - type: NodePort + type: ClusterIP ports: - port: 8000 protocol: TCP @@ -49,7 +49,7 @@ kind: Service metadata: name: elasticsearch spec: - type: NodePort + type: ClusterIP ports: - port: 9200 protocol: TCP @@ -63,7 +63,7 @@ kind: Service metadata: name: mongodb spec: - type: NodePort + type: ClusterIP ports: - port: 27017 protocol: TCP @@ -77,7 +77,7 @@ kind: Service metadata: name: mysql spec: - type: NodePort + type: ClusterIP ports: - port: 3306 protocol: TCP @@ -91,7 +91,7 @@ kind: Service metadata: name: redis spec: - type: NodePort + type: ClusterIP ports: - port: {{ REDIS_PORT }} protocol: TCP @@ -105,7 +105,7 @@ kind: Service metadata: name: smtp spec: - type: NodePort + type: ClusterIP ports: - port: 8025 protocol: TCP