mirror of
https://github.com/ChristianLight/tutor.git
synced 2024-12-13 14:43:03 +00:00
security: convert NodePort to ClusterIP for better isolation
On some providers (notably: DigitalOcean) NodePort services are not exposed to the outside world. But this is not what the Kubernetes spec describes: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types Thus, there is a risk that NodePort services are exposed to the outside world in some context. To avoid this, we convert all NodePort to ClusterIP resources.
parent
db818ab4a1
commit
7c1e85ef4b
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
Note: Breaking changes between versions are indicated by "💥".
|
Note: Breaking changes between versions are indicated by "💥".
|
||||||
|
|
||||||
|
- [Security] On Kubernetes, convert all NodePort services to ClusterIP to guarantee network isolation from outside the cluster.
|
||||||
- 💥[Improvement] Drop Python 3.5 compatibility.
|
- 💥[Improvement] Drop Python 3.5 compatibility.
|
||||||
- [Bugfix] Fix docker-compose project name in development on nightly branch.
|
- [Bugfix] Fix docker-compose project name in development on nightly branch.
|
||||||
- 💥[Bugfix] No longer track the Tutor version number in resource labels (and label selectors, which breaks the update of Deployment resources), but instead do so in resource annotations.
|
- 💥[Bugfix] No longer track the Tutor version number in resource labels (and label selectors, which breaks the update of Deployment resources), but instead do so in resource annotations.
|
||||||
|
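Review bot: The added [Security] changelog line carries no 💥 marker, although the note at the top of this hunk says breaking changes are flagged that way. Anyone who reached cms, lms or one of the data stores through a node port loses that path on upgrade, so I would mark the entry as breaking and name the services affected.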
@ -21,7 +21,7 @@ kind: Service
|
|||||||
metadata:
|
metadata:
|
||||||
name: cms
|
name: cms
|
||||||
spec:
|
spec:
|
||||||
type: NodePort
|
type: ClusterIP
|
||||||
ports:
|
ports:
|
||||||
- port: 8000
|
- port: 8000
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
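Review bot: At `type: ClusterIP` for cms, there is no upgrade note for clusters that already run this Service as `type: NodePort` with a node port allocated. Please confirm that re-applying the manifest changes the type in place on the Kubernetes versions Tutor supports, and if it does not, document that the old Service has to be deleted first. The same question applies to the six Services changed below.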
@ -35,7 +35,7 @@ kind: Service
|
|||||||
metadata:
|
metadata:
|
||||||
name: lms
|
name: lms
|
||||||
spec:
|
spec:
|
||||||
type: NodePort
|
type: ClusterIP
|
||||||
ports:
|
ports:
|
||||||
- port: 8000
|
- port: 8000
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
@ -49,7 +49,7 @@ kind: Service
|
|||||||
metadata:
|
metadata:
|
||||||
name: elasticsearch
|
name: elasticsearch
|
||||||
spec:
|
spec:
|
||||||
type: NodePort
|
type: ClusterIP
|
||||||
ports:
|
ports:
|
||||||
- port: 9200
|
- port: 9200
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
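Review bot: For elasticsearch on port 9200, `type: ClusterIP` closes the node-port path but leaves the Service reachable from every pod in the cluster, and the same holds for the mongodb, mysql and redis hunks that follow. The commit message scopes the claim to isolation from outside the cluster, which matches what the change does; if isolation between workloads inside the cluster is also wanted, a NetworkPolicy limiting these ports to the pods that need them would be the follow-up.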
@ -63,7 +63,7 @@ kind: Service
|
|||||||
metadata:
|
metadata:
|
||||||
name: mongodb
|
name: mongodb
|
||||||
spec:
|
spec:
|
||||||
type: NodePort
|
type: ClusterIP
|
||||||
ports:
|
ports:
|
||||||
- port: 27017
|
- port: 27017
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
@ -77,7 +77,7 @@ kind: Service
|
|||||||
metadata:
|
metadata:
|
||||||
name: mysql
|
name: mysql
|
||||||
spec:
|
spec:
|
||||||
type: NodePort
|
type: ClusterIP
|
||||||
ports:
|
ports:
|
||||||
- port: 3306
|
- port: 3306
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
@ -91,7 +91,7 @@ kind: Service
|
|||||||
metadata:
|
metadata:
|
||||||
name: redis
|
name: redis
|
||||||
spec:
|
spec:
|
||||||
type: NodePort
|
type: ClusterIP
|
||||||
ports:
|
ports:
|
||||||
- port: {{ REDIS_PORT }}
|
- port: {{ REDIS_PORT }}
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
@ -105,7 +105,7 @@ kind: Service
|
|||||||
metadata:
|
metadata:
|
||||||
name: smtp
|
name: smtp
|
||||||
spec:
|
spec:
|
||||||
type: NodePort
|
type: ClusterIP
|
||||||
ports:
|
ports:
|
||||||
- port: 8025
|
- port: 8025
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
|
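Review bot: Missing regression guard: after this last hunk (smtp, port 8025) all seven Services are ClusterIP, but nothing in the patch stops a later template from declaring `type: NodePort` again. A small test over the rendered manifests that fails on any Service with `type: NodePort` would keep the guarantee stated in the changelog entry.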