You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@flink.apache.org by "LI Zhennan (Jira)" <ji...@apache.org> on 2021/10/11 14:18:00 UTC
[jira] [Comment Edited] (FLINK-24503) Security: native kubernetes
exposes REST service via LoadBalancer in default
[ https://issues.apache.org/jira/browse/FLINK-24503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17427153#comment-17427153 ]
LI Zhennan edited comment on FLINK-24503 at 10/11/21, 2:17 PM:
---------------------------------------------------------------
Hi [~xtsong],
I am sorry to say I failed to agree with you.
In my mind, good out-of-box experience should provide sane default choice, maxmize functionality while minimizing surprise. Exposing an admin web service without access control to wild Internet does surprise me. Default config brings a security loophole while provides little functionality - if one fails or forgets to set it to `ClusterIP`, the web service always exposes to the world. For people who wants to access web UI, I don't think LoadBalancer helps, especially for production enviroment.
Changing default config has limited impact on backward compatibility, but improves security very much. I suggest state it clearly in changelog.
For perple trying out Flink on k8s, let's consider update the documentation, which is already fairly detailed on this topic: https://ci.apache.org/projects/flink/flink-docs-release-1.14/docs/deployment/resource-providers/native_kubernetes/#accessing-flinks-web-ui
Thanks for your timely reply.
I hope my suggestion helps.
Best regards.
was (Author: nanmu42):
Hi [~xtsong],
I am sorry to say I failed to agree with you.
In my mind, good out-of-box experience should provide sane default choice, maxmize functionality while minimizing surprise. Exposing an admin web service without access control to wild Internet does surprise me. Default config brings a security loophole while provides little functionality - if one fail/forget to set it to `ClusterIP`, the web service always exposes to the world. For people who wants to access web UI, I don't think LoadBalancer helps, especially for production enviroment.
Changing default config has limited impact on backward compatibility, but improves security very much. I suggest state it clearly in changelog.
For perple trying out Flink on k8s, let's consider update the documentation, which is already fairly detailed on this topic: https://ci.apache.org/projects/flink/flink-docs-release-1.14/docs/deployment/resource-providers/native_kubernetes/#accessing-flinks-web-ui
Thanks for your timely reply.
I hope my suggestion helps.
Best regards.
> Security: native kubernetes exposes REST service via LoadBalancer in default
> ----------------------------------------------------------------------------
>
> Key: FLINK-24503
> URL: https://issues.apache.org/jira/browse/FLINK-24503
> Project: Flink
> Issue Type: Improvement
> Components: Deployment / Kubernetes
> Affects Versions: 1.13.0, 1.14.0, 1.13.1, 1.13.2
> Environment: Flink 1.13.2, native kubernetes
> Reporter: LI Zhennan
> Priority: Major
> Labels: security
>
> Hi,
>
> Flink native k8s deployment exposes REST service via LoadBalancer in default: https://nightlies.apache.org/flink/flink-docs-release-1.14/docs/deployment/config/#kubernetes-rest-service-exposed-type
> I propose to consider it a security issue.
> It is very likely for users to unconciously expose their Flink REST service to the wild Internet, given they are deploying on a k8s cluster provided by cloud service like AWS or Google Cloud.
> Given access, anyone can browse and cancel Flink job on REST service.
> Personally I noticed this issue after my staging deployment went online for 2 days.
> Here, I propose to alter the default value to `ClusterIP`, so that:
> # the REST service is not exposed to Internet accidentally;
> # the developer can use `kubectl port-forward` to access the service in default;
> # the developer can still expose REST service via LoadBalancer by expressing it explicitly in `flink run-application` params.
> If it is okay, I would like to contribute the fix.
>
> Thank you.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)