Insecure default load balancer

[abh]

I was surprised to find that a minimal ClickHouseInstallation setup an external LoadBalancer service to a cluster with no authentication (or TLS).

I see in a previous closed issue that this is "as expected". I have a hard time reconciling this with Altinity being the "enterprise Clickhouse".

(related to #817, #455)

[alex-zaitsev]

Hi Ask,

Glad to know you are looking into our operator! This is an open source project that allows maximum flexibility. The production configuration pretty much depends on the target Kubernetes environment.

The default configuration is secured by hostRegexp rules -- default ClickHouse user can only be used between the cluster nodes. For other ClickHouse users network mask should be explicitly defined, otherwise hostRegexp rules are applied as well.

We could also make LoadBalancer secure by default, but it would be very hard for newcomers, and simple installations would not work at all. In particular, it would require:

• Configure ClickHouse properly, that includes providing certificates, keys etc. to ClickHouse server.
• Provide the proper annotations to service template that are provider specific (different for AWS and Google for example).

Also, sometimes users may want to terminate SSL on the cloud load balancer itself.

But your question motivates me to write an article on how to run ClickHouse in Kubernetes securely.

Cheers, Alexander

[gauravphoenix]

At the very least, please do document with a prominent warning that the installation uses a default hardcoded password and it must be changed.

Ideally, the installation should randomly generate a password and use it in k8s secret and the documentation can just point to how to retrieve the password using kubectl get secrets... command

too many compromises on Elasticsearch, Hadoop, Redis have happened due to insecure defaults.

[BartekH]

@alex-zaitsev Just out of curiosity, have you managed to create such article or is it still on your TODO list? :)

[alex-zaitsev]

@BartekH , not yet. We are working on some operator features to improve default security, and that would be a good opportunity to describe best practices.

[BartekH]

@alex-zaitsev Can you provide me any link, so I can track it?

[cortopy]

I'm also not keep on having a LoadBalancer service created by default. How can it be removed from templates? Even after setting serviceTemplates in ClickHouseInstallation the LoadBalancer service is still created

[Slach]

@cortopy after setup chi.spec.templates.serviceTemplates[] you also need reference to this template name in chi.spec.defaults.templates.serviceTemplate

[cortopy]

that worked! thank you so much @Slach