Open lhotari opened 8 months ago
The Pulsar Proxy documentation contains a disclaimer regarding security: https://pulsar.apache.org/docs/3.1.x/administration-proxy/
> The Pulsar proxy is not intended to be exposed on the public internet. The security considerations in the current design expect network perimeter security. The requirement of network perimeter security can be achieved with private networks.
As noted in the Pulsar Proxy docs, the current design expects network perimeter security.
If someone ignores this advice, the minimal approach would be to use `loadBalancerSourceRanges` to limit access to a specific IP or IP range. That is not optimal, but possibly acceptable in some use cases. The user of the Apache Pulsar Helm chart is always fully responsible for how they configure their solution. That Helm chart is not secure-by-default and it results in an unsafe deployment by default.
Is your feature request related to a problem? Please describe.
Don't expose services via load balancers publicly by default. Take the chart more towards "secure-by-default" direction
The current defaults for the Helm chart aren't "secure-by-default". There's no authentication in the Helm chart by default and public load balancers are used by default in a deployment to Google Cloud GKE, Azure AKS or AWS EKS.
Describe the solution you'd like
No services should have `type: LoadBalancer` by default to mitigate the problem. No ingress should be enabled by default. The current services that are `type: LoadBalancer` should be replaced by `type: ClusterIP`. A user that wants a load balancer can change the configuration.
Describe alternatives you've considered
By default, load balancers should have annotations that make them internal on GKE, AKS and EKS so that the risk of a lazy user exposing a cluster publicly could be reduced.
Additional context
In addition, the README should have a disclaimer that exposing Pulsar on the public internet is not recommended at all.
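The three configurations discussed in this issue side by side, as an added values-file example (not the chart's own `values.yaml` and not code from the issue author). The `proxy.service.type`, `proxy.service.annotations` and `proxy.service.loadBalancerSourceRanges` keys are assumed to follow the chart's layout; check the chart version you deploy before copying. The CIDRs are constructed sample ranges, and the fragments are separated by `---` only for illustration (a real values file would contain just one of them).

```yaml
# Added example, not the chart's own values.yaml. Key names under proxy.service
# are an assumption about the chart's layout; verify against your chart version.

# 1) Weak: the default the issue describes. A public cloud load balancer
#    fronts the proxy, and no authentication is enabled by default.
proxy:
  service:
    type: LoadBalancer

---
# 2) Proposed default: the proxy is reachable only from inside the cluster.
#    Anyone who wants external exposure has to opt in deliberately.
proxy:
  service:
    type: ClusterIP

---
# 3) Fallback if a LoadBalancer is still wanted: keep it off the public
#    internet with the cloud provider's "internal" annotation (set only the
#    one for your provider), and restrict source ranges as the minimal
#    mitigation the issue mentions.
proxy:
  service:
    type: LoadBalancer
    annotations:
      # GKE
      networking.gke.io/load-balancer-type: "Internal"
      # AKS
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      # EKS (AWS Load Balancer Controller)
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    # Only these CIDRs may reach the listener (constructed sample ranges).
    loadBalancerSourceRanges:
      - 10.0.0.0/8
      - 192.168.10.0/24
```

After `helm template` or `helm install --dry-run`, grep the rendered manifests for `type: LoadBalancer` to confirm that no Service is left with fragment 1 unintentionally; fragment 3 still depends on the cloud provider honouring the annotation, so verify the resulting load balancer has no public address.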