pingcap / tidb-operator

TiDB operator creates and manages TiDB clusters running in Kubernetes.
https://docs.pingcap.com/tidb-in-kubernetes/
Apache License 2.0
1.22k stars 493 forks

Enable Source Range IP settings on Service Loadbalancers #2097

Closed RobbyKK closed 4 years ago

RobbyKK commented 4 years ago

Feature Request

Is your feature request related to a problem? Please describe: There are security concerns in Security Groups created by TiDB and Grafana Service LoadBalancers, where by default it creates a 0.0.0.0/0 inbound rule. These ingress/inbound rules should instead be limited to allowed access only.

Describe the feature you'd like: Enable limiting of Source IP Ranges in Service LoadBalancers (spec.loadBalancerSourceRanges) https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support

Describe alternatives you've considered: We can directly edit Kubernetes Services but that can be overwritten anytime. Enabling this would enable better config management.

Teachability, Documentation, Adoption, Migration Strategy: If this is enabled user will only have to set the allowed access ips here: https://github.com/pingcap/tidb-operator/blob/v1.0.6/deploy/modules/aws/tidb-cluster/values/default.yaml#L10
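The following is an added example, not code from this issue or from tidb-operator: a small audit of Service objects (shaped like `kubectl get svc -o json` items) that reports the exact condition the issue describes, a `type: LoadBalancer` Service with no `spec.loadBalancerSourceRanges`, which the cloud provider translates into a 0.0.0.0/0 inbound rule. It also flags entries that are not valid CIDRs or that cover the whole address space (`0.0.0.0/0`, `::/0`). The Service objects in `SAMPLE_SERVICES` are constructed for the example; the names and namespace are hypothetical.

```python
"""Audit Kubernetes Services for missing or over-broad loadBalancerSourceRanges.

Added example; not part of tidb-operator. Input objects mimic the JSON that
`kubectl get svc -o json` returns, but are constructed inline so this runs offline.
"""
import ipaddress

# Constructed sample Services (hypothetical names). Only the fields the audit
# looks at are populated.
SAMPLE_SERVICES = [
    {   # LoadBalancer with no source ranges: provider opens the listener to the world
        "metadata": {"name": "demo-tidb", "namespace": "tidb"},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 4000}]},
    },
    {   # source ranges present but explicitly world-open
        "metadata": {"name": "demo-grafana", "namespace": "tidb"},
        "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["0.0.0.0/0"]},
    },
    {   # correctly restricted to a private range and one office address
        "metadata": {"name": "demo-pd", "namespace": "tidb"},
        "spec": {"type": "LoadBalancer",
                 "loadBalancerSourceRanges": ["10.0.0.0/8", "203.0.113.7/32"]},
    },
    {   # not a LoadBalancer: out of scope for this check
        "metadata": {"name": "demo-tikv-peer", "namespace": "tidb"},
        "spec": {"type": "ClusterIP"},
    },
    {   # malformed entries: host bits set, and not a CIDR at all
        "metadata": {"name": "demo-bad", "namespace": "tidb"},
        "spec": {"type": "LoadBalancer",
                 "loadBalancerSourceRanges": ["10.0.0.1/8", "not-a-cidr"]},
    },
]


def audit_service(svc):
    """Return a list of findings for one Service object; an empty list means OK."""
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return []  # only LoadBalancer Services get cloud-provider ingress rules

    ranges = spec.get("loadBalancerSourceRanges") or []
    findings = []
    if not ranges:
        findings.append(
            "no loadBalancerSourceRanges set: provider default is an inbound rule for 0.0.0.0/0")
    for cidr in ranges:
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.1/8
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append(f"invalid or non-canonical CIDR {cidr!r}")
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0: the restriction is present but meaningless
            findings.append(f"{cidr} allows every source address")
    return findings


def audit_services(services):
    """Map 'namespace/name' to findings for every Service that has at least one."""
    report = {}
    for svc in services:
        meta = svc.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        findings = audit_service(svc)
        if findings:
            report[key] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_services(SAMPLE_SERVICES).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Against the samples, `demo-tidb`, `demo-grafana` and `demo-bad` are reported and `demo-pd` passes. On a live cluster the same functions can be fed the `items` array of `kubectl get svc -A -o json`; the point of the issue stands, though, because a range patched directly onto the Service can be reverted when the operator next reconciles it, so the restriction belongs in the cluster's managed configuration rather than in an ad-hoc edit.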

DanielZhangQD commented 4 years ago

@RobbyKK Thanks for reporting this issue! Would you please help submit a PR for the fix?

DanielZhangQD commented 4 years ago

close this via https://github.com/pingcap/tidb-operator/pull/2610