Bug 1377848

Summary: [DOCS] Provide clear recommendations for Provisioning network security
Product: Red Hat OpenStack
Reporter: Dan Sneddon <dsneddon>
Component: documentation
Assignee: RHOS Documentation Team <rhos-docs>
Status: CLOSED EOL
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 10.0 (Newton)
CC: mburns, morazi, nlevinki, srevivo
Target Milestone: ---
Keywords: Documentation
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-07-07 09:34:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Dan Sneddon 2016-09-20 18:41:46 UTC
Description of problem:
The provisioning network that is shared by the Undercloud server and the overcloud nodes for PXE/TFTP is security-sensitive. Anyone who could get on this network to spoof DHCP/TFTP responses could theoretically boot an evil image on one of the overcloud nodes to gain further access. We should recommend access control lists (ACLs) on the router which provides access to the Provisioning network.

Version-Release number of selected component (if applicable):
All

Actual results:
Although this recommendation is made in the Network Reference Architecture, I couldn't find similar recommendations in the Official Installation Guide or the Network Architecture guide.

Expected results:
This network should be protected via an ACL, and recommendations should be made to encourage this.

Additional info:
Here is some sample text which could be used:

"In a standard deployment, the Undercloud server runs DHCP and TFTP services in order to PXE boot the Overcloud nodes. The TFTP protocol has no concept of security, and the server may be a security risk if left exposed. The Provisioning network should be protected by an access control list (ACL) or otherwise secured in production deployments."

Furthermore, we may want to develop a list of ports which should be open:

* SSH (consider opening up only to administrative admin access)
* HTTPS port for Horizon access
* Public API ports (optionally Admin API in POC envs)

That way we can recommend a secure environment.

I will work on collecting the port list that would have to be open on the Undercloud, but perhaps we can add the recommendation above in the meantime.
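To make the recommendation concrete, here is an added example (not code from the bug report or from Red Hat's documentation) that models the router ACL the report asks for: DHCP/TFTP stays inside the provisioning segment, SSH to the undercloud is limited to an admin network, and only HTTPS and the public API ports are reachable from elsewhere. All subnets are constructed RFC 5737 documentation ranges, the rule order is an assumption, and the single public API port used is the Keystone default, chosen here only as a stand-in for the port list the reporter still intends to collect. An audit helper flags any allow rule that would let DHCP/TFTP in from outside the segment, which is the spoofing exposure the report describes.

```python
"""Router ACL model for an OpenStack provisioning network.

Added example, not code from the bug report or from Red Hat's documentation.
All addresses, the rule order and the port sets are constructed for
illustration; real deployments substitute their own subnets and endpoints.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed subnets (RFC 5737 documentation ranges).
PROVISIONING_NET = ip_network("192.0.2.0/24")   # undercloud + overcloud PXE segment
ADMIN_NET = ip_network("198.51.100.0/24")       # operator workstations
UNDERCLOUD = ip_network("192.0.2.1/32")         # undercloud host address
ANY = ip_network("0.0.0.0/0")

PXE_PORTS = frozenset({67, 68, 69})             # DHCP server/client, TFTP (all UDP)
SSH_PORT = frozenset({22})
HTTPS_PORT = frozenset({443})                   # Horizon
PUBLIC_API_PORTS = frozenset({5000})            # assumption: Keystone public endpoint only


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dports: frozenset      # destination ports; empty set means any port


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.src in rule.src and pkt.dst in rule.dst
            and rule.proto in ("any", pkt.proto)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; traffic matching no rule is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Rule set for the router that fronts the provisioning network (constructed).
PROVISIONING_ACL = (
    # PXE traffic never crosses the router: only hosts already on the
    # segment may exchange DHCP/TFTP with each other.
    Rule("allow", PROVISIONING_NET, PROVISIONING_NET, "udp", PXE_PORTS),
    # SSH to the undercloud only from the admin network.
    Rule("allow", ADMIN_NET, UNDERCLOUD, "tcp", SSH_PORT),
    # Horizon (HTTPS) and the public APIs are reachable from anywhere.
    Rule("allow", ANY, UNDERCLOUD, "tcp", HTTPS_PORT | PUBLIC_API_PORTS),
    # Everything else destined for the provisioning segment is dropped.
    Rule("deny", ANY, PROVISIONING_NET, "any", frozenset()),
)


def exposed_pxe_rules(rules):
    """Audit helper: allow rules that admit DHCP/TFTP from a source outside
    the provisioning segment, i.e. rules that leave the PXE path spoofable."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.proto == "tcp":
            continue  # deny rules and TCP-only rules cannot expose PXE (UDP)
        hits_pxe = not rule.dports or bool(rule.dports & PXE_PORTS)
        if hits_pxe and not rule.src.subnet_of(PROVISIONING_NET):
            findings.append(rule)
    return findings


def pkt(src: str, dst: str, proto: str, dport: int) -> Packet:
    return Packet(ip_address(src), ip_address(dst), proto, dport)


if __name__ == "__main__":
    # Constructed sample flows: an overcloud node PXE booting, an admin SSH
    # session, a public HTTPS request, and an outside host probing TFTP.
    samples = [
        pkt("192.0.2.20", "192.0.2.1", "udp", 67),
        pkt("198.51.100.10", "192.0.2.1", "tcp", 22),
        pkt("203.0.113.5", "192.0.2.1", "tcp", 443),
        pkt("203.0.113.5", "192.0.2.50", "udp", 69),
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {evaluate(PROVISIONING_ACL, p)}")
    print("exposed PXE rules:", exposed_pxe_rules(PROVISIONING_ACL))
```

The default action is deny, so a flow that matches no rule (an external host trying TFTP against an overcloud node, say) is dropped without needing an explicit rule for every port; the final catch-all deny is kept only so the policy reads explicitly. Running `exposed_pxe_rules` against a candidate rule set before it is pushed to the router gives a cheap regression check that nobody later widened the PXE allow rule to an outside source.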