autoscaling icon indicating copy to clipboard operation
autoscaling copied to clipboard

Published 20 hours ago verified publisher icon neondatabase

Epic: Further network hardening

Open sharnoff opened this issue 1 year ago • 0 comments

User stories

As a follow-up to #413, we should also generally make sure that if a hypothetical attacker did have access to our network, they'd have a hard time messing with our systems.

Realistically, there's more important areas of security work to get to first. For now, this epic exists to write down the ideas somewhere to make sure they're tracked. Some of the pieces here are actually quite difficult to set up.

DoD

  • All connections between autoscaling components are authenticated.

This is part 2 of 2, for security-related improvements for autoscaling & NeonVM. Part 1 is here.

Contributing Epics & tasks

- [ ] Access to VM's QEMU should be restricted to neonvm-controller
- [ ] neondatabase/security#29
- [ ] Scheduler plugin should authenticate autoscaler-agent connections
- [ ] plugin + agent "dump state" and pprof endpoints should be authenticated
- [ ] agent -> monitor connections should be authenticated by monitor

Related Projects and Epics

  • https://github.com/neondatabase/neon_roadmap/issues/122
  • #413

sharnoff avatar Jul 15 '23 17:07 sharnoff