[kuryr] Job running open resolver

James E. Blair corvus at inaugust.com
Tue Mar 3 16:04:28 UTC 2020


Hi,

The openstack-infra team received a report from one of our
infrastructure donors that a gate job run by Kuryr is running a DNS
resolver open to the Internet.  This is dangerous as, if discovered, it
can be used as part of DNS reflection attacks.  The community and our
infrastructure donors share an interest in avoiding misuse of our
resources.

Would you please look into whether this job is perhaps opening its
iptables ports too liberally, and whether that can be avoided?

The job is kuryr-kubernetes-tempest-containerized-ovn, and the build
which triggered the alerting system is this one:

https://zuul.opendev.org/t/openstack/build/166301f57b21402d8d8443bb1e17f970

Thanks,

Jim
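As an added example (not part of the original message, and not code from Kuryr or the openstack-infra team), one way to check whether a host's firewall rules would let an Internet client reach a local DNS resolver is to walk an `iptables-save` dump with a probe packet and report the first terminating rule it hits. It assumes IPv4 filter-table rules without `!` negation; the probe address and the sample ruleset are constructed for illustration.

```python
import ipaddress
import shlex

# Probe packet (constructed): a NEW UDP query to port 53 from an arbitrary
# Internet host (TEST-NET-3 documentation address) on a non-loopback interface.
PROBE = {"proto": "udp", "src": ipaddress.ip_address("203.0.113.7"),
         "iface": "eth0", "dport": 53}

def _port_match(spec, port):  # spec such as '53', '1:1024' or '22,53'
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        if int(lo or 0) <= port <= int(hi or (65535 if sep else lo)):
            return True
    return False

def _matches(tok, p):
    """Matches not understood here (e.g. -d, --sport) are assumed to match."""
    opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
    ports = opt.get("--dport") or opt.get("--dports")
    states = opt.get("--ctstate") or opt.get("--state")
    return (opt.get("-p", "all") in ("all", p["proto"])
            and ("-s" not in opt or p["src"] in ipaddress.ip_network(opt["-s"], strict=False))
            and opt.get("-i", p["iface"]) == p["iface"]
            and (not ports or _port_match(ports, p["dport"]))
            and (not states or "NEW" in states.split(",")))

def verdict(ruleset, chain="INPUT", probe=PROBE):
    """Return (target, rule) for the first terminating rule the probe hits, else the policy."""
    lines = [l.strip() for l in ruleset.splitlines()]
    rules = [shlex.split(l) for l in lines if l.startswith("-A ")]
    policy = {l.split()[0][1:]: l.split()[1] for l in lines if l.startswith(":")}
    def walk(name):
        for tok in rules:
            if tok[1] == name and "-j" in tok and _matches(tok, probe):
                target = tok[tok.index("-j") + 1]
                if target in ("ACCEPT", "DROP", "REJECT"):
                    return target, " ".join(tok)
                if target == "RETURN":
                    return None
                if target in policy and (hit := walk(target)):  # user-defined chain
                    return hit
        return None
    return walk(chain) or (policy.get(chain, "ACCEPT"), "chain policy")

# Constructed sample in iptables-save format; not taken from the Kuryr job.
SAMPLE = """:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT"""
```

Calling `verdict(SAMPLE)` names the rule that accepts the probe; restricting that rule with `-s` to the networks that actually need the resolver makes the probe fall through to the DROP policy.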


