[kuryr] Job running open resolver

James E. Blair corvus at inaugust.com
Tue Mar 3 16:04:28 UTC 2020


The openstack-infra team received a report from one of our
infrastructure donors that a gate job run by Kuryr is running a DNS
resolver open to the Internet.  This is dangerous as, if discovered, it
can be used as part of DNS reflection attacks.  The community and our
infrastructure donors share an interest in avoiding misuse of our

Would you please look into whether this job is perhaps opening its
iptables ports too liberally, and whether that can be avoided?

The job is kuryr-kubernetes-tempest-containerized-ovn, and the build
which triggered the alerting system is this one:




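As a way to review whether a job's iptables rules expose DNS more widely than intended, the following added example (not part of the original message and not Kuryr or openstack-infra code) scans `iptables-save` output for ACCEPT rules that admit new port-53 traffic from any source. The function names and the sample ruleset are constructed for illustration; the check looks only at explicit ACCEPT rules in one chain and does not evaluate rule ordering, chain policy or NAT rules.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save` output, not taken from the Kuryr job.
SAMPLE = """\
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,53,8080 -j ACCEPT
-A INPUT ! -s 10.0.0.0/8 -p udp -m udp --dport 1:1024 -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 -j ACCEPT
"""

def covers_dns(spec):
    """True if a numeric --dport/--dports value ('22,53', '1:1024') includes 53."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        if int(lo or 0) <= 53 <= int(hi or (65535 if sep else lo)):
            return True
    return False

def any_source(cidr):
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def open_dns_rules(ruleset, chain="INPUT"):
    """ACCEPT rules in `chain` that admit new port-53 traffic from any source."""
    hits = []
    for line in ruleset.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        tok = shlex.split(line)
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        neg = {tok[i + 1] for i, t in enumerate(tok[:-1]) if t == "!"}
        def excludes(keys, ok, exact=False):
            # True when a match option keeps the rule away from open DNS traffic;
            # negated options exclude only when exact=True (conservative otherwise).
            k = next((k for k in keys if k in opt), None)
            if k is None:
                return False
            return ok(opt[k]) == (k in neg) if exact else not (k in neg or ok(opt[k]))
        if opt.get("-j") == "ACCEPT" and not (
                excludes(["-i"], lambda v: v != "lo")
                or excludes(["-p"], lambda v: v in ("udp", "tcp", "all"))
                or excludes(["--ctstate", "--state"], lambda v: "NEW" in v.split(","), True)
                or excludes(["-s"], any_source, True)
                or excludes(["--dport", "--dports"], covers_dns, True)):
            hits.append(line)
    return hits
```

Each returned rule is a candidate for tightening with a source restriction or for removal; a clean result here does not replace testing from outside the host that the resolver refuses recursive queries.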