Create scs-XXXX-v1-default-rules-for-security-groups.md #525
Conversation
First draft of standard for default security group rules Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
josephineSei
requested review from
horazont,
artificial-intelligence and
markus-hentsch
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
fix typos Co-authored-by: Sven <kieske@osism.tech> Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Create Test for the default security group rules Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
fix typos and adjust some wording Co-authored-by: Markus Hentsch <129268441+markus-hentsch@users.noreply.github.com> Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Add example on how to create a rule only for custom security groups Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
|
While trying some of the parameters of the create command for default security groups I found the following: I thought when only providing the This is a Client-specific behavior, as the default for the |
|
I talked to upstream and found a bug report for this and a patch, which already fixes this behavior. My chat with the Neutron guys made come cores approve this patch and it will be merged :D |
remove example in favor of the guide in docs: SovereignCloudStack/docs#167 Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
We will do this as soon as we can merge it. But right now, when there is still discussion, we might use a number that then is already taken by another standard. |
…ult security groups. Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
This will only allow ingress traffic from the same SG for the default security groups. Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
|
@markus-hentsch , @horazont could you please review and @markus-hentsch test this standard? Thank you |
| Until the 2023.1 release (antelope) the default Security Group rules are hardcoded in the OpenStack code. | ||
| We should require to not change this behavior through code changes in deployments. | ||
|
|
||
| Beginning with the 2023.2 release (bobcat) the default Security Group rules can now be edited by administrators through an API. | ||
| All rules that should be present as default in Security Groups MUST be configured by admins through this API. |
There was a problem hiding this comment.
Please discuss in the design considerations the two options:
- Mandate that admins set a specific set of rules
- Mandate that users should always explicitly set security groups
Elaborate the trade-offs and motivate the eventual choice.
There was a problem hiding this comment.
I have done a discussion on this, please review it and tell, if it is what you suggested
| The whitelisting concept of Security Group rules makes it hard to allow traffic with an exception of certain ports. | ||
| It would be possible to just define many rules to achieve what a blacklist would achieve. | ||
| This has the severe downside that users could be confused by these rules and will not disable unnecessary default rules in their SGs. |
There was a problem hiding this comment.
It is not clear to me what this discussion contributes to the standard for default rules. Please motivate it (e.g. if there was discussion to have a default ruleset which allows most stuff but blocks often-abused services like NFS/rpcbind, DNS etc., then please add that information).
There was a problem hiding this comment.
I rephrased the sentence.
| This can be achieved through having ingress rules in the default Security Group rules that allow ingress traffic from the Remote Security Group "PARENT" but are only used in the default Security Group. | ||
|
|
||
| The default Security Group rules for ALL Security Groups SHOULD allow egress Traffic for both IPv4 and IPv6. | ||
| This standard does not forbid to also disallow all outgoing traffic making the existence of egress rules OPTIONAL. |
There was a problem hiding this comment.
"This standard does not forbid to also disallow all outgoing traffic making the existence of egress rules OPTIONAL."
I don't understand this sentence fully. Could you please elaborate what is the intent behind this interop statement?
There was a problem hiding this comment.
I removed this sentence, it is unnessecary.
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
|
|
||
| The rules of a Security Group can be edited by default by any user with the member role within a project. | ||
| But when a Security Group is created it automatically incorporates a few SG rules that are configured as default rules. | ||
| Since the 2023.2 release, this set of default rules can be adjusted by administrators only[^1][^2]. |
There was a problem hiding this comment.
That now makes it sound as if previous releases allowed everyone to edit the default rules.
Suggestion:
Since the 2023.2 release, the default set of security group rules can be adjusted. This functionality is only available to administrators.
| OpenStacks default rules for security groups already provide a good baseline for port security, because they allow all egress traffic and for the default security group only ingress traffic from the same group. | ||
| Allowing more rules would not benefit the security level, while reducing or limiting the existing rules would barely improve it. | ||
| Nevertheless a standard could hold up the current security level against possible future release with more open default rules. | ||
| Changing the default rules will not change the rules any existing security groups. |
There was a problem hiding this comment.
Formatting nitpick: I suggest to use paragraph breaks here (empty lines), to make this more readable in the rendered version. I.e.:
1. There could be a set of […].
OpenStack default rules […].
Allowing more rules […].
Nevertheless a standard could uphold […].
Changing the default rules […].
| 2. With the already strict OpenStack default rules users are required in most use cases to create and manage their own security groups. | ||
| This has the benefit that users need to explicitly think about the port security of their VMs and may be less likely to apply security groups which rules open up more ports than needed. | ||
| There is also a guide from the SCS on how to set up a security group that also focuses on having a good port security[^3]. |
| The requirement to not change the default code of earlier OpenStack releases is difficult to test. | ||
| It should be considered to only apply this standard onto versions of OpenStack that implement the new endpoint for the default Security Group rules, which would only include 2023.2 or higher releases. |
There was a problem hiding this comment.
This isn't really an open question, is it?
Code changes are unnecessary because, AFAICT, the setup the standard describes is identical to the setup already provided by stock OpenStack.
| The allowlisting concept of Security Group rules makes it hard to allow traffic with an exception of certain ports. | ||
| It would be possible to just define many rules to achieve what a blocklist would achieve. | ||
| But having many rules may confuse users and they may not disable unnecessary default rules in their SGs. |
There was a problem hiding this comment.
What is the open question here?
There was a problem hiding this comment.
I rephrased the abtract, to better represent these annotations.
| It is possible to have different default Security Group rules for the default SG and custom SGs. | ||
| And it is arguable to have a more strict standard for default rules for the default Security Group than for the custom Security Groups. | ||
| Because the latter ones are not automatically applied to a VM but are always edited by the users to apply to their requirements. |
There was a problem hiding this comment.
What is the open question here?
There was a problem hiding this comment.
I rephrased the abtract, to better represent these annotations.
|
|
||
| ## Conformance Tests | ||
|
|
||
| The conformance tests should check for the absence of any ingress traffic rules in the `openstack security group rule list`. |
There was a problem hiding this comment.
The conformance test should also create a new security group and check that, too.
There was a problem hiding this comment.
What would be the improvement of this? The default security group rules are the ones used to create the rules in security groups. Testing both would not test the standard but would test for bugs in the openstack code applying the default rules to the security groups.
PLUS: to test this through creating security groups, it would also be necessary to create a new project, to have a brand new default security group. We should be able to test everything as non-admin users.
| ## Conformance Tests | ||
|
|
||
| The conformance tests should check for the absence of any ingress traffic rules in the `openstack security group rule list`. | ||
| As having egress rules is allowed by this standard, but not forced and can be set in various ways, there will not be any tests for such rules. |
There was a problem hiding this comment.
The standard explicitly says that egress SHOULD be allowed for both v4 and v6, so that should IMO be tested.
There was a problem hiding this comment.
It's the default setting in Openstack. I'm not sure what we are gaining by testing it.
There was a problem hiding this comment.
It's the default setting in Openstack. I'm not sure what we are gaining by testing it.
Does the SCS mandate somewhere that CSPs may not deviate from OpenStack default settings unless SCS standards specify it?
If not, then I think the proposal is completely valid that we check a CSP has not changed this specific setting from its default (which would in turn violate the standard).
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
Signed-off-by: josephineSei <128813814+josephineSei@users.noreply.github.com>
|
Re-raising this: @markus-hentsch and @horazont I adjusted the tests and the Wording. Could you please review this again? |
closes #521