website/docs/getting-started-guides/ubuntu/security.md

---
title: Security Considerations
---

{% capture overview %}
This page explains the security considerations of a deployed cluster and production recommendations.
{% endcapture %}
{% capture prerequisites %}
This page assumes you have a working Juju deployed cluster.
{% endcapture %}

By default all connections between every provided node is secured via TLS by easyrsa, including the etcd cluster. 

## Implementation

The TLS and easyrsa implementations use the following [layers](https://jujucharms.com/docs/2.0/developer-layers). 

[layer-tls-client](https://github.com/juju-solutions/layer-tls-client)
[layer-easyrsa](https://github.com/juju-solutions/layer-easyrsa)

{% capture steps %}
## Limiting ssh access

By default the administrator can ssh to any deployed node in a cluster. You can mass disable ssh access to the cluster nodes by issuing the following command.

    juju model-config proxy-ssh=true

Note: The Juju controller node will still have open ssh access in your cloud, and will be used as a jump host in this case.

Refer to the [model management](https://jujucharms.com/docs/2.0/models) page in the Juju documentation for instructions on how to manage ssh keys.
{% endcapture %}

{% include templates/task.md %}
Restructure the Ubuntu Getting Started Section. - This supercedes PR #1770 - This breaks up the section from one huge installation page into: - A new index page. - New support grid with commercial and community support options. - Move to lifecycle-based pages based on operational tasks. - Add support for local deployments via LXD. - Added screenshots to images/docs/ubuntu - Add backup page. - Add decommissioning page. - Add a glossary of terms page. - Rewritten installation page. - Add logging page. - Add monitoring page. - Add networking page, flannel only for now, calico in progress. - Add a scaling page. - Add a security page. - Add a storage page. - Add a troubleshooting page. - Add an upgrade page. - Add a cluster validation page. - Add new ubuntu content to the index page. - Add Ubuntu to _data TOC. - Add warning about choosing ipv6 with LXD, thanks Ed Baluf. - Template-ize all the pages per jaredb's review. 2016-11-30 21:59:07 +00:00			`---`
Fix titles. 2017-01-11 01:55:43 +00:00			`title: Security Considerations`
Restructure the Ubuntu Getting Started Section. - This supercedes PR #1770 - This breaks up the section from one huge installation page into: - A new index page. - New support grid with commercial and community support options. - Move to lifecycle-based pages based on operational tasks. - Add support for local deployments via LXD. - Added screenshots to images/docs/ubuntu - Add backup page. - Add decommissioning page. - Add a glossary of terms page. - Rewritten installation page. - Add logging page. - Add monitoring page. - Add networking page, flannel only for now, calico in progress. - Add a scaling page. - Add a security page. - Add a storage page. - Add a troubleshooting page. - Add an upgrade page. - Add a cluster validation page. - Add new ubuntu content to the index page. - Add Ubuntu to _data TOC. - Add warning about choosing ipv6 with LXD, thanks Ed Baluf. - Template-ize all the pages per jaredb's review. 2016-11-30 21:59:07 +00:00			`---`

			`{% capture overview %}`
			`This page explains the security considerations of a deployed cluster and production recommendations.`
			`{% endcapture %}`
			`{% capture prerequisites %}`
			`This page assumes you have a working Juju deployed cluster.`
			`{% endcapture %}`

			`By default all connections between every provided node is secured via TLS by easyrsa, including the etcd cluster.`

			`## Implementation`

			`The TLS and easyrsa implementations use the following [layers](https://jujucharms.com/docs/2.0/developer-layers).`

			`[layer-tls-client](https://github.com/juju-solutions/layer-tls-client)`
			`[layer-easyrsa](https://github.com/juju-solutions/layer-easyrsa)`

			`{% capture steps %}`
			`## Limiting ssh access`

			`By default the administrator can ssh to any deployed node in a cluster. You can mass disable ssh access to the cluster nodes by issuing the following command.`

			`juju model-config proxy-ssh=true`

			`Note: The Juju controller node will still have open ssh access in your cloud, and will be used as a jump host in this case.`

			`Refer to the [model management](https://jujucharms.com/docs/2.0/models) page in the Juju documentation for instructions on how to manage ssh keys.`
			`{% endcapture %}`

			`{% include templates/task.md %}`