34 lines
1.2 KiB
Markdown
34 lines
1.2 KiB
Markdown
---
|
|
title: Security Considerations
|
|
---
|
|
|
|
{% capture overview %}
|
|
This page explains the security considerations of a deployed cluster and production recommendations.
|
|
{% endcapture %}
|
|
{% capture prerequisites %}
|
|
This page assumes you have a working Juju deployed cluster.
|
|
{% endcapture %}
|
|
|
|
By default all connections between every provided node is secured via TLS by easyrsa, including the etcd cluster.
|
|
|
|
## Implementation
|
|
|
|
The TLS and easyrsa implementations use the following [layers](https://jujucharms.com/docs/2.0/developer-layers).
|
|
|
|
[layer-tls-client](https://github.com/juju-solutions/layer-tls-client)
|
|
[layer-easyrsa](https://github.com/juju-solutions/layer-easyrsa)
|
|
|
|
{% capture steps %}
|
|
## Limiting ssh access
|
|
|
|
By default the administrator can ssh to any deployed node in a cluster. You can mass disable ssh access to the cluster nodes by issuing the following command.
|
|
|
|
juju model-config proxy-ssh=true
|
|
|
|
Note: The Juju controller node will still have open ssh access in your cloud, and will be used as a jump host in this case.
|
|
|
|
Refer to the [model management](https://jujucharms.com/docs/2.0/models) page in the Juju documentation for instructions on how to manage ssh keys.
|
|
{% endcapture %}
|
|
|
|
{% include templates/task.md %}
|