Re: Question about Application Security Group behavior


Nicholas Calugar
 

Hi noburou,

Interesting that you bring this up as I was involved in a similar
conversation today.

A1: Yes, ASGs bound to a space are only applied to the app running
containers, not staging.
A2: Not sure on the history, but we think we want to fix this. An app
always belongs to a space, so we could apply a different staging security
group to a space, affecting staging of all apps in that space.
A3: Yes, but not certain the priority.


Thanks,

Nick

On July 27, 2016 at 3:18:01 AM, Noburou TANIGUCHI (dev(a)nota.m001.jp) wrote:

Hello,

Recently I've come across a counter-intuitive behavior of Application
Security Group.

I've been thinking that an ASG bound to a space is effective for both
staging and running time. However, it seemed effective only for running
time.

So I researched the source code of cloud_controller_ng and found these two
pieces of code:

[1]
https://github.com/cloudfoundry/cloud_controller_ng/blob/01a473242f153bf7591966de08c2c8befdabcf94/lib/cloud_controller/dea/staging_message.rb#L56-L59
(for DEA)
[2]
https://github.com/cloudfoundry/cloud_controller_ng/blob/01a473242f153bf7591966de08c2c8befdabcf94/lib/cloud_controller/diego/egress_rules.rb#L4-L7
(for Diego)

Both of them seem to use just the Default Staging Security Groups as the
staging-time security groups, and ASGs bound to the space where the target
application is finally deployed seem to be ignored.

So my questions are:

Q1: Is my understanding (ASGs bound to a space are effective only for running
time) correct?
Q2: Why is this design adopted? (My guess is because an application does not
belong to any space when staging. Right?)
Q3: Is there any plan to make ASGs bound to a space effective for staging?
Because loosening the Default Staging Security Groups increases opportunity
for malicious attackers, we want an option to narrow users who get benefit
from loosened Staging Security Groups.

Thanks in advance.



-----
I'm not a ...
noburou taniguchi
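As an added illustration of the staging/running split described in Q1/A1 and of the space-scoped staging group Nick floats in A2 (this is a constructed model, not cloud_controller_ng code; group names, rule strings and the `Space#staging_groups` field are assumptions):

```ruby
# Added illustration (not cloud_controller_ng code): a small model of how
# egress rules are resolved per lifecycle phase, as described in the thread.
SecurityGroup = Struct.new(:name, :rules, :staging_default, :running_default)
Space         = Struct.new(:name, :running_groups, :staging_groups)

# Constructed sample groups; destinations are placeholders, not real addresses.
DNS         = SecurityGroup.new('dns',         ['udp 0.0.0.0/0:53'],          true,  true)
PUBLIC_NET  = SecurityGroup.new('public_net',  ['all 0.0.0.0-9.255.255.255'], false, true)
INTERNAL_DB = SecurityGroup.new('internal_db', ['tcp 10.0.1.5:5432'],         false, false)
ALL_GROUPS  = [DNS, PUBLIC_NET, INTERNAL_DB]

# Behaviour observed in the thread: staging consults only the groups flagged
# as staging defaults; the space the app will land in is never looked at.
def staging_rules(groups)
  groups.select(&:staging_default).flat_map(&:rules)
end

# Running: running defaults plus the groups bound to the app's space.
def running_rules(groups, space)
  (groups.select(&:running_default) | space.running_groups).flat_map(&:rules)
end

# Hypothetical model of the A2 proposal: a space may carry its own staging
# groups, so only that space's apps get the wider staging egress instead of
# every org inheriting a loosened platform-wide staging default.
def proposed_staging_rules(groups, space)
  (groups.select(&:staging_default) | space.staging_groups).flat_map(&:rules)
end

# A space whose apps need the internal DB at runtime and, under the proposal,
# also during staging (e.g. a buildpack that reads a schema at build time).
DEV_SPACE = Space.new('dev', [INTERNAL_DB], [INTERNAL_DB])

if __FILE__ == $PROGRAM_NAME
  puts "staging (today):    #{staging_rules(ALL_GROUPS).inspect}"
  puts "running:            #{running_rules(ALL_GROUPS, DEV_SPACE).inspect}"
  puts "staging (proposed): #{proposed_staging_rules(ALL_GROUPS, DEV_SPACE).inspect}"
end
```

Today's staging result contains only the DNS rule even though the space is bound to `internal_db`; the proposed variant admits that group at staging time without touching the platform-wide default.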
