Uploaded image for project: 'Flink'
  1. Flink
  2. FLINK-24474

Standalone clusters should bind to localhost by default

    XMLWordPrintableJSON

Details

    • Hide
      For security purposes standalone clusters now bind the REST API and RPC endpoints to localhost by default. The goal is to prevent cases where users unknowingly exposed the cluster to the outside, as they would previously bind to all interfaces.

      This can be reverted by removing the 'rest.bind-address'/'[jobmanager|taskmanager].bind-host' settings from the flink-conf.yaml .

      Note that within docker containers the REST API still binds to 0.0.0.0 .
      Show
      For security purposes standalone clusters now bind the REST API and RPC endpoints to localhost by default. The goal is to prevent cases where users unknowingly exposed the cluster to the outside, as they would previously bind to all interfaces. This can be reverted by removing the 'rest.bind-address'/'[jobmanager|taskmanager].bind-host' settings from the flink-conf.yaml . Note that within docker containers the REST API still binds to 0.0.0.0 .

    Description

      By default the REST endpoints bind to 0.0.0.0.

      This is fine for docker use-cases as it simplifies the setup and the API isn't reachable unless the user explicitly enables that via docker.

      However, for standalone clusters this is a different story, and it is currently too easy for users to accidentally expose their clusters to the outside world.

      We should set the bind address by default to localhost, and change the docker-scripts to set this to 0.0.0.0 .

      Attachments

        Issue Links

          Activity

            People

              nsemmler Niklas Semmler
              chesnay Chesnay Schepler
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: