FLINK-24474: Standalone clusters should bind to localhost by default


Details

      For security purposes, standalone clusters now bind the REST API and RPC endpoints to localhost by default. The goal is to prevent cases where users unknowingly expose the cluster to the outside, as standalone clusters previously bound to all interfaces.

      This can be reverted by removing the 'rest.bind-address'/'[jobmanager|taskmanager].bind-host' settings from flink-conf.yaml.

      Note that within docker containers the REST API still binds to 0.0.0.0.

    Description

      By default the REST endpoints bind to 0.0.0.0.

      This is fine for docker use-cases as it simplifies the setup and the API isn't reachable unless the user explicitly enables that via docker.

      However, for standalone clusters this is a different story, and it is currently too easy for users to accidentally expose their clusters to the outside world.

      We should set the bind address by default to localhost, and change the docker-scripts to set this to 0.0.0.0.


            People

              nsemmler Niklas Semmler
              chesnay Chesnay Schepler