[kwlug-disc] Saltstackgeddon
Mikalai Birukou
mb at 3nsoft.com
Wed May 6 16:16:50 EDT 2020
>> | The tl;dr is that if your salt-master is accessible on the Internet
>> | (via the Salt port) then ALL of your minions are compromised.
>>
>> You mean it's not a good idea to leave your management systems
>> open to everyone on the internet?
More reasons to have someone talk about WireGuard!
Maybe we should have it as an admin commandment: thou shalt put all
inner-cluster traffic into a VPN.
This reminds me of the "don't put IPMI/BMC on the Internet" story of 10
years ago. You can say that with IPMI/BMC the minion has open ports, but if we
zoom out, it is a story about cluster-controlling traffic. (Reminder:
IPMI == physical access === root.)