mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-25 07:29:38 -05:00
cilium: don't allow remote node identities
The Cilium strict mode has a special mode that slightly loosens security. For compatibility, this mode is enabled by default. But we don't need it for strict node-to-node encryption. Therefore, we disable it.
parent
e8840d5fdc
commit
1972b635b4
@ -45,7 +45,6 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
|
||||
strictMode := map[string]any{}
|
||||
if provider != cloudprovider.QEMU {
|
||||
strictMode = map[string]any{
|
||||
"enabled": true,
|
||||
"nodeCIDRList": []string{output.IPCidrNode},
|
||||
}
|
||||
}
|
||||
|
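Review bot: `output.IPCidrNode` goes straight into `nodeCIDRList` with no check visible in this hunk that it is non-empty and a well-formed CIDR. Strict mode's enforcement scope is derived from this list, so an empty or malformed value should be rejected here rather than passed on to the chart; a `net.ParseCIDR(output.IPCidrNode)` check before building the map would cover it. The `provider != cloudprovider.QEMU` branch would also benefit from a one-line comment such as `// QEMU gets no nodeCIDRList override: <reason>`, because the empty `strictMode` map for that provider otherwise reads like an oversight. The body of `extraCiliumValues` starts and continues outside this hunk, so the value may already be validated upstream.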
@ -20,8 +20,9 @@ var ciliumVals = map[string]map[string]any{
|
||||
"type": "wireguard",
|
||||
"nodeEncryption": true,
|
||||
"strictMode": map[string]any{
|
||||
"enabled": true,
|
||||
"podCIDRList": []string{"10.244.0.0/16"},
|
||||
"enabled": true,
|
||||
"allowRemoteNodeIdentities": false,
|
||||
"podCIDRList": []string{"10.244.0.0/16"},
|
||||
},
|
||||
},
|
||||
"l7Proxy": false,
|
||||
@ -62,8 +63,9 @@ var ciliumVals = map[string]map[string]any{
|
||||
"type": "wireguard",
|
||||
"nodeEncryption": true,
|
||||
"strictMode": map[string]any{
|
||||
"enabled": true,
|
||||
"podCIDRList": []string{"10.244.0.0/16"},
|
||||
"enabled": true,
|
||||
"allowRemoteNodeIdentities": false,
|
||||
"podCIDRList": []string{"10.244.0.0/16"},
|
||||
},
|
||||
},
|
||||
"l7Proxy": false,
|
||||
@ -107,7 +109,8 @@ var ciliumVals = map[string]map[string]any{
|
||||
"type": "wireguard",
|
||||
"nodeEncryption": true,
|
||||
"strictMode": map[string]any{
|
||||
"enabled": true,
|
||||
"enabled": true,
|
||||
"allowRemoteNodeIdentities": false,
|
||||
},
|
||||
},
|
||||
"image": map[string]any{
|
||||
|
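Review bot: `"allowRemoteNodeIdentities": false` is repeated as a literal in each of the three provider `strictMode` maps, and nothing here prevents a future provider entry from omitting it. Per the commit description the upstream default is the permissive setting, so an omission would silently fall back to the looser mode. A comment beside the key would make the intent explicit, for example `// keep false: the chart default allows remote node identities, which weakens strict mode`. A table-driven test over `ciliumVals` that asserts the key is present and false wherever `strictMode.enabled` is true would catch such drift. The third map also sets no `podCIDRList` while the first two hard-code `10.244.0.0/16`; this may be intentional for that provider, but it deserves a comment as well.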