On 2017-10-04 10:47:02 +0100 (+0100), Luke Hinds wrote: [...] > The recommendation is not to use metadata for security sensitive > data (its possible to spoof by setting a X-Forwarded header), > please see the following OpenStack Security Note on the topic: > > https://wiki.openstack.org/wiki/OSSN/OSSN-0074
Well, it's possible as long as the environment is badly designed/configured: you deployed nova to expect a proxy, but then gave guest instances a way to reach the metadata API without going through that proxy. So while it's definitely a risk to be aware of, it come pretty close to the need Sean mentions for "solid network security on the path between your guests and your nova-API." -- Jeremy Stanley
signature.asc
Description: Digital signature
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
