Thanks for the advice, Frode.

Gav

On Tue, 20 Jun 2023 at 23:33, Frode Nordahl <frode.nord...@canonical.com> wrote:
> Hello, Gavin,
>
> On Tue, Jun 20, 2023 at 10:55 PM Gavin McKee via discuss
> <ovs-discuss@openvswitch.org> wrote:
> > Is it possible to control who gets to write to OVN NB?
>
> With the Southbound DB there is an OVN RBAC feature that may be used [0],
> however no such feature currently exists for the Northbound DB.
>
> > I want to ensure that no hypervisor with ovn-nbctl can write
> > configuration into the North DB. Is there any approach I can use?
>
> With the lack of RBAC for NB DB there are a couple of other approaches that
> could be used:
>
> 1. Set up a firewall on the units providing the NB DB, not allowing
>    connections from hypervisors.
>
> 2. Enable TLS/SSL and use a different certificate chain for NB and SB DBs.
>    When enabled, the ovsdb-server will verify the client's certificate and
>    refuse connections from those it cannot verify.
>
> 0: https://docs.ovn.org/en/latest/tutorials/ovn-rbac.html
>
> --
> Frode Nordahl
>
> > Gav
> > _______________________________________________
> > discuss mailing list
> > disc...@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
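
An added example, not part of the original thread and not OVN's own tooling: the second approach from the quoted reply (a different certificate chain for the NB and SB DBs), shown with plain `openssl`. The CA and client names (`nb-ca`, `sb-ca`, `northd-client`, `hypervisor1`) are constructed for this demo, and `openssl verify` is used as a stand-in for the client-certificate check the reply says the ovsdb-server performs.

```shell
#!/bin/sh
# Constructed demo: one CA per database. A hypervisor only ever receives a
# certificate from the SB CA, so a server trusting only the NB CA refuses it.

# make_ca DIR NAME: create a self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA NAME: create a key for NAME and a certificate signed by CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.pem" 2>/dev/null
}

# accepted_by DIR CA CERT: exit 0 only if CERT chains to CA, i.e. the check a
# TLS server makes against the single CA certificate it is configured with.
accepted_by() {
    openssl verify -CAfile "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1
}

# run_demo: print "<ca> <client> accepted|refused" for each combination tried.
run_demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" nb-ca && make_ca "$d" sb-ca &&
    issue_cert "$d" nb-ca northd-client &&
    issue_cert "$d" sb-ca hypervisor1 || { rm -rf "$d"; return 1; }
    for pair in "nb-ca northd-client" "nb-ca hypervisor1" "sb-ca hypervisor1"; do
        set -- $pair
        if accepted_by "$d" "$1" "$2"; then r=accepted; else r=refused; fi
        echo "$1 $2 $r"
    done
    rm -rf "$d"
}
```

Calling `run_demo` shows the hypervisor certificate accepted under the SB CA and refused under the NB CA. The separation only holds while the NB CA's private key and any NB-issued client keys stay off the hypervisors.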