Securing OpenShift UPI: Hardening DNS, HTTP, NFS, and SSL

OpenShift UPI (User-Provisioned Infrastructure) offers flexibility and control, but with that comes the responsibility of securing the underlying services. In this post, we’ll walk through practical steps to lock down common services—DNS, HTTP, NFS, and SSL—to mitigate known vulnerabilities and improve your cluster’s security posture.


🔐 DNS Server Hardening

DNS is often overlooked, but it can be a rich source of information leakage and attack vectors. Here are four common DNS-related vulnerabilities and how to mitigate them:

1. Cache Snooping – Remote Information Disclosure

Attackers can infer what domains have been queried by your server.

2. Recursive Query – Cache Poisoning Weakness

Unrestricted recursion can allow attackers to poison your DNS cache.

3. Spoofed Request – Amplification DDoS

Open DNS resolvers can be abused for DDoS amplification attacks.

4. Zone Transfer – Information Disclosure (AXFR)

Misconfigured zone transfers can leak internal DNS data.

✅ Mitigation Script

Use the following script to lock down named (BIND) and restrict access to trusted nodes only:

#!/usr/bin/env bash
set -euo pipefail

# Backup the current configuration
cp /etc/named.conf /etc/named.conf-$(date +%s)

# Remove unquoted "include /..." lines (invalid BIND syntax), however many there are
if [[ $(grep -c "include /" /etc/named.conf) -ge 1 ]]; then
  grep -v -F -e "include /" /etc/named.conf > /etc/named.conf-temp
  cat /etc/named.conf-temp > /etc/named.conf
  rm -f /etc/named.conf-temp
fi

# Add the trusted include if missing. BIND requires an acl to be defined
# before it is referenced, so the include goes at the top of the file,
# ahead of the options block that will use "trusted".
if [[ $(grep -c 'include "/etc/named-trusted.conf";' /etc/named.conf) -eq 0 ]]; then
  sed -i '1i include "/etc/named-trusted.conf";' /etc/named.conf
fi

# Build the trusted ACL from the cluster's node addresses
# (column 6 of `oc get nodes -o wide` is INTERNAL-IP)
echo 'acl "trusted" {' > /etc/named-trusted.conf
export KUBECONFIG=/root/openstack-upi/auth/kubeconfig
for IP in $(oc get nodes -o wide --no-headers | awk '{print $6}'); do
  echo "  ${IP}/32;" >> /etc/named-trusted.conf
done
echo "  localhost;" >> /etc/named-trusted.conf
echo "  localnets;" >> /etc/named-trusted.conf
echo "};" >> /etc/named-trusted.conf

🔧 Then add the following inside the options block of named.conf, directly after recursion yes;:

// only cluster nodes and local networks may recurse or read the cache
allow-recursion { trusted; };
allow-query-cache { trusted; };
// do not request incremental transfers from primaries
request-ixfr no;
// refuse zone transfers (AXFR) to every client
allow-transfer { none; };

Validate the result with named-checkconf, then restart named (systemctl restart named) to apply the changes.
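The following is an added example, not code from the original post, that generalizes the ACL builder above and adds the check a practitioner would want before restarting named. build_trusted_acl reads one address per line on stdin (for instance the oc get nodes output piped in) and handles IPv6 as well as IPv4; audit_named_conf verifies that the four directives are present and that the trusted include precedes the options block, which BIND requires because acl names cannot be forward-referenced. The function names and the sample configuration in demo are my own constructions.

```shell
#!/bin/sh
# Added example: generalized trusted-ACL builder plus a named.conf audit.
# Not part of the original post; function names are the editor's own.

# build_trusted_acl OUTFILE  (reads one IP per line on stdin)
# Writes a BIND acl named "trusted". IPv4 addresses get /32, IPv6 /128,
# so the result also works for dual-stack clusters.
build_trusted_acl() {
  out=$1
  {
    echo 'acl "trusted" {'
    while IFS= read -r ip || [ -n "$ip" ]; do
      [ -z "$ip" ] && continue
      case $ip in
        *:*) echo "  ${ip}/128;" ;;
        *)   echo "  ${ip}/32;" ;;
      esac
    done
    echo '  localhost;'
    echo '  localnets;'
    echo '};'
  } > "$out"
}

# audit_named_conf FILE
# Returns 0 when all four hardening directives are present and the
# trusted include appears before the options block. BIND resolves acl
# names in file order, so an include appended after options fails
# named-checkconf with an undefined ACL. Each finding is printed.
audit_named_conf() {
  f=$1
  rc=0
  for d in 'allow-recursion { trusted; };' \
           'allow-query-cache { trusted; };' \
           'request-ixfr no;' \
           'allow-transfer { none; };'; do
    grep -qF "$d" "$f" || { echo "missing: $d"; rc=1; }
  done
  inc=$(grep -n 'include "/etc/named-trusted.conf";' "$f" | head -n 1 | cut -d: -f1)
  opt=$(grep -n '^[[:space:]]*options' "$f" | head -n 1 | cut -d: -f1)
  if [ -z "$inc" ]; then
    echo "missing: trusted include"; rc=1
  elif [ -n "$opt" ] && [ "$inc" -gt "$opt" ]; then
    echo "trusted include (line $inc) must precede options (line $opt)"; rc=1
  fi
  return $rc
}

# Demonstration on constructed input (not a real cluster).
demo() {
  dir=$(mktemp -d)
  printf '10.0.0.5\n10.0.0.6\nfd00::7\n' | build_trusted_acl "$dir/named-trusted.conf"
  cat "$dir/named-trusted.conf"
  # Constructed named.conf with the include wrongly appended at the end
  printf 'options {\n  recursion yes;\n  allow-recursion { trusted; };\n};\ninclude "/etc/named-trusted.conf";\n' \
    > "$dir/named.conf"
  if audit_named_conf "$dir/named.conf"; then
    echo "named.conf: OK"
  else
    echo "named.conf: fix the findings above before restarting named"
  fi
  rm -rf "$dir"
}
demo
```

On a real host, pipe the node list into build_trusted_acl and run audit_named_conf against /etc/named.conf as the last step before named-checkconf; the audit only checks for the directives' presence, so named-checkconf is still needed to catch syntax errors.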


🚫 HTTP TRACE / TRACK Methods

TRACE and TRACK methods are legacy HTTP features that can be exploited for cross-site tracing (XST) attacks.

✅ Disable TRACE / TRACK

Create /etc/httpd/conf.d/disable-track-trace.conf with the following (mod_rewrite must be loaded):

# Reject TRACE and TRACK requests with 403 Forbidden
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Restart Apache:

systemctl restart httpd



📁 NFS Shares – World Readable Risk

Exposing NFS shares to the world can lead to unauthorized access and data leakage.

✅ Lock NFS to Cluster Nodes

#!/usr/bin/env bash
set -euo pipefail

echo "[NFS Exports Lock Down Started]"
export KUBECONFIG=/root/openstack-upi/auth/kubeconfig

# Backup, then rebuild /etc/exports with one entry per cluster node
cp /etc/exports /etc/exports-$(date +%s)
: > /etc/exports

# Column 6 of `oc get nodes -o wide` is the node INTERNAL-IP.
# no_root_squash lets root on a node act as root on the share; keep it
# only if the workloads actually need it.
for IP in $(oc get nodes -o wide --no-headers | awk '{print $6}'); do
  echo "/export ${IP}(rw,sync,no_root_squash,no_all_squash)" >> /etc/exports
done
echo "/export 127.0.0.1(rw,sync,no_root_squash,no_all_squash)" >> /etc/exports

# Re-export everything from the new file
exportfs -r
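As an added example (not part of the original post), here is a check that detects the world-readable condition this section describes, so it can be run against /etc/exports after the lock-down script or on any NFS host. audit_exports flags a path with no client list, a wildcard client, an option group with no host in front of it, and catch-all networks; it also warns about no_root_squash. The function name and the sample exports file in demo are my own constructions.

```shell
#!/bin/sh
# Added example: audit an /etc/exports file for world-reachable shares.
# Not part of the original post; function name is the editor's own.

# audit_exports FILE
# Prints one WORLD line for every export that is reachable from any client:
# a path with no client list at all, a wildcard client such as "*" or
# "*.example.com", an option group with no host in front of it ("/export (rw)"),
# or a catch-all network (0.0.0.0/0, ::/0). Prints a WARN line for
# no_root_squash, which lets root on the client act as root on the share.
# Returns 1 when at least one WORLD finding exists, otherwise 0.
audit_exports() (
  f=$1
  set -f                      # subshell: keep "*" from expanding to file names
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}          # drop comments
    set -- $line              # $1 = path, remaining words = client specs
    [ $# -eq 0 ] && continue
    path=$1; shift
    if [ $# -eq 0 ]; then
      echo "WORLD: $path has no client list"; rc=1; continue
    fi
    for spec in "$@"; do
      client=${spec%%\(*}     # host part before "(options)"
      case $client in
        ''|*'*'*|*'?'*|0.0.0.0/0|::/0)
          echo "WORLD: $path is exported to '${client:-*}'"; rc=1 ;;
      esac
      case $spec in
        *no_root_squash*) echo "WARN: $path -> $client uses no_root_squash" ;;
      esac
    done
  done < "$f"
  exit $rc
)

# Demonstration on a constructed exports file (not a real /etc/exports).
demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample: two locked-down entries and three open ones
/export 10.0.0.5(rw,sync,no_root_squash) 10.0.0.6(rw,sync,no_root_squash)
/data 127.0.0.1(ro)
/public *(rw)
/scratch
/srv (ro)
EOF
  if audit_exports "$f"; then
    echo "exports: OK"
  else
    echo "exports: world-reachable shares found"
  fi
  rm -f "$f"
}
demo
```

Run it as audit_exports /etc/exports; a non-zero exit status makes it usable as a guard in a cron job or a pre-restart hook.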

🔐 SSL Certificates – CLI Access Challenges

Managing the TLS certificates that back CLI access can be tricky, especially across cluster updates.

✅ Recommendations

  • Use the Ingress Node Firewall Operator to restrict access to sensitive ports.
  • Monitor and rotate certificates regularly.
  • Validate CLI certificate chains and ensure proper trust anchors are configured.
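The two checks behind the last two recommendations, as an added example that is not part of the original post: cert_expires_within answers the rotation question and chain_valid answers the trust-anchor question, both using the openssl CLI (assumed to be installed). kubeconfig_client_cert pulls the CLI user's certificate out of a kubeconfig so those checks can be applied to it; it assumes the installer's layout, where the first user carries the cert inline as client-certificate-data. make_test_pki builds a throwaway CA and client certificate purely so the checks can be exercised offline. Function names are my own.

```shell
#!/bin/sh
# Added example: certificate checks for CLI (oc) access. Not part of the
# original post; requires the openssl CLI; function names are the editor's own.

# cert_expires_within PEM DAYS -> 0 if the certificate expires within DAYS
# (or cannot be read, which is treated as needing attention), 1 otherwise.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# chain_valid CA_BUNDLE PEM -> 0 when PEM chains to a trust anchor in the bundle
chain_valid() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# kubeconfig_client_cert KUBECONFIG OUTFILE
# Extracts the first user's client certificate so it can be fed to the two
# checks above. Assumes the kubeconfig carries the cert inline as
# client-certificate-data (the layout the OpenShift installer produces).
kubeconfig_client_cert() {
  oc --kubeconfig "$1" config view --raw -o jsonpath='{.users[0].user.client-certificate-data}' \
    | base64 -d > "$2"
}

# make_test_pki DIR: constructed throwaway CA and 30-day client cert, used only
# to exercise the checks above offline.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=example-ca \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj /CN=example-client \
    -keyout "$1/client.key" -out "$1/client.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/client.pem" >/dev/null 2>&1 || return 1
}

# Demonstration on the constructed PKI (not a real cluster).
demo() {
  dir=$(mktemp -d)
  make_test_pki "$dir" || { echo "openssl not available"; rm -rf "$dir"; return 1; }
  if chain_valid "$dir/ca.pem" "$dir/client.pem"; then
    echo "chain: OK"
  else
    echo "chain: BROKEN"
  fi
  if cert_expires_within "$dir/client.pem" 60; then
    echo "client cert expires within 60 days: rotate it"
  else
    echo "client cert valid for more than 60 days"
  fi
  rm -rf "$dir"
}
demo
```

Against a real cluster, extract the certificate with kubeconfig_client_cert, then run chain_valid with the CA bundle the API server presents and cert_expires_within with whatever warning window your rotation process uses.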

Final Thoughts

Security in OpenShift UPI is not just about firewalls and RBAC—it’s about hardening every layer of the stack. By locking down DNS, HTTP, NFS, and SSL, you reduce your attack surface and protect your infrastructure from common threats.