A security scan identified a risk (v2/keys-v2/members) that needs to be addressed. How should this be handled?

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: 信息安全扫描出了个风险(v2/keys-v2/members),需要整改,请问这个改如何操作?

| username: LBX流鼻血

[TiDB Usage Environment] Production Environment / Testing / PoC
[TiDB Version] 4.0.6
An information security scan found a risk (v2/keys-v2/members) that needs to be addressed. How should this be handled?
K8S etcd interface unauthorized access
http://xx.xx.xx.xx:2379/v2/keys
http://xx.xx.xx.xx:2379/v2/members
Leaking the keys and member access addresses of all K8S nodes.

If these two interfaces are directly closed, will it cause the entire cluster to be unavailable?

The /v2/keys interface is used to obtain key-value pair information in the TiKV cluster. Through this interface, you can obtain all the key-value pair information stored in the TiKV cluster, including table metadata information, index information, data distribution information, etc. This interface can help you understand the overall status and data distribution of the TiKV cluster for optimization and adjustment.

The /v2/members interface is used to obtain member information of PD nodes. Through this interface, you can obtain the member list, member status, member roles, etc., of PD nodes. This interface can help you understand the overall status and member roles of PD nodes for troubleshooting and cluster management.

| username: cassblanca | Original post link

Shutting down port 2379 would cause significant issues. Simply stopping the interface should not be a big problem.

| username: 像风一样的男子 | Original post link

The firewall setting for port 2379 should only allow access from specified subnet servers and not be open to the outside for maximum security.
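One way to implement the subnet restriction this reply recommends, as an added example that is not from the thread or from TiDB itself: a POSIX shell script that generates iptables rules admitting only trusted CIDRs to the PD client port 2379, plus an audit function that reports the HTTP status the two flagged endpoints return from wherever it runs. The subnet values are constructed placeholders, and the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example (not from the forum thread). Restricts PD's client port
# (2379, the port the scanner flagged) to trusted subnets and audits exposure.
PD_CLIENT_PORT=2379

# Light CIDR sanity check: digits/dots, a slash, and a 0-32 prefix length.
valid_cidr() {
  case "$1" in
    *[!0-9./]*|"") return 1 ;;
  esac
  prefix=${1##*/}
  [ "$prefix" != "$1" ] || return 1          # no slash at all
  [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ]
}

# Print iptables commands: ACCEPT each trusted CIDR on tcp/2379, then DROP
# everything else reaching that port. Returns 1 on a malformed CIDR.
pd_firewall_rules() {
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    echo "iptables -A INPUT -p tcp -s $cidr --dport $PD_CLIENT_PORT -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport $PD_CLIENT_PORT -j DROP"
}

# Audit helper: report the HTTP status of the two endpoints named in the
# scan. A 200 from an untrusted network means the restriction is not in
# place; a timeout (reported as 000) from there is the expected result.
pd_exposure_check() {
  host=$1
  for path in /v2/keys /v2/members; do
    code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' \
      "http://$host:$PD_CLIENT_PORT$path") || code=000
    echo "$path $code"
  done
}

# Example: only the TiDB/TiKV/PD host subnets may reach PD (constructed values).
pd_firewall_rules 10.10.0.0/24 10.10.1.0/24
```

Run `pd_exposure_check <pd-host>` from a host outside the allowed subnets after applying the rules; 000 for both paths confirms the port is no longer reachable from there.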

| username: Fly-bird | Original post link

Give a thumbs up to the man like the wind; it’s fine as long as others can’t access it.

| username: system | Original post link

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.