fix(dra): restrict external usbip access #2571

Open
yaroslavborbat wants to merge 1 commit into main from fix/dra/protect-usbip-access

yaroslavborbat (Member) commented Jul 1, 2026

Description

Added a CiliumClusterwideNetworkPolicy for virtualization-dra USB/IP gateway nodes. The policy denies access to the USB/IP port from outside the cluster and from cluster nodes that are not marked as USB gateway nodes.

Why do we need it, and what problem does it solve?

USB/IP runs on the node network and exposes the USB/IP daemon port on node interfaces. Without network restrictions, a publicly reachable node interface could expose shared USB devices to unauthorized consumers.

What is the expected result?

The USB/IP daemon port is reachable only from cluster nodes marked as USB gateway nodes. External traffic and traffic from non-gateway cluster nodes are denied by Cilium host policy.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: module
type: fix
summary: "Restricted unauthorized access to the virtualization USB/IP gateway port."

Signed-off-by: Yaroslav Borbat <yaroslav.borbat@flant.com>
yaroslavborbat requested a review from Isteb4k as a code owner July 1, 2026 16:07
yaroslavborbat added this to the v1.10.0 milestone Jul 1, 2026