Edit This Page

Security Considerations

By default all connections between every provided node are secured via TLS by easyrsa, including the etcd cluster.

This page explains the security considerations of a deployed cluster and production recommendations.

Before you begin

This page assumes you have a working Juju deployed cluster.


The TLS and easyrsa implementations use the following layers.

layer-tls-client layer-easyrsa

Limiting ssh access

By default the administrator can ssh to any deployed node in a cluster. You can mass disable ssh access to the cluster nodes by issuing the following command.

juju model-config proxy-ssh=true

Note: The Juju controller node will still have open ssh access in your cloud, and will be used as a jump host in this case.

Refer to the model management page in the Juju documentation for instructions on how to manage ssh keys.