I'm a bit confused about using Longhorn, especially regarding its security. I really want to love this tool since I've had some nice experiences with it. However, I've got a significant concern about the security of my setup. I read online that you can't easily add basic authentication to either the service or the pod itself. While I can add auth to the UI, if I expose the Longhorn API to my home network, an attacker could potentially access the backend directly if they've compromised my network. Am I misunderstanding how this works? Also, I'm curious if there are any alternatives to Longhorn that provide similar backup capabilities, especially to S3, which is my primary use case.
1 Answer
You shouldn’t expose Longhorn directly to the internet. Instead, keep it behind a firewall or a VPN. You can use a restrictive NetworkPolicy to only allow access from specific pods. Also, if you only expose the UI and keep the API as a ClusterIP, that could secure your backend without needing to expose it directly. If you're worried about accessing the API from outside the cluster, you can do kubectl port-forward to access it locally instead.
That sounds smart! I thought I had to expose everything for browser access, but I see now how I could work around it.