How is the ceph cluster I can set up with Proxmox secured?

May 21, 2020
Proxmox allows easy creation of a ceph cluster.

However, ceph has quite a few components that talk to each other (don't remember which exactly as I don't quite remember the architecture completely).

All these components need to talk to each other, some also over the network.

It is not clear to me how Proxmox secures these components so that someone who might be able to gain access to a switchport on my network cannot intrude into my ceph storage or sniff packets.

Could you please write a WIKI article about how Proxmox secures the ceph cluster?


Thank you :)
 
To quickly address your question, the CEPH cluster network, which handles object replication and recovery traffic, should be on a separate network that is not reachable from a public network or the internet. This is done both for performance and security purposes.
https://docs.ceph.com/docs/mimic/rados/configuration/network-config-ref/

Furthermore, CEPH's public network should also be located on a restricted network.
This leaves just the server/client link with any kind of public exposure. With this in mind, I guess the PVE Firewall documentation would be a good place to start on how the nodes themselves are secured on the network:
https://pve.proxmox.com/wiki/Firewall#pve_firewall_default_rules
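
As an added example (not part of the original posts, and not Proxmox or Ceph tooling), a Python check of the network separation described in the reply above. It assumes the `public_network` and `cluster_network` options in the `[global]` section of a `ceph.conf`; the function names and the sample subnets are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample of a ceph.conf [global] section; the subnets are made up.
SAMPLE_CONF = """
[global]
    public_network = 10.10.10.0/24
    cluster_network = 10.10.20.0/24
"""

def read_networks(conf_text):
    """Return (public, cluster) lists of ip_network objects from ceph.conf text."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    # Strip indentation so indented keys are not read as continuation lines.
    parser.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    items = parser.items("global") if parser.has_section("global") else []
    # Ceph accepts "public network" and "public_network" as the same option.
    opts = {key.replace(" ", "_"): value for key, value in items}

    def nets(option):
        parts = [p.strip() for p in opts.get(option, "").split(",")]
        return [ipaddress.ip_network(p, strict=False) for p in parts if p]

    return nets("public_network"), nets("cluster_network")

def audit(conf_text):
    """Return a list of findings; an empty list means the separation checks pass."""
    public, cluster = read_networks(conf_text)
    findings = []
    if not public:
        findings.append("public_network is not set")
    if not cluster:
        findings.append("cluster_network is not set: replication uses the public network")
    for c in cluster:
        for p in public:
            if c.version == p.version and c.overlaps(p):
                findings.append(f"cluster_network {c} overlaps public_network {p}")
    for net in public + cluster:
        if net.is_global:
            findings.append(f"{net} is globally routable address space")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

An empty result only says the two networks are declared, distinct and in non-routable address space; whether they are actually isolated still depends on the switch and firewall configuration.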
 
> It is not clear to me how Proxmox secures these components so that someone who might be able to gain access to a switchport on my network cannot intrude into my ceph storage or sniff packets.

I'd argue, if someone can physically access your switch, Ceph traffic security is the least of your worries. This person can easily pull off live data from other nodes.

As security is a process, you best start off with the Ceph architecture guide. And as @harry700 said, look into our documentation.
https://docs.ceph.com/docs/nautilus/architecture/
https://pve.proxmox.com/pve-docs/pve-admin-guide.html