We are checking the firewall options in Proxmox VE 4.X in order to give clients control over rules. We create a PVEVMUser user for our clients and give them rights to their KVM, mainly for Console and Start-Stop.
At the Datacenter level we use plenty of IPSet lists and Security Groups.
In order for the firewall to work we may use the default PVEVMAdministrators or a new custom level with VM.Config.Network access.
Why are the datacenter options for IPSet and SecGroups exposed to PVEVMAdministrators?
Testing with even lower privileges, we see that a PVEVMUser cannot save rules (OK) but can see the firewall button in the GUI and also browse IPSets.
Firewall > Add Rule > Source: gets the list of IPSets in a dropdown
Firewall > Insert: Security Group > Security group: gets the list of Groups in a dropdown
Is this the expected behavior?
Am I missing something in the firewall concept? I hoped that users would have total isolation to xxx.fw rules only at the KVM level.