Hi,
without describing your threat analysis, there is little we can suggest.
Depending on its contents, it might be enough to leverage (sic!) the
existing ACL controls, confining each agent to certname-specific
locations, or you'd have to have completely separate masters to avoid a
central exploitation.
Best Regards, David
On 26.09.2012 10:14, Alex Harvey wrote:
Hi all,
I am interested to hear from anyone who might have deployed Puppet in a
large organisation with a lot of subnets firewalled off from each other.
I am considering having, if possible, a 'master' Puppet Master
controlling 'client' Puppet Masters that live on the firewalled
subnets. I would like to allow the client Puppet Masters to communicate
with the master Puppet Master only for the purpose of obtaining their
manifests for the local subnet. The Master Puppet Master in turn would
talk to a single git/code server. Then of course all the Puppet clients
on each subnet would only know about the local Puppet Masters.
Has anyone done this before or have any advice on whether or not this is
a good idea?
Best wishes,
Alex Harvey
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
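The certname-based ACL confinement mentioned in the reply, as an added example that is not part of the original thread: it assumes the auth.conf and fileserver.conf syntax of Puppet releases from the time of this thread, and the mount name "private" and its path are hypothetical.

```conf
# ---- auth.conf on the master ----
# Rules are evaluated top-down; the first rule matching path and method decides.

# Weak setting (shown commented out): any agent holding a signed certificate
# could request the catalog compiled for any other node.
# path ~ ^/catalog/([^/]+)$
# method find
# allow *

# Confined: $1 is the certname captured from the request path, so the
# request is allowed only when it equals the certname of the requesting
# agent's certificate.
path ~ ^/catalog/([^/]+)$
method find
allow $1

path ~ ^/node/([^/]+)$
method find
allow $1

# Tighter than an "allow *" rule on /report: an agent may only submit
# a report under its own certname.
path ~ ^/report/([^/]+)$
method save
allow $1

# ---- fileserver.conf on the master ----
# Hypothetical mount "private" with an assumed directory layout.
# %H is replaced with the fully qualified name taken from the agent's
# certificate, so each agent only sees its own subdirectory even though
# the mount itself is open to all authenticated agents.
[private]
  path /etc/puppet/private/%H
  allow *
```

These rules limit what one compromised agent can read from a shared master; they do not protect the agents if the master itself is compromised, which is the case the separate-masters option in the reply addresses.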