Project A-owned port can be on Project B network - bug or feature?

asked 2016-05-16 12:28:56 -0500

Matt G

If a user (e.g. "admin") is a member of multiple projects, that user can create a port in one project that attaches to the network of another project in which they are a member. This results in the ability to directly connect to a VM in another project as shown in this diagram, where VM-A and VM-B can ping each other via the same subnet:

[Diagram: VM-A and VM-B on the same subnet]

Used carefully, this may be a desirable feature, but it could also be considered a vulnerability (e.g. a careless admin copy/pastes the wrong network ID and bridges two completely different customers' networks).

I'm working on a project that could make use of this "feature", but I want to check if this is intended behaviour that will stick around, or if it's a bug that might be fixed in the future. Any insights greatly appreciated.

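An audit for the situation described in the question, as an added example that is not part of the original post: it flags ports whose owning project differs from the project that owns the network they sit on. The records are plain dicts using the Neutron API field names (`project_id`, `network_id`, `shared`, `router:external`); the function name, the treatment of ports with an empty `project_id` as service-owned, and all sample data are assumptions made for this example.

```python
# Added example: audit port/network records for cross-project attachments.
# Field names follow the Neutron API; every ID below is constructed sample data.

def find_cross_project_ports(ports, networks):
    """Return findings for ports attached to a network owned by another project.

    Shared and external networks are skipped, since ports from other projects
    are expected there. Ports with an empty project_id are treated as
    service-owned (assumption) and skipped as well.
    """
    net_by_id = {n["id"]: n for n in networks}
    findings = []
    for port in ports:
        port_project = port.get("project_id")
        net = net_by_id.get(port["network_id"])
        if net is None:
            # The auditing credentials cannot see this network, so ownership
            # cannot be compared; surface it rather than silently passing.
            findings.append({"port_id": port["id"], "reason": "network-not-visible",
                             "port_project": port_project, "network_project": None})
            continue
        if net.get("shared") or net.get("router:external"):
            continue
        if not port_project:
            continue
        if port_project != net["project_id"]:
            findings.append({"port_id": port["id"], "reason": "cross-project",
                             "port_project": port_project,
                             "network_project": net["project_id"]})
    return findings

# Constructed sample records.
NETWORKS = [
    {"id": "net-a", "project_id": "proj-a", "shared": False, "router:external": False},
    {"id": "net-b", "project_id": "proj-b", "shared": False, "router:external": False},
    {"id": "net-shared", "project_id": "proj-b", "shared": True, "router:external": False},
]
PORTS = [
    {"id": "port-1", "network_id": "net-a", "project_id": "proj-a"},       # same project
    {"id": "port-2", "network_id": "net-b", "project_id": "proj-a"},       # case in the question
    {"id": "port-3", "network_id": "net-shared", "project_id": "proj-a"},  # shared network
    {"id": "port-4", "network_id": "net-b", "project_id": ""},             # service-owned
    {"id": "port-5", "network_id": "net-gone", "project_id": "proj-a"},    # network not listed
]

if __name__ == "__main__":
    for finding in find_cross_project_ports(PORTS, NETWORKS):
        print(finding)
```

Run it with credentials that can list ports and networks across all projects; otherwise networks owned by other projects show up only as `network-not-visible`.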