
Tim Wright

02/18/2022, 8:48 PM
Hey everyone. Prefect Cloud user here. I know that in Prefect Cloud our actual code stays on our systems - and that our agent (in this case, a K8s agent in AKS) polls Prefect Cloud to determine when to run a flow (and with what parameters it should run). I was wondering if there are any ways to prevent/limit malicious users from executing in our infrastructure if an API key with deployment permissions was accidentally compromised? Is there anything we can do within the agent (or elsewhere) to prevent a bad actor from registering a flow with Prefect Cloud that could then get picked up by our agent?

Kevin Kho

02/18/2022, 8:56 PM
I think you are imagining somehow limiting the IP of machines that can register Flows so that even if the API key is compromised, we could reject new flows from being created from other places?

Tim Wright

02/18/2022, 9:47 PM
Yeah - that would do it. Is that a feature? Can we whitelist IPs that are able to access/register within Prefect Cloud?

Kevin Kho

02/18/2022, 10:05 PM
Not a feature at the moment, but with Orion (Prefect 2.0), you can host it in your infrastructure, which could control those connections.

Tim Wright

02/18/2022, 10:31 PM
Ok. Thanks, Kevin