When implementing this feature, the optional support for AUTHENTICATION using x509 client certificates should also be implemented.
Right now, the VNC port is both unencrypted and unauthenticated - anyone with network access to the compute node can connect to the VNC port and get console access. Even with encryption on, they can still do that just with an encrypted connection.
Authorization should be configured to ensure that only an authorized nova-cloud-controller novncproxy can connect to the nova-compute VNC port.
When implementing this feature, the optional support for AUTHENTICATION using x509 client certificates should also be implemented.
Right now, the VNC port is both unencrypted and unauthenticated - anyone with network access to the compute node can connect to the VNC port and get console access. Even with encryption on, they can still do that just with an encrypted connection.
Authorization should be configured to ensure that only an authorized nova-cloud- controller novncproxy can connect to the nova-compute VNC port.