Uploaded image for project: 'National Data Service'
  1. National Data Service
  2. NDS-561

Ansible deployment puts loadbalancer into a fully open security group


    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Normal Normal
    • None
    • None
    • Infrastructure
    • None
    • NDS Sprint 18

      Our Ansible deployment currently creates a security group on Nebula called "k8s_loadbalancer" which allows ingress and egress for all traffic to all IPs on all ports. This is likely way too open for what we need.

      With the addition of TLS being deployed on each new cluster, we can likely restrict this to only allow traffic through port 443. Previously, we have been allowing only port 80 and port 443, and adding the Kubernetes / Docker NodePort ranges when necessary during development. I think we can all agree that with ingress and Chisel, we no longer need to expose the Kubernetes NodePort range. We may need to discuss whether and how we plan to expose the Docker NodePorts, if at all (for example, the Clowder ToolServer).

      This ticket is complete when new clusters deployed via Ansible expose as few ports as possible while still allowing NDS Labs to fulfill all current use cases.

              lambert8 Sara Lambert
              lambert8 Sara Lambert
              0 Vote for this issue
              1 Start watching this issue


                  Original Estimate - 2 hours
                  Remaining Estimate - 2 hours
                  Time Spent - Not Specified
                  Not Specified