  1. National Data Service
  2. NDS-561

Ansible deployment puts loadbalancer into a fully open security group

Details

    • Bug
    • Resolution: Fixed
    • Normal
    • None
    • None
    • Infrastructure
    • None
    • NDS Sprint 18

    Description

      Our Ansible deployment currently creates a security group on Nebula called "k8s_loadbalancer" which allows ingress and egress for all traffic to all IPs on all ports. This is likely way too open for what we need.

      With the addition of TLS being deployed on each new cluster, we can likely restrict this to only allow traffic through port 443. Previously, we have been allowing only port 80 and port 443, and adding the Kubernetes / Docker NodePort ranges when necessary during development. I think we can all agree that with ingress and Chisel, we no longer need to expose the Kubernetes NodePort range. We may need to discuss whether and how we plan to expose the Docker NodePorts, if at all (for example, the Clowder ToolServer).

      This ticket is complete when new clusters deployed via Ansible expose as few ports as possible while still allowing NDS Labs to fulfill all current use cases.
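A check along the lines of the ticket's completion criterion, added here as an example (it is not code from the NDS Ansible deployment): it audits a group's ingress rules against an allowed set of TCP 443 only and flags any overlap with the default Kubernetes NodePort range (30000-32767). The rule dictionary layout, the helper names and the sample groups are assumptions constructed for illustration.

```python
from ipaddress import ip_network

ALLOWED_INGRESS = {("tcp", 443)}        # assumption: the ticket's target state
NODEPORT_RANGE = range(30000, 32768)    # Kubernetes default NodePort range


def audit_rule(rule):
    """Return findings for one rule; an empty list means acceptable."""
    if rule["direction"] != "ingress":
        return []                        # only ingress is audited in this sketch
    findings = []
    proto, lo, hi = rule.get("protocol"), rule.get("port_min"), rule.get("port_max")
    if proto is None or lo is None or hi is None:
        findings.append("all ports/protocols open")
    else:
        if any((proto, p) not in ALLOWED_INGRESS for p in range(lo, hi + 1)):
            findings.append(f"{proto} {lo}-{hi} outside allowed set")
        if lo <= NODEPORT_RANGE[-1] and hi >= NODEPORT_RANGE[0]:
            findings.append("overlaps Kubernetes NodePort range")
    # A missing CIDR is treated as "any source".
    if findings and ip_network(rule.get("cidr") or "0.0.0.0/0").prefixlen == 0:
        findings.append("reachable from any address")
    return findings


def audit_group(rules):
    """Map rule index -> findings, omitting rules with no findings."""
    report = {i: audit_rule(r) for i, r in enumerate(rules)}
    return {i: f for i, f in report.items() if f}


def make_rule(direction, protocol=None, port_min=None, port_max=None,
              cidr="0.0.0.0/0"):
    """Build a rule dict in the hypothetical layout used by this example."""
    return {"direction": direction, "protocol": protocol,
            "port_min": port_min, "port_max": port_max, "cidr": cidr}


# Constructed samples: the fully open group, the earlier dev setup, the target.
OPEN_GROUP = [make_rule("ingress"), make_rule("egress")]
DEV_GROUP = [make_rule("ingress", "tcp", 80, 80),
             make_rule("ingress", "tcp", 443, 443),
             make_rule("ingress", "tcp", 30000, 32767)]
TARGET_GROUP = [make_rule("ingress", "tcp", 443, 443)]

if __name__ == "__main__":
    for name, group in (("open", OPEN_GROUP), ("dev", DEV_GROUP),
                        ("target", TARGET_GROUP)):
        print(name, audit_group(group))
```

Run against an export of the deployed group's rules, an empty report means the group matches the 443-only target; any Docker NodePort exception the team agrees on would be added to `ALLOWED_INGRESS` explicitly.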

              People

                lambert8 Sara Lambert

                  Time Tracking

                    Estimated: 2h
                    Remaining: 2h
                    Logged: Not Specified
