National Data Service / NDS-561

Ansible deployment puts loadbalancer into a fully open security group


    • Bug
    • Resolution: Fixed
    • Normal
    • Infrastructure
    • NDS Sprint 18

      Our Ansible deployment currently creates a security group on Nebula called "k8s_loadbalancer" which allows ingress and egress for all traffic to all IPs on all ports. This is likely way too open for what we need.

      With the addition of TLS being deployed on each new cluster, we can likely restrict this to only allow traffic through port 443. Previously, we have been allowing only port 80 and port 443, and adding the Kubernetes / Docker NodePort ranges when necessary during development. I think we can all agree that with ingress and Chisel, we no longer need to expose the Kubernetes NodePort range. We may need to discuss whether and how we plan to expose the Docker NodePorts, if at all (for example, the Clowder ToolServer).

      This ticket is complete when new clusters deployed via Ansible expose as few ports as possible while still allowing NDS Labs to fulfill all current use cases.
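An audit check for the condition described above, added here as an example and not taken from the ticket or the NDS Ansible code. The rule field names and sample rules are constructed, and the allowed set {443} is an assumption based on the restriction the ticket proposes.

```python
import ipaddress

ALLOWED_INGRESS_PORTS = {443}  # assumption: the TLS-only target proposed in the ticket

# Constructed sample rules; field names are hypothetical, not a cloud API schema.
OPEN_GROUP = [  # what the ticket reports: all traffic, all IPs, all ports
    {"direction": "ingress", "protocol": None, "port_min": None, "port_max": None, "cidr": "0.0.0.0/0"},
    {"direction": "egress", "protocol": None, "port_min": None, "port_max": None, "cidr": "0.0.0.0/0"},
]
RESTRICTED_GROUP = [
    {"direction": "ingress", "protocol": "tcp", "port_min": 443, "port_max": 443, "cidr": "0.0.0.0/0"},
    # 30000-32767 is the Kubernetes default NodePort range, here limited to a private subnet
    {"direction": "ingress", "protocol": "tcp", "port_min": 30000, "port_max": 32767, "cidr": "10.0.0.0/24"},
]

def is_world_open(cidr):
    """True when the source covers every address (0.0.0.0/0, ::/0, or no CIDR at all)."""
    return cidr is None or ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_ingress(rules, allowed_ports=ALLOWED_INGRESS_PORTS):
    """Return (rule index, reason) for each world-open ingress rule exceeding allowed_ports."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["direction"] != "ingress" or not is_world_open(rule.get("cidr")):
            continue
        proto = rule.get("protocol")
        if proto != "tcp":
            # A missing protocol means "any"; non-TCP exposure is never in the allowed set.
            findings.append((i, f"protocol {proto or 'any'} open to the world"))
            continue
        # A missing port bound means the rule covers the whole range on that side.
        lo = rule["port_min"] if rule.get("port_min") is not None else 1
        hi = rule["port_max"] if rule.get("port_max") is not None else 65535
        extra = (hi - lo + 1) - sum(1 for p in allowed_ports if lo <= p <= hi)
        if extra:
            findings.append((i, f"tcp {lo}-{hi} exposes {extra} port(s) beyond {sorted(allowed_ports)}"))
    return findings

if __name__ == "__main__":
    for name, group in (("open", OPEN_GROUP), ("restricted", RESTRICTED_GROUP)):
        print(name, audit_ingress(group))
```

Run against an export of the deployed group's rules, a non-empty result means the cluster still exposes more than the intended ports.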

              lambert8 Sara Lambert

                  Original Estimate: 2 hours
                  Remaining Estimate: 2 hours
                  Time Spent: Not Specified