Node SSH security group enhance #248
Comments
/kind/enhancement
Please leave the ticket unassigned. I will check with @jfortin-sap
@tedteng I guess we are using 0.0.0.0/22 because we cannot determine the IP of the gardenctl client host. Maybe we can use the public IP gathered from "http://ifconfig.co"?
Take AWS as an example: SSH local => Bastion => Cluster host node. The Bastion security group has already been changed to only allow public IP access now, but on the cluster host node port 22 is open to 0.0.0.0/0. I suggest that on the cluster host node we use the Bastion internal IP instead of 0.0.0.0/0.
@tedteng I agree, working on it
/assign
Describe the bug
Currently, the Bastion server only allows the user's public IP to access it. The shoot node's security group opens port 22 to 0.0.0.0/0 to allow Bastion server access when using `gardenctl ssh`. However, the SSH security group may remain on the shoot node when `gardenctl ssh` exits unexpectedly, which means there is no restriction on access to the shoot node. What about using the internal IP of the Bastion server instead of 22 0.0.0.0/0 in the SSH security group of the shoot node to minimize the security risk?
GCP/AZ/AWS
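The change proposed in this issue, as an added example that is not gardenctl's own code: a small Go program that models a node security group's ingress rules with a simplified struct (an assumption, not the AWS SDK type), reports every rule that admits port 22 from 0.0.0.0/0, and rewrites the exact "tcp/22 from anywhere" rule to the bastion's private IP as a /32. Rules that expose port 22 only as part of a wider range or an all-traffic rule are left alone and returned for manual review, since narrowing them would also cut other ports. The sample rule set and the bastion address 10.250.1.7 are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// IngressRule is a simplified stand-in for one security group ingress
// permission (assumption for this example; not the cloud provider's type).
type IngressRule struct {
	Protocol string // "tcp", "udp" or "-1" for all traffic
	FromPort int
	ToPort   int
	CIDR     string
}

// SampleNodeRules is a constructed rule set for a shoot node security group.
// The first rule is the one the issue describes: port 22 open to the world.
var SampleNodeRules = []IngressRule{
	{Protocol: "tcp", FromPort: 22, ToPort: 22, CIDR: "0.0.0.0/0"},
	{Protocol: "tcp", FromPort: 443, ToPort: 443, CIDR: "0.0.0.0/0"},
	{Protocol: "tcp", FromPort: 22, ToPort: 22, CIDR: "10.250.0.0/16"},
	{Protocol: "-1", FromPort: -1, ToPort: -1, CIDR: "0.0.0.0/0"},
}

// coversSSH reports whether the rule admits TCP port 22 (all-traffic rules do).
func coversSSH(r IngressRule) bool {
	if r.Protocol == "-1" {
		return true
	}
	return r.Protocol == "tcp" && r.FromPort <= 22 && r.ToPort >= 22
}

// isWorldOpen reports whether the CIDR has a zero-length prefix (0.0.0.0/0 or ::/0).
func isWorldOpen(cidr string) bool {
	_, network, err := net.ParseCIDR(cidr)
	if err != nil {
		return false
	}
	ones, _ := network.Mask.Size()
	return ones == 0
}

// FindWorldOpenSSH returns the rules that allow SSH from any source address.
func FindWorldOpenSSH(rules []IngressRule) []IngressRule {
	var found []IngressRule
	for _, r := range rules {
		if coversSSH(r) && isWorldOpen(r.CIDR) {
			found = append(found, r)
		}
	}
	return found
}

// HardenSSHRules returns the rule set with every world-open "tcp/22" rule
// replaced by the same port scoped to bastionPrivateIP/32. Rules that open
// port 22 to the world only as part of a wider range are kept unchanged and
// also returned in review, so an operator can split them by hand.
func HardenSSHRules(rules []IngressRule, bastionPrivateIP string) (hardened, review []IngressRule, err error) {
	ip := net.ParseIP(bastionPrivateIP)
	if ip == nil || ip.To4() == nil {
		return nil, nil, fmt.Errorf("bastion private IP %q is not a valid IPv4 address", bastionPrivateIP)
	}
	bastionCIDR := ip.To4().String() + "/32"
	for _, r := range rules {
		switch {
		case !coversSSH(r) || !isWorldOpen(r.CIDR):
			hardened = append(hardened, r) // not an SSH exposure; keep as-is
		case r.Protocol == "tcp" && r.FromPort == 22 && r.ToPort == 22:
			hardened = append(hardened, IngressRule{Protocol: "tcp", FromPort: 22, ToPort: 22, CIDR: bastionCIDR})
		default:
			hardened = append(hardened, r) // wider rule: cannot narrow safely here
			review = append(review, r)
		}
	}
	return hardened, review, nil
}

func main() {
	fmt.Println("world-open SSH rules before:", FindWorldOpenSSH(SampleNodeRules))
	hardened, review, err := HardenSSHRules(SampleNodeRules, "10.250.1.7")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("hardened rules:", hardened)
	fmt.Println("needs manual review:", review)
}
```

The same check is worth running after `gardenctl ssh` exits, because the issue's point is that the rule can outlive the session: a leftover tcp/22 from 0.0.0.0/0 is what FindWorldOpenSSH flags, and the bastion-scoped /32 is what should remain if the rule cannot be removed outright.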