This repository has been archived by the owner on Jul 25, 2022. It is now read-only.

Node SSH security group enhance #248

Closed
tedteng opened this issue Aug 6, 2020 · 7 comments · Fixed by #254
kind/enhancement Enhancement, improvement, extension

Comments

@tedteng
Contributor

tedteng commented Aug 6, 2020

Describe the bug
Currently, the Bastion Server only allows the user's public IP to access it. shoot-node creates a security group that opens port 22 to 0.0.0.0/0 to allow Bastion Server access when using gardenctl ssh.

However, the SSH security group may remain on shoot-node when gardenctl ssh exits unexpectedly, which means there is no restriction on access to shoot-node.

What about using the internal IP of the Bastion Server instead of 22 0.0.0.0/0 in the SSH security group of shoot-node, to minimize the security risk?

GCP/AZ/AWS

@tedteng
Contributor Author

tedteng commented Aug 6, 2020

/kind/enhancement

@gardener-robot gardener-robot added the kind/enhancement Enhancement, improvement, extension label Aug 6, 2020
@tedteng
Contributor Author

tedteng commented Aug 6, 2020

Please leave the ticket unassigned. I will check with @jfortin-sap

@jfortin-sap-zz

@tedteng I guess we are using 0.0.0.0/22 because we cannot determine the IP of the gardenctl client host. Maybe we can use the public IP gathered from "http://ifconfig.co"?

@tedteng
Contributor Author

tedteng commented Aug 10, 2020

@tedteng I guess we are using 0.0.0.0/22 because we cannot determine the IP of the gardenctl client host. Maybe we can use the public IP gathered from "http://ifconfig.co"?

Take AWS as an example, SSH local => Bastion => Cluster Host node

The Bastion security group has already been changed to only allow public IP access now.
https://github.com/gardener/gardenctl/blob/b7303bd65d5ac37c64c791e25f4fa4bf52eeaf90/pkg/cmd/ssh_aws.go#L179

but on the Cluster Host node it is port 22 and 0.0.0.0/0
https://github.com/gardener/gardenctl/blob/b7303bd65d5ac37c64c791e25f4fa4bf52eeaf90/pkg/cmd/ssh_aws.go#L184

I suggest that on the Cluster Host node we use the Bastion internal IP instead of 0.0.0.0/0,
in case of resource leaking that leaves port 22 0.0.0.0/0 open on the Cluster Host node.
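The two halves of the suggestion above, as an added Go example that is not gardenctl's own code: build the node-side SSH rule as a /32 on the bastion's internal IP, and detect the leaked wide-open rule a crashed session leaves behind. The `IngressRule` struct is a constructed stand-in for the cloud API's ingress permission, and the IP addresses are made up.

```go
package main

import (
	"fmt"
	"net"
)

// IngressRule is a constructed stand-in for a security-group ingress permission.
// Protocol "-1" means "all traffic", as in the AWS API.
type IngressRule struct {
	Protocol string
	FromPort int
	ToPort   int
	CIDR     string
}

// NodeSSHRule builds the rule proposed in the thread: TCP/22 on the shoot-node
// security group, limited to the bastion's internal IPv4 address as a /32.
func NodeSSHRule(bastionPrivateIP string) (IngressRule, error) {
	ip := net.ParseIP(bastionPrivateIP)
	if ip == nil || ip.To4() == nil {
		return IngressRule{}, fmt.Errorf("invalid bastion IPv4 address %q", bastionPrivateIP)
	}
	return IngressRule{Protocol: "tcp", FromPort: 22, ToPort: 22, CIDR: ip.To4().String() + "/32"}, nil
}

// coversSSH reports whether a rule admits port 22, including port ranges and "all traffic".
func coversSSH(r IngressRule) bool {
	return r.Protocol == "-1" || (r.Protocol == "tcp" && r.FromPort <= 22 && r.ToPort >= 22)
}

// LeftoverOpenSSH returns the rules that leave SSH reachable from any address
// (0.0.0.0/0 or ::/0), i.e. the state a leaked security group would be in.
func LeftoverOpenSSH(rules []IngressRule) []IngressRule {
	var found []IngressRule
	for _, r := range rules {
		_, n, err := net.ParseCIDR(r.CIDR)
		if err != nil {
			continue // malformed CIDR: not a usable rule, skip it
		}
		if ones, _ := n.Mask.Size(); ones == 0 && coversSSH(r) {
			found = append(found, r)
		}
	}
	return found
}

func main() {
	// Constructed sample: the leaked wide-open rule next to the proposed replacement.
	restricted, _ := NodeSSHRule("10.250.0.5")
	fmt.Println(LeftoverOpenSSH([]IngressRule{{"tcp", 22, 22, "0.0.0.0/0"}, restricted}))
}
```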

@jfortin-sap-zz

@tedteng I agree, working on it

@jfortin-sap-zz

/assign

@jfortin-sap-zz

@tedteng PR opened #254
