fix: allow only credhub and uaa for apps #434
Conversation
Removes the internal security group that allows apps to communicate to the k8s service and pod IP ranges. Instead, create internal security groups allowing apps to communicate with credhub and UAA only. Co-authored-by: Mark Yen <mark.yen@suse.com>
| value: /var/vcap/packages/cf-cli-6-linux/bin | ||
| - name: CF_API | ||
| value: https://api.((system_domain)) | ||
| - name: CF_USERNAME |
There was a problem hiding this comment.
This should be done with a client credential instead (so if the admin ever changes the password restarting the job won't be a problem).
| - name: CF_CLI_PATH | ||
| value: /var/vcap/packages/cf-cli-6-linux/bin | ||
| - name: CF_API | ||
| value: https://api.((system_domain)) |
There was a problem hiding this comment.
Should we be using the internal host name for CC for this? (Mostly thinking about things like "what if the external endpoint is behind a load balancer we can't reach from the inside", and "which SSL cert is that going to use")
There was a problem hiding this comment.
Hmm. I'll try to connect to the internal hostname and load the CA cert to be able to remove --skip-ssl-validation from the cf api command.
deploy/helm/kubecf/assets/scripts/jobs/cf-cli-6-linux/setup_internal_security_group.sh
Outdated
Show resolved
Hide resolved
| sleep 1 | ||
| done | ||
|
|
||
| cf api --skip-ssl-validation "${CF_API}" |
There was a problem hiding this comment.
Can we do anything to avoid the --skip-ssl-validation?
There was a problem hiding this comment.
+1, we can't leave insecure in
also --silent is a bad idea
There was a problem hiding this comment.
@viovanov I guess the --silent is regarding the curl command. That command will be triggered multiple times, and we don't want it to spam logs.
For the --skip-ssl-validation, I have a plan for it that ties with the comment above about using the internal hostname.
| sleep 1 | ||
| done | ||
|
|
||
| cf api --skip-ssl-validation "${CF_API}" |
There was a problem hiding this comment.
+1, we can't leave insecure in
also --silent is a bad idea
Co-Authored-By: Mark Yen <3977982+mook-as@users.noreply.github.com>
…ec-group fix: allow only credhub and uaa for apps
Description
Removes the internal security group that allows apps to communicate to the k8s service and pod IP ranges. Instead, create internal security groups allowing apps to communicate with credhub and UAA only.
Motivation and Context
We currently have some internal app security group stuff for CredHub (from #281); this requires the administrator to set
kube.service_cluster_ip_rangeandkube.pod_cluster_ip_rangein their helm values. This is unwieldy and error-prone; we should instead auto-detect the appropriate values and set the application security groups from code.This fixes #304.
How Has This Been Tested?
Manually, running CATS and asserting that the credhub suite pass.
Types of changes
Checklist: