SovereignCloudStack / k8s-cluster-api-provider

Automation to use the OpenStack Kubernetes API Provider on SCS
https://scs.community/

Add ability to limit access to k8s API #246

Closed garloff closed 1 year ago

garloff commented 2 years ago

Currently, the load balancer in front of the kube-apiserver (:6443) allows connections from everywhere, so you can manage the created workload k8s cluster from anywhere (if you have a kubeconfig with the right certificate). This has some downsides:

The idea is that we introduce a new parameter, allowing the user to specify an array of IP ranges (CIDRs). Default would be 0/0, as today. If a range different from 0/0 is specified, the implementation would need to add the NODE_CIDR range to it (so cluster-internal connections to the API work) as well as the FIPs of the management cluster[*], so the kubectl connections from it work.

[*] Should we allow the IPs used for SNAT of outgoing connections from this cloud provider? This would ensure access even in case of changes in the management cluster ... On the other hand, any evil party with an account on this cloud could again talk to the API server and "only" be protected by not having the needed client cert. If a user really cares to not want 0/0 access, I would assume that we should be restrictive here, so my weak opinion on this is "no".

garloff commented 2 years ago

Maybe a value of "null" should be supported, allowing ONLY the automatically added ranges (NODE_CIDR and mgmt node FIP).

garloff commented 2 years ago

This would be implemented in the loadbalancer listener settings in front of kubeapi:

```
openstack loadbalancer listener set --allowed-cidr 10.0.0.0/8 --allowed-cidr 172.16.0.0/12 --allowed-cidr 192.168.0.0/16 --allowed-cidr MGMTHOSTI/32
```

Of course we could also allow our own range of outgoing (NATted) IP addresses. Plus anything the customer wants.
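The allow-list rules proposed in the comments above (0/0 stays open, any other list gets NODE_CIDR and the management FIPs appended, "null" keeps only those automatic ranges), as an added example that is not part of the thread or the project's code. The function names, the listener name `kubeapi-listener` and all addresses are assumptions constructed for illustration; IPv4 only.

```python
import ipaddress
import shlex

OPEN = ipaddress.IPv4Network("0.0.0.0/0")

def _net(cidr):
    # The issue writes the open range as "0/0"; ipaddress rejects that shorthand.
    if cidr.strip() == "0/0":
        return OPEN
    # strict parsing (the default) raises ValueError for entries with host
    # bits set, e.g. 10.0.0.1/8, so typos fail instead of being reinterpreted.
    return ipaddress.IPv4Network(cidr.strip())

def effective_allowed_cidrs(user_cidrs, node_cidr, mgmt_fips):
    """Return the CIDR strings to set on the kube-apiserver listener.

    user_cidrs: list of CIDR strings, or None for the proposed "null" setting
                (only the automatically added ranges are allowed).
    """
    user = [_net(c) for c in (user_cidrs or [])]
    if OPEN in user:
        return [str(OPEN)]  # today's behaviour: reachable from everywhere
    # Automatic entries: cluster-internal range plus each management FIP as /32.
    auto = [_net(node_cidr)] + [ipaddress.IPv4Network(f"{ip}/32") for ip in mgmt_fips]
    # collapse_addresses drops duplicates and ranges contained in wider ones.
    return [str(n) for n in ipaddress.collapse_addresses(user + auto)]

def listener_set_argv(listener, cidrs):
    """Build the 'openstack loadbalancer listener set' call from the thread."""
    argv = ["openstack", "loadbalancer", "listener", "set"]
    for cidr in cidrs:
        argv += ["--allowed-cidr", cidr]
    return argv + [listener]

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    cidrs = effective_allowed_cidrs(["198.51.100.0/24"], "10.8.0.0/20", ["203.0.113.10"])
    print(shlex.join(listener_set_argv("kubeapi-listener", cidrs)))
```
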

garloff commented 2 years ago

Is relevant and should be addressed.

garloff commented 1 year ago

See https://cluster-api-openstack.sigs.k8s.io/clusteropenstack/configuration.html#restrict-access-to-the-api-server