Closed teemow closed 1 year ago
I put some thought into this. I don't have everything clear in my head yet, but I feel like a wireguard-based solution along the lines of tailscale is the way to go. We could drop bastion hosts completely and make all nodes become a part of the wireguard network (one network for each cluster + one for employees). For security reasons I don't think we can adopt a full mesh topology, but we still have to rely on a hub-and-spoke topology like we partially do now. The difference between our legacy setup and the one I'm proposing is that we would use the wireguard hub as jumphost for all nodes for both k8s API and SSH access.
We would need a wireguard "control plane" in order to make this work in a manageable way, but in all my research I didn't find any that would be ready to use for us. A list of some I've looked at:
Happy to check out other alternatives if you know any.
I also thought for a second about implementing a custom solution in-house, but it's just too much work to make sense IMHO.
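As an added illustration of the hub-and-spoke layout proposed in the comment above (this is not configuration from the project or from the comment's author), the minimal WireGuard configuration below shows a hub that relays traffic between an employee peer and a cluster node peer, while the spokes only ever hold a key for the hub. Addresses (10.100.0.0/24), the hostname `hub.example.invalid`, and all key placeholders are constructed for the example. The hub must have IP forwarding enabled (`net.ipv4.ip_forward=1`), and the forwarding rules that actually enforce "hub as jumphost" (which spoke may reach which node, on which port) are assumed to be applied with the hub's host firewall and are not shown here.

```ini
# --- Hub (wg0.conf) ---
# The only peer each spoke knows about. Each [Peer] entry lists the single
# /32 that peer is allowed to source packets from, so a spoke cannot spoof
# another spoke's address toward the hub.
[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# employee laptop
PublicKey = <EMPLOYEE_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.100.0.10/32

[Peer]
# cluster node
PublicKey = <NODE_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.100.0.20/32

# --- Employee laptop (wg0.conf) ---
# No node keys are distributed to employees: the laptop routes the whole
# overlay through the hub, which decides (via forwarding rules) what is reachable.
[Interface]
Address = 10.100.0.10/32
PrivateKey = <EMPLOYEE_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <HUB_PUBLIC_KEY_PLACEHOLDER>
Endpoint = hub.example.invalid:51820
AllowedIPs = 10.100.0.0/24
PersistentKeepalive = 25

# --- Cluster node (wg0.conf) ---
# The node likewise trusts only the hub. AllowedIPs covers the overlay so
# that packets the hub forwards on behalf of 10.100.0.10 are accepted.
[Interface]
Address = 10.100.0.20/32
PrivateKey = <NODE_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <HUB_PUBLIC_KEY_PLACEHOLDER>
Endpoint = hub.example.invalid:51820
AllowedIPs = 10.100.0.0/24
PersistentKeepalive = 25
```

The point of the layout is that a compromised or lost spoke only carries the hub's public key and its own private key, so it cannot open a direct tunnel to any node; every session to a node's SSH or Kubernetes API port has to transit the hub, which is the single place to log and filter it.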
We decided to use Teleport for SSH and cluster access (Kubernetes API). Closing.
In case all installations are private (at least the management api and the workload cluster k8s endpoints). How do we connect to them? How do we connect to all nodes to have SSH access?