Add option to restrict inbound connectivity to k8s (or all deployments)

[sebastian-luna-valero]

Hi,

The option to restrict inbound connectivity is available to deploy VMs:

However, it's not available when deploying k8s, which is desirable to restrict public access to the admin endpoints.

Would it be possible add this option?

In general it would be good to have this option available across all the templates so the end user can enable an additional security layer to protect the virtual infrastructure.

Best regards, Sebastian

[micafer]

Hi @sebastian-luna-valero,

This option is added in the TOSCA document. I can add it in the templates that you want.

[sebastian-luna-valero]

Many thanks, @micafer

Please add it to https://appsgrycap.i3m.upv.es:31443/im-dashboard/configure?selected_tosca=kubernetes.yaml first.

I will do a test and then propose a list for the rest of them.

[micafer]

Hi @sebastian-luna-valero,

Yo have it done in the devel instance: https://appsgrycap.i3m.upv.es:31443/im-dashboard-dev/configure?selected_tosca=kubernetes.yaml

Could you please test it?

[sebastian-luna-valero]

Thanks, @micafer

• With https://appsgrycap.i3m.upv.es:31443/im-dashboard-dev/configure?selected_tosca=kubernetes.yaml

Port 22 is still allowing connections from 0.0.0.0/0

• With https://appsgrycap.i3m.upv.es:31443/im-dashboard-dev/configure?selected_tosca=simple-node-disk.yml

I have the following cidr-22: produces Error creating infrastructure: Invalid value in property 'outports'. cidr-22,80: allow the creation of the VM but:

Port 80 is still allowing connections from 0.0.0.0/0

[sebastian-luna-valero]

Oh wait,

Restricting inbound connectivity for port 22 with cidr-22 will block the Ansible configuration done by IM?

[micafer]

Thanks, @micafer

• With https://appsgrycap.i3m.upv.es:31443/im-dashboard-dev/configure?selected_tosca=kubernetes.yaml

Port 22 is still allowing connections from 0.0.0.0/0

Yes it must be opened to allow IM service to configure it.

• With https://appsgrycap.i3m.upv.es:31443/im-dashboard-dev/configure?selected_tosca=simple-node-disk.yml

I have the following cidr-22: produces Error creating infrastructure: Invalid value in property 'outports'. cidr-22,80: allow the creation of the VM but:

Port 80 is still allowing connections from 0.0.0.0/0

I have tried: 8.8.0.0/24-22 and it worked for me. 8.8.0.0/24-443,8.8.0.0/24-80 use this format to open a set of ports with remote cidr.

[sebastian-luna-valero]

I see, thanks!

Ok, personally I mostly use these two templates for the time being:

• https://appsgrycap.i3m.upv.es:31443/im-dashboard/configure?selected_tosca=kubernetes.yaml
• https://appsgrycap.i3m.upv.es:31443/im-dashboard/configure?selected_tosca=simple-node-disk.yml

I don't want to give you extra work by adding this feature to more templates unless other people find it useful, so from my point of view, this is the change that I would like to see in the production instance of IM Dashboard.

Regarding SSH, I just had a random idea. Would it be a good idea that IM added its own cidr-22 automatically, in addition to the user's cidr-22?

[micafer]

Regarding SSH, I just had a random idea. Would it be a good idea that IM added its own cidr-22 automatically, in addition to the user's cidr-22?

Yes but it should be implemented at the level of the IM service. I have to think about it.

[sebastian-luna-valero]

Thanks, but in my opinion this is an "optional, nice to have" feature so do not include it in the top priority list of things to do.