ministryofjustice / cloud-platform

Documentation on the MoJ cloud platform
MIT License

Feature request - centrally managed whitelists #941

Closed rossjones closed 4 years ago

rossjones commented 5 years ago

Service name

PVB + Offender-management

Service environment

Problem description

On the understanding that this is not currently available without significant effort and without getting into the pros and cons of whitelisting, I'd like to suggest a feature for consideration (eventually).

Currently all teams are responsible for managing their own whitelists, should they have a need to restrict network access to their services. In our case (and this is certainly anecdata) this means we have to whitelist quantum/prisons, moj and pingdom. Recent events had us scrambling around trying to update the whitelists on all of our services, and I suspect that others were in the same situation - luckily, we weren't live. Whilst it is relatively straightforward to update and re-apply IP addresses, it seems that it is not efficient for dozens of teams to have to do this if it could be managed centrally, mitigating the impact of unexpected IP changes.

If there were a list of moj-cidr-addresses it would be much easier for us to whitelist based on a hypothetical key in that list which would take care of updating the whitelist on behalf of teams that need it. e.g. I'm just about to add 100 individual IPs (/32) to our whitelist in ingress, what I really want is for our whitelist to contain 'pingdom'. This would hopefully mean that the list could be managed centrally and:

Contact person

@rossjones

solidgoldpig commented 5 years ago

👍 (caveats about the awfulness of whitelists aside)

digitalronin commented 5 years ago

When I was here last time, we set up this repository as a central source of truth for MoJ IP addresses that need to be whitelisted. The intention was to have something centrally maintained, which all teams could use, rather than having to maintain their own whitelists. It seems to still be being maintained. @rossjones @solidgoldpig are you aware of this?

rossjones commented 5 years ago

Yes, I’m aware, but I don’t think it solves the problem I’m trying to request a fix for.

If I could whitelist based on the keys in that yaml file, and cloud platform took care of making sure the correct addresses were listed, I think it would be a lot more efficient than teams doing it themselves.
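The resolution step the thread is asking for, as an added example (this is not cloud-platform code and was not posted by anyone in the thread): a central list maps group names to CIDR blocks, a team's ingress names groups such as `pingdom` and `moj` (or literal CIDRs), and a resolver expands those into a validated, collapsed whitelist and reports what changed when the central list is updated. The central list, group names and addresses are constructed sample data (RFC 5737 documentation ranges), the flat YAML subset and its hand-written parser stand in for a real YAML library, and the annotation name assumed is the ingress-nginx `nginx.ingress.kubernetes.io/whitelist-source-range`.

```python
"""Resolve named groups from a central CIDR list into an ingress whitelist.

Added example for this thread; not the cloud-platform code.  The central
list and addresses below are constructed (RFC 5737 ranges), and the
annotation name assumes ingress-nginx.
"""
import ipaddress

# Constructed stand-in for a centrally maintained "moj-cidr-addresses"
# style file: group name -> list of CIDR blocks.  Not the real MoJ list.
CENTRAL_LIST_YAML = """\
# group name -> CIDR blocks (constructed sample data)
pingdom:
  - 203.0.113.0/26
  - 198.51.100.16/32
  - 198.51.100.17/32   # adjacent to the /32 above; collapses to a /31
moj:
  - 192.0.2.0/24
quantum:
  - 198.51.100.128/25
"""


def parse_cidr_lists(text):
    """Parse the flat 'name:' / '  - cidr' YAML subset used above.

    Dependency-free on purpose; a real implementation would use a YAML
    library.  Comments and blank lines are ignored.
    """
    groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("  - "):
            if current is None:
                raise ValueError(f"list item before any group name: {raw!r}")
            groups[current].append(line[4:].strip())
        elif not line.startswith(" ") and line.endswith(":"):
            current = line[:-1].strip()
            groups[current] = []
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return groups


def resolve_whitelist(groups, wanted):
    """Expand group names (or literal CIDRs) into validated, collapsed networks.

    Returns IPv4 networks followed by IPv6 networks, each sorted, with
    adjacent and overlapping blocks merged, so a group of many individual
    /32s becomes as few ranges as possible.
    """
    nets = []
    for item in wanted:
        members = groups.get(item)
        if members is None:
            members = [item]  # not a group name, so it must be a literal CIDR
        for cidr in members:
            try:
                # strict=True rejects host bits set in the prefix, e.g. 192.0.2.5/24
                nets.append(ipaddress.ip_network(cidr, strict=True))
            except ValueError as exc:
                where = f"group {item!r}" if item in groups else "whitelist entry"
                raise ValueError(f"{where}: invalid CIDR or unknown group {cidr!r}") from exc
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_annotation(nets):
    """Value for the (assumed) ingress-nginx annotation
    nginx.ingress.kubernetes.io/whitelist-source-range: comma-separated CIDRs."""
    return ",".join(str(n) for n in nets)


def whitelist_diff(old_nets, new_nets):
    """Networks added and removed between two resolutions of the same ingress.

    Shows exactly what an upstream change to the central list does to a
    service before the new whitelist is applied.
    """
    old, new = set(old_nets), set(new_nets)
    return sorted(new - old, key=str), sorted(old - new, key=str)


if __name__ == "__main__":
    groups = parse_cidr_lists(CENTRAL_LIST_YAML)
    wanted = ["pingdom", "moj", "10.0.0.5/32"]
    nets = resolve_whitelist(groups, wanted)
    print(render_annotation(nets))
    # Simulate the central list changing underneath the team.
    updated = dict(groups, pingdom=["203.0.113.0/26", "198.51.100.40/32"])
    added, removed = whitelist_diff(nets, resolve_whitelist(updated, wanted))
    print("added:", [str(n) for n in added], "removed:", [str(n) for n in removed])
```

The team's ingress would carry only the group names; the platform (or a CI step) runs the resolver against the current central list and writes the rendered annotation value. Strict CIDR parsing is deliberate: a `/24` written against a host address is the sort of entry that silently widens a whitelist, and it is better rejected at resolution time than applied.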