Restrict SSH access to cluster VMs #89

Merged
simu merged 1 commit into master from feat/restrict-ssh-to-cluster on Feb 15, 2024
Conversation

simu (Member) commented Feb 15, 2024

We remove the SSH access from anywhere for the cluster VMs by updating the all_machines security group to only allow SSH from other machines in the all_machines security group.

This PR requires appuio/terraform-modules#51 in order to ensure that the LBs remain accessible from anywhere via SSH and can act as SSH jumphosts for SSH access to the cluster VMs.

Resolves #78

Checklist

  • Keep pull requests small so they can be easily reviewed.
  • Categorize the PR by setting a good title and adding one of the labels:
    bug, enhancement, documentation, change, breaking, dependency
    as they show up in the changelog
  • Link this PR to related issues.

simu added the label enhancement (New feature or request) Feb 15, 2024
We remove the SSH access from anywhere for the cluster VMs by updating
the `all_machines` security group to only allow SSH from other machines
in the `all_machines` security group.

This PR requires appuio/terraform-modules#51 in
order to ensure that the LBs remain accessible from anywhere via SSH and
can act as SSH jumphosts for SSH access to the cluster VMs.
simu force-pushed the feat/restrict-ssh-to-cluster branch from 1ea56c8 to 1762293 on February 15, 2024 14:41
simu (Member, Author) commented Feb 15, 2024

We've upgraded terraform-modules/vshn-lbaas-exoscale to v6.0.0 (which includes appuio/terraform-modules#51) in #91

simu marked this pull request as ready for review February 15, 2024 14:42
simu requested a review from a team February 15, 2024 14:42
Review comment on the following lines of the security group rule (diff context as shown on the PR):

```hcl
start_port = "22"
end_port = "22"
cidr = "::/0"
user_security_group_id = exoscale_security_group.all_machines.id
```
simu (Member, Author) commented:
Note that when defining security group rules with another (or the same) security group as source, there's no need for separate rules for IPv4 and IPv6.
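Putting the PR description and the review note above together, here is an added example (not code from this PR or from the appuio repositories) showing the open rules beside the restricted, self-referencing rule, and the rule that keeps the LBs reachable as jump hosts. The `start_port`, `end_port`, `cidr` and `user_security_group_id` attributes are the ones visible in the snippet above; `security_group_id`, `type` and `protocol` are the other required attributes of the Exoscale provider's `exoscale_security_group_rule` resource. The `lbs` group, all resource names, and the assumption that the LB VMs are themselves members of `all_machines` are mine, not something the PR states.

```hcl
# Added example, not the PR's own code. Resource names and the `lbs` group
# are assumptions; only the attribute names come from the PR snippet and
# the Exoscale Terraform provider.

resource "exoscale_security_group" "all_machines" {
  name = "all_machines"
}

resource "exoscale_security_group" "lbs" {
  name = "lbs"
}

# BEFORE (weak): SSH reachable from anywhere. A CIDR source needs one rule
# per address family, so two rules were required. Kept here only for
# contrast; do not deploy these alongside the restricted rule below.
#
# resource "exoscale_security_group_rule" "ssh_any_v4" {
#   security_group_id = exoscale_security_group.all_machines.id
#   type              = "INGRESS"
#   protocol          = "TCP"
#   start_port        = 22
#   end_port          = 22
#   cidr              = "0.0.0.0/0"
# }
#
# resource "exoscale_security_group_rule" "ssh_any_v6" {
#   security_group_id = exoscale_security_group.all_machines.id
#   type              = "INGRESS"
#   protocol          = "TCP"
#   start_port        = 22
#   end_port          = 22
#   cidr              = "::/0"
# }

# AFTER (restricted): SSH only from machines that are members of the same
# security group. Because the source is a security group rather than a CIDR,
# a single rule covers both IPv4 and IPv6, as the review comment notes.
resource "exoscale_security_group_rule" "ssh_from_all_machines" {
  security_group_id      = exoscale_security_group.all_machines.id
  type                   = "INGRESS"
  protocol               = "TCP"
  start_port             = 22
  end_port               = 22
  user_security_group_id = exoscale_security_group.all_machines.id
}

# The LBs stay reachable on port 22 from anywhere so they can act as jump
# hosts. For the jump to work, the LB VMs must be allowed to reach the
# cluster VMs on port 22: this example assumes they are members of
# `all_machines`. If they are not, replace that assumption with an extra
# rule on `all_machines` whose source is
# `user_security_group_id = exoscale_security_group.lbs.id`.
resource "exoscale_security_group_rule" "lb_ssh_any_v4" {
  security_group_id = exoscale_security_group.lbs.id
  type              = "INGRESS"
  protocol          = "TCP"
  start_port        = 22
  end_port          = 22
  cidr              = "0.0.0.0/0"
}

resource "exoscale_security_group_rule" "lb_ssh_any_v6" {
  security_group_id = exoscale_security_group.lbs.id
  type              = "INGRESS"
  protocol          = "TCP"
  start_port        = 22
  end_port          = 22
  cidr              = "::/0"
}
```

With this in place, an operator reaches a cluster VM through an LB with OpenSSH's jump-host option, for example `ssh -J user@lb.example user@cluster-vm.internal`, or a `ProxyJump` entry in `~/.ssh/config`. A direct `ssh user@cluster-vm.internal` from outside the `all_machines` group should now time out or be refused; checking that after applying is the quickest confirmation that the open rules are really gone and were not left behind in a second rule set.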

simu merged commit 1167e6c into master Feb 15, 2024
1 check passed
simu deleted the feat/restrict-ssh-to-cluster branch February 15, 2024 15:14