	Merge pull request #27061 from Naddiseo/aws-ip-restrict-ssh-fixes-26661
Automatic merge from submit-queue kube-up: Allow IP restrictions for SSH and HTTPS API access on AWS. <!-- Checklist for submitting a Pull Request Please remove this comment block before submitting. 1. Please read our [contributor guidelines](https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md). 2. See our [developer guide](https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md). 3. If you want this PR to automatically close an issue when it is merged, add `fixes #<issue number>` or `fixes #<issue number>, fixes #<issue number>` to close multiple issues (see: https://github.com/blog/1506-closing-issues-via-pull-requests). 4. Follow the instructions for [labeling and writing a release note for this PR](https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes) in the block below. --> ```release-note ``` []() Closes #26661
		@@ -89,6 +89,8 @@ NON_MASQUERADE_CIDR="${NON_MASQUERADE_CIDR:-10.0.0.0/8}" # Traffic to IPs outsid
 | 
				
			|||||||
SERVICE_CLUSTER_IP_RANGE="${SERVICE_CLUSTER_IP_RANGE:-10.0.0.0/16}"  # formerly PORTAL_NET
 | 
					SERVICE_CLUSTER_IP_RANGE="${SERVICE_CLUSTER_IP_RANGE:-10.0.0.0/16}"  # formerly PORTAL_NET
 | 
				
			||||||
CLUSTER_IP_RANGE="${CLUSTER_IP_RANGE:-10.244.0.0/16}"
 | 
					CLUSTER_IP_RANGE="${CLUSTER_IP_RANGE:-10.244.0.0/16}"
 | 
				
			||||||
MASTER_IP_RANGE="${MASTER_IP_RANGE:-10.246.0.0/24}"
 | 
					MASTER_IP_RANGE="${MASTER_IP_RANGE:-10.246.0.0/24}"
 | 
				
			||||||
 | 
					SSH_CIDR="${SSH_CIDR:-0.0.0.0/0}" # IP to restrict ssh access to nodes/master
 | 
				
			||||||
 | 
					HTTP_API_CIDR="${HTTP_API_CIDR:-0.0.0.0/0}" # IP to restrict HTTP API access
 | 
				
			||||||
# If set to an Elastic IP address, the master instance will be associated with this IP.
 | 
					# If set to an Elastic IP address, the master instance will be associated with this IP.
 | 
				
			||||||
# Otherwise a new Elastic IP will be acquired
 | 
					# Otherwise a new Elastic IP will be acquired
 | 
				
			||||||
# (We used to accept 'auto' to mean 'allocate elastic ip', but that is now the default)
 | 
					# (We used to accept 'auto' to mean 'allocate elastic ip', but that is now the default)
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -931,14 +931,12 @@ function kube-up {
 | 
				
			|||||||
  authorize-security-group-ingress "${MASTER_SG_ID}" "--source-group ${NODE_SG_ID} --protocol all"
 | 
					  authorize-security-group-ingress "${MASTER_SG_ID}" "--source-group ${NODE_SG_ID} --protocol all"
 | 
				
			||||||
  authorize-security-group-ingress "${NODE_SG_ID}" "--source-group ${MASTER_SG_ID} --protocol all"
 | 
					  authorize-security-group-ingress "${NODE_SG_ID}" "--source-group ${MASTER_SG_ID} --protocol all"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  # TODO(justinsb): Would be fairly easy to replace 0.0.0.0/0 in these rules
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
  # SSH is open to the world
 | 
					  # SSH is open to the world
 | 
				
			||||||
  authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 22 --cidr 0.0.0.0/0"
 | 
					  authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 22 --cidr ${SSH_CIDR}"
 | 
				
			||||||
  authorize-security-group-ingress "${NODE_SG_ID}" "--protocol tcp --port 22 --cidr 0.0.0.0/0"
 | 
					  authorize-security-group-ingress "${NODE_SG_ID}" "--protocol tcp --port 22 --cidr ${SSH_CIDR}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  # HTTPS to the master is allowed (for API access)
 | 
					  # HTTPS to the master is allowed (for API access)
 | 
				
			||||||
  authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 443 --cidr 0.0.0.0/0"
 | 
					  authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 443 --cidr ${HTTP_API_CIDR}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  # KUBE_USE_EXISTING_MASTER is used to add minions to an existing master
 | 
					  # KUBE_USE_EXISTING_MASTER is used to add minions to an existing master
 | 
				
			||||||
  if [[ "${KUBE_USE_EXISTING_MASTER:-}" == "true" ]]; then
 | 
					  if [[ "${KUBE_USE_EXISTING_MASTER:-}" == "true" ]]; then
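Review bot: The new `--cidr ${SSH_CIDR}` and `--cidr ${HTTP_API_CIDR}` values in the three port-22/port-443 rules are spliced into the rule string with no check that they hold a single CIDR, and the first hunk (line 89 onward) only supplies a default, so an empty or malformed operator override (a bare IP without a prefix length, or a value containing whitespace) is handed straight to authorize-security-group-ingress, which from its other call sites appears to word-split that string into CLI flags. A validation step before the first rule fails fast instead of producing either a failed security-group call or a rule other than the one the operator intended; authorize-security-group-ingress and the remainder of kube-up start and end outside the hunk, so I cannot tell whether validation happens elsewhere. The comment `# SSH is open to the world` is now stale since the rule is governed by SSH_CIDR, e.g. `# SSH access is limited to SSH_CIDR (defaults to 0.0.0.0/0)`, and in the first hunk both inline comments say "IP" where the value is a CIDR, e.g. `# CIDR allowed to reach ssh on nodes/master`. HTTP_API_CIDR also governs the port-443 (HTTPS) rule, so the name reads as the wrong protocol; if the name is kept, its config comment should say that it gates HTTPS API access.
```shell
  # Fail fast on an override that is not a single IPv4 CIDR: the value is
  # spliced into the rule string that authorize-security-group-ingress
  # splits into flags, so anything else reaches the AWS call unchecked.
  local cidr_var
  for cidr_var in SSH_CIDR HTTP_API_CIDR; do
    if [[ ! "${!cidr_var}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$ ]]; then
      echo "${cidr_var} must be an IPv4 CIDR (e.g. 203.0.113.0/24), got '${!cidr_var}'" >&2
      exit 1
    fi
  done

  # SSH access is limited to SSH_CIDR (defaults to 0.0.0.0/0)
  authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 22 --cidr ${SSH_CIDR}"
  # … unchanged: node port-22 rule, master port-443 rule, KUBE_USE_EXISTING_MASTER check …
```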
 | 
				
			||||||
 
 | 
				
			|||||||