[Platformone] Riddle me this, Batman (odd things in up-prod)

Miller, Timothy J. tmiller at mitre.org
Tue Dec 3 20:31:42 UTC 2019


- There are three bastion hosts (up-prod-bastion, up-prod-ocp-bastion, and "onetime").  Of these, I can find only up-prod-ocp-bastion in the IaC definition.  Both up-prod-bastion and "onetime" look like they were built separately ("onetime" is baselined on CentOS--which is a giveaway--and up-prod-bastion is attached to the `bastion-ssh` security group--which AFAICT is also not part of the IaC).

I recall someone (Dean?) telling me that there's no BH in the IaC, but that's not true (see consumers/up-node-infrastructure/environments/production/group_vars/all/ec2-instances.yml).

- up-prod-openscap and up-prod-sso-server have a public IP, but their inbound rules permit only traffic from the VPC subnets (10.40.0.0/16) and the up-ss-vpc gitlab-ci-runner instance.

- up-prod-openscap is attached to the up-prod-ocp-nodes SG, which doesn't seem right.  That opens a bunch of ports that probably don't matter to a scan host.

- up-prod-sso-server has a public IP it doesn't need since traffic is handled by up-prod-sso-elb.

FWIW, public IPs are assigned to up-prod-bastion, up-prod-openscap, up-prod-satellite, up-prod-sso-server, and "onetime".  The bastion host and openscap kinda make sense, though you can jump to openscap from the BH.

Damnfino what "onetime" is supposed to be.

I'm not sure which of these or all of 'em should be turned into issues.  Comments?

-- T 
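The three kinds of finding raised in the message above (hosts and security groups that exist in the account but not in the IaC, hosts carrying a public IP their role does not need, and an SG attachment that opens far more inbound ports than a scan host needs) are exactly the sort of drift a small audit script can flag automatically. The following is an added example, not code from the thread or from the platformONE repositories. It runs entirely on constructed sample data: the instance and group names echo the ones in the message, but the IP addresses, the port rules, the `up-prod-scan` group, the `IAC_INSTANCES`/`IAC_GROUPS` sets (standing in for a parse of `ec2-instances.yml`) and the `PUBLIC_IP_ALLOWED` policy are all assumptions made up for illustration.

```python
"""Drift audit: compare a cloud inventory against what the IaC declares.

Added example on constructed data; the shapes mimic what you would get from
`aws ec2 describe-instances` / `describe-security-groups` and from the IaC
instance list, but no real account or file is read.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

VPC_CIDR = "10.40.0.0/16"   # from the thread: the CIDR most hosts should accept traffic from
ANYWHERE = "0.0.0.0/0"


@dataclass
class SecurityGroup:
    name: str
    # inbound rules as (from_port, to_port, source_cidr)
    ingress: List[Tuple[int, int, str]] = field(default_factory=list)


@dataclass
class Instance:
    name: str
    public_ip: Optional[str]
    groups: List[str]


# --- constructed sample data (hypothetical; only the names come from the thread) ---
SGS: Dict[str, SecurityGroup] = {
    "bastion-ssh": SecurityGroup("bastion-ssh", [(22, 22, ANYWHERE)]),
    "up-prod-ocp-nodes": SecurityGroup("up-prod-ocp-nodes", [
        (22, 22, VPC_CIDR), (10250, 10250, VPC_CIDR), (30000, 32767, VPC_CIDR)]),
    "up-prod-scan": SecurityGroup("up-prod-scan", [(22, 22, VPC_CIDR)]),  # assumed group
}

INVENTORY: List[Instance] = [
    Instance("up-prod-ocp-bastion", "203.0.113.10", ["bastion-ssh"]),
    Instance("up-prod-bastion",     "203.0.113.11", ["bastion-ssh"]),
    Instance("onetime",             "203.0.113.12", ["bastion-ssh"]),
    Instance("up-prod-openscap",    "203.0.113.13", ["up-prod-ocp-nodes"]),
    Instance("up-prod-sso-server",  "203.0.113.14", ["up-prod-scan"]),
    Instance("up-prod-ocp-node-1",  None,           ["up-prod-ocp-nodes"]),
]
BY_NAME: Dict[str, Instance] = {i.name: i for i in INVENTORY}

# What the IaC declares (assumed parse of ec2-instances.yml and the SG definitions)
IAC_INSTANCES: Set[str] = {"up-prod-ocp-bastion", "up-prod-openscap",
                           "up-prod-sso-server", "up-prod-ocp-node-1"}
IAC_GROUPS: Set[str] = {"up-prod-ocp-nodes", "up-prod-scan"}

# Roles that justify a public address (a policy decision, assumed here)
PUBLIC_IP_ALLOWED: Set[str] = {"up-prod-ocp-bastion"}


def unmanaged_instances(inventory: List[Instance], iac_names: Set[str]) -> List[str]:
    """Instances present in the account but absent from the IaC definition."""
    return sorted(i.name for i in inventory if i.name not in iac_names)


def unmanaged_groups(inventory: List[Instance], iac_groups: Set[str]) -> List[str]:
    """Security groups referenced by a running instance but not defined in the IaC."""
    referenced = {g for i in inventory for g in i.groups}
    return sorted(referenced - iac_groups)


def unneeded_public_ips(inventory: List[Instance], allowed: Set[str]) -> List[str]:
    """Instances holding a public IP whose role is not on the allow-list."""
    return sorted(i.name for i in inventory if i.public_ip and i.name not in allowed)


def inbound_ports(inst: Instance, sgs: Dict[str, SecurityGroup]) -> Set[int]:
    """Union of every inbound port opened by the instance's security groups."""
    ports: Set[int] = set()
    for g in inst.groups:
        for lo, hi, _cidr in sgs[g].ingress:
            ports.update(range(lo, hi + 1))
    return ports


def world_reachable_ports(inst: Instance, sgs: Dict[str, SecurityGroup]) -> Set[int]:
    """Ports reachable from the Internet: needs a public IP and a 0.0.0.0/0 rule."""
    if not inst.public_ip:
        return set()
    return {p for g in inst.groups for lo, hi, cidr in sgs[g].ingress
            if cidr == ANYWHERE for p in range(lo, hi + 1)}


def audit(inventory: List[Instance], sgs: Dict[str, SecurityGroup],
          iac_names: Set[str], iac_groups: Set[str], allowed: Set[str],
          max_ports: int = 16) -> Dict[str, List[str]]:
    """Collect all findings; `max_ports` flags hosts with an unusually wide surface."""
    return {
        "not_in_iac": unmanaged_instances(inventory, iac_names),
        "sg_not_in_iac": unmanaged_groups(inventory, iac_groups),
        "public_ip_unneeded": unneeded_public_ips(inventory, allowed),
        "wide_inbound": sorted(i.name for i in inventory
                               if len(inbound_ports(i, sgs)) > max_ports),
        "world_reachable": sorted(i.name for i in inventory
                                  if world_reachable_ports(i, sgs)),
    }


if __name__ == "__main__":
    for kind, names in audit(INVENTORY, SGS, IAC_INSTANCES, IAC_GROUPS,
                             PUBLIC_IP_ALLOWED).items():
        print(f"{kind:20s} {', '.join(names) or '-'}")
```

The `wide_inbound` check is the one that catches the openscap case: because the scan host inherits the node group's NodePort range, it ends up with thousands of reachable ports even though every rule is scoped to the VPC, so counting the port surface per host exposes the misattachment that a rule-by-rule review of the SG would not.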