[Platformone] [EXT] Re: Riddle me this, Batman (odd things in up-prod)

Miller, Timothy J. tmiller at mitre.org
Wed Dec 4 13:44:16 UTC 2019


up-prod-ocp-bastion is in the IaC but is only accessible from up-ss-vpc's gitlab-ci-runner and from up-prod's /16 address space.  So it's not much use as a bastion.

That leaves "onetime" and up-prod-bastion.  Neither is IaC.  Which is the ACAS host?

-- T

On 12/3/19, 16:15, "Kevin O'Donnell" <kodonnel at redhat.com> wrote:

    Bastion creation is IaC, and the other EC2 that's running in prod is for ACAS and was created to scan and will be shut down after the scans are done
    
    On Tue, Dec 3, 2019 at 3:34 PM Miller, Timothy J. <tmiller at mitre.org> wrote:
    
    - There are three bastion hosts (up-prod-bastion, up-prod-ocp-bastion, and "onetime").  Of these, I can find only up-prod-ocp-bastion in the IaC definition.  Both up-prod-bastion and "onetime" look like they were built separately ("onetime" is baselined on CentOS--which is a giveaway--and up-prod-bastion is attached to the `bastion-ssh` security group--which AFAICT is also not part of the IaC).
    
    I recall someone (Dean?) telling me that there's no BH in the IaC, but that's not true (see consumers/up-node-infrastructure/environments/production/group_vars/all/ec2-instances.yml).
    
    - up-prod-openscap and up-prod-sso-server have a public IP but their inbound rules permit only traffic from the VPC subnets (10.40.0.0/16) and the up-ss-vpc gitlab-ci-runner instance.
    
    - up-prod-openscap is attached to the up-prod-ocp-nodes SG, which doesn't seem right.  That opens a bunch of ports that probably don't matter to a scan host.
    
    - up-prod-sso-server has a public IP it doesn't need since traffic is handled by up-prod-sso-elb.
    
    FWIW, public IPs are assigned to up-prod-bastion, up-prod-openscap, up-prod-satellite, up-prod-sso-server, and "onetime".  The bastion host and openscap kinda make sense, though you can jump to openscap from the BH.
    
    Damnfino what "onetime" is supposed to be.
    
    I'm not sure which of these or all of 'em should be turned into issues.  Comments?
    
    -- T 
    
    _______________________________________________
    platformONE mailing list
    platformONE at redhat.com
    https://www.redhat.com/mailman/listinfo/platformone
    
    -- 
    KEVIN O'DONNELL 
    ARCHITECT MANAGER
    Red Hat NA Public Sector Consulting <https://www.redhat.com/>
    
    kodonnell at redhat.com  M: 240-605-4654
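
A scripted version of the reconciliation Tim did by hand, added here as an example and not part of the thread: it walks instance records shaped like boto3 `describe_instances` output, compares them against the IaC host list and the allowed inbound sources (the VPC /16 and the CI runner), and flags public IPs, hosts missing from IaC, and security groups admitting other sources. All host data, the 198.51.100.x public IPs, the security-group rules, and the runner address 10.50.0.5 are constructed, not taken from the account.

```python
"""Reconcile live EC2 instances against IaC and an inbound-source allowlist.

Added example; every record below is constructed to mirror the thread and is
not a real account dump. Field shapes follow boto3 describe_instances output,
trimmed to what the check needs.
"""
import ipaddress

# Constructed sample of running prod instances.
INSTANCES = [
    {"Name": "up-prod-bastion", "PublicIp": "198.51.100.10", "SecurityGroups": ["bastion-ssh"]},
    {"Name": "up-prod-openscap", "PublicIp": "198.51.100.11", "SecurityGroups": ["up-prod-ocp-nodes"]},
    {"Name": "up-prod-sso-server", "PublicIp": "198.51.100.12", "SecurityGroups": ["up-prod-sso"]},
    {"Name": "up-prod-ocp-bastion", "PublicIp": None, "SecurityGroups": ["up-prod-ocp-bastion"]},
]
# Constructed ingress sources (CIDRs) per security group name.
SG_INGRESS = {
    "bastion-ssh": ["0.0.0.0/0"],
    "up-prod-ocp-nodes": ["10.40.0.0/16", "10.50.0.5/32"],
    "up-prod-sso": ["10.40.0.0/16"],
    "up-prod-ocp-bastion": ["10.40.0.0/16"],
}
# Hosts declared in IaC (what a parse of ec2-instances.yml would yield); constructed.
IAC_HOSTS = {"up-prod-ocp-bastion", "up-prod-openscap", "up-prod-sso-server"}
# Sources that may reach prod: the VPC /16 and the CI runner (hypothetical address).
ALLOWED_SOURCES = [ipaddress.ip_network("10.40.0.0/16"), ipaddress.ip_network("10.50.0.5/32")]


def _source_allowed(cidr):
    """True if the ingress CIDR lies entirely inside an allowed source network."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == a.version and net.subnet_of(a) for a in ALLOWED_SOURCES)


def audit(instances=INSTANCES, sg_ingress=SG_INGRESS, iac_hosts=IAC_HOSTS):
    """Return {host: [finding, ...]} for every instance needing review."""
    findings = {}
    for inst in instances:
        issues = []
        if inst["Name"] not in iac_hosts:
            issues.append("not defined in IaC")
        if inst["PublicIp"]:
            issues.append("has public IP")  # review: is an ELB or the bastion enough?
        for sg in inst["SecurityGroups"]:
            for src in sg_ingress.get(sg, []):
                if not _source_allowed(src):
                    issues.append(f"SG {sg} admits {src}")
        if issues:
            findings[inst["Name"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit().items():
        print(f"{host}: {'; '.join(issues)}")
```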
    
More information about the platformONE mailing list