[Platformone] [EXT] Re: Riddle me this, Batman (odd things in up-prod)

Dean Lystra dlystra at redhat.com
Wed Dec 4 16:09:15 UTC 2019


The OCP bastion instance is used as part of the OCP installation process.
This is where the openshift installation playbooks are run. It is not meant
to be a jump box. The prod bastion instance was configured with an EIP in
the public subnet for external access to the IdM CLI, but was manually
deployed.

On Wed, Dec 4, 2019, 7:37 AM Blade, Eric D [US] (MS) <Eric.Blade at ngc.com>
wrote:

> The Onetime can be destroyed if Colleen is done testing with it.
>
> Eric
>
> -----Original Message-----
> From: Feiglstok, Colleen M [US] (MS) <Colleen.Feiglstok at ngc.com>
> Sent: Wednesday, December 04, 2019 10:05 AM
> To: Miller, Timothy J. <tmiller at mitre.org>; Dean Lystra <
> dlystra at redhat.com>; Kevin O'Donnell <kodonnel at redhat.com>
> Cc: platformONE at redhat.com; Mathew Huston <huston at diux.mil>; Nunez,
> Carlos A [US] (MS) (Contr) <Carlos.Nunez2 at ngc.com>; Blade, Eric D [US]
> (MS) <Eric.Blade at ngc.com>
> Subject: RE: [EXT] Re: [Platformone] Riddle me this, Batman (odd things in
> up-prod)
>
> The onetime was stood up for security testing. Eric Blade is in the
> process of creating an AMI that we will use in the future that will have
> all security tools in one place. It is not part of the IAC.
>
> -----Original Message-----
> From: Miller, Timothy J. <tmiller at mitre.org>
> Sent: Wednesday, December 4, 2019 8:54 AM
> To: Dean Lystra <dlystra at redhat.com>; Kevin O'Donnell <kodonnel at redhat.com>
> Cc: platformONE at redhat.com; Feiglstok, Colleen M [US] (MS) <
> Colleen.Feiglstok at ngc.com>; Mathew Huston <huston at diux.mil>; Nunez,
> Carlos A [US] (MS) (Contr) <Carlos.Nunez2 at ngc.com>
> Subject: EXT :Re: [EXT] Re: [Platformone] Riddle me this, Batman (odd
> things in up-prod)
>
> Is that one up-prod-bastion?
>
> I'm putting an issue against platform-infrastructure.  The bastion is
> broken in a couple ways:
>
> - inbound SG rule defaults to `{{ cidr }}` address space, which resolves
> out to the VPC addresses
> - it's in the private subnet (probably doesn't matter, but helps humans
> keep things straight)
> - no public IP.
>
> -- T
>
> On 12/3/19, 16:34, "Dean Lystra" <dlystra at redhat.com> wrote:
>
>     One bastion host was created for the sole purpose of allowing access
> to the IdM CLI. This was done as a quick fix to get the users created and
> for administrative purposes. Access to IdM via web console or CLI is not
> available from the internet.
>      onetime is a mystery to me.
>
>     On Tue, Dec 3, 2019, 2:15 PM Kevin O'Donnell <kodonnel at redhat.com>
> wrote:
>
>     Bastion creation is iac, and the other ec2 that’s running in prod is
> for acas and was created to scan and will be shutdown after the scans are
> done
>
>     On Tue, Dec 3, 2019 at 3:34 PM Miller, Timothy J. <tmiller at mitre.org>
> wrote:
>
>     - There are three bastion hosts (up-prod-bastion, up-prod-ocp-bastion,
> and "onetime").  Of these, I can find only up-prod-ocp-bastion in the IaC
> definition.  Both up-prod-bastion and "onetime" look like they were built
> separately ("onetime" is baselined on
>      CentOS--which is a giveaway--and up-prod-bastion is attached to the
> `bastion-ssh` security group--which AFAICT is also not part of the IaC).
>
>     I recall someone (Dean?) telling me that there's no BH in the IaC, but
> that's not true (see
> consumers/up-node-infrastructure/environments/production/group_vars/all/ec2-instances.yml).
>
>     - up-prod-openscap and up-prod-sso-server have a public IP but their
> inbound rules permit only traffic from the VPC subnets (10.40.0.0/16) and
> the up-ss-vpc gitlab-ci-runner instance.
>
>     - up-prod-openscap is attached to the up-prod-ocp-nodes SG, which
> doesn't seem right.  That opens a bunch of ports that probably don't matter
> to a scan host.
>
>     - up-prod-sso-server has a public IP it doesn't need since traffic is
> handled by up-prod-sso-elb.
>
>     FWIW, public IPs are assigned to up-prod-bastion, up-prod-openscap,
> up-prod-satellite, up-prod-sso-server, and "onetime".  The bastion host and
> openscap kinda make sense, though you can jump to openscap from the BH.
>
>     Damnfino what "onetime" is supposed to be.
>
>     I'm not sure which of these or all of 'em should be turned into
> issues.  Comments?
>
>     -- T
>
>     _______________________________________________
>     platformONE mailing list
>     platformONE at redhat.com
>     https://www.redhat.com/mailman/listinfo/platformone
>
>     --
>     KEVIN O'DONNELL
>     ARCHITECT MANAGER
>     Red Hat NA Public Sector Consulting <https://www.redhat.com/>
>     kodonnell at redhat.com
>     M: 240-605-4654
>
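The findings Tim lists above (hosts and a security group that are not in the IaC, a bastion whose SSH ingress resolves to the VPC range, a public IP on a host fronted by an ELB) are the kind of thing an inventory drift check can flag before a human has to riddle it out. The script below is an added example written for this archive page, not code from the platformONE project or any of the posters; the IaC inventory, security-group names other than those quoted in the thread, and the observed instance state are constructed sample data shaped after the thread.

```python
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.40.0.0/16")  # VPC range quoted in the thread

# Constructed IaC inventory (assumption: only these names and SGs are defined in IaC).
IAC_INSTANCES = {"up-prod-ocp-bastion", "up-prod-openscap", "up-prod-sso-server"}
IAC_SECURITY_GROUPS = {"up-prod-ocp-nodes", "up-prod-ocp-bastion-sg", "up-prod-sso-sg"}

# Constructed "observed" state mirroring the thread; 203.0.113.0/24 is a documentation range.
OBSERVED = [
    {"name": "up-prod-ocp-bastion", "role": "bastion", "public_ip": False, "subnet": "private",
     "sgs": ["up-prod-ocp-bastion-sg"], "ssh_ingress": ["10.40.0.0/16"]},  # `{{ cidr }}` -> VPC
    {"name": "up-prod-bastion", "role": "bastion", "public_ip": True, "subnet": "public",
     "sgs": ["bastion-ssh"], "ssh_ingress": ["203.0.113.0/24"]},
    {"name": "onetime", "role": "scanner", "public_ip": True, "subnet": "public",
     "sgs": ["onetime-sg"], "ssh_ingress": []},
    {"name": "up-prod-sso-server", "role": "behind_elb", "public_ip": True, "subnet": "public",
     "sgs": ["up-prod-sso-sg"], "ssh_ingress": []},
]


def audit(observed, iac_instances, iac_sgs, vpc_cidr):
    """Return (instance, finding) pairs for IaC drift and exposure problems."""
    findings = []
    for inst in observed:
        name = inst["name"]
        # Drift: running instance or attached SG that no IaC definition accounts for.
        if name not in iac_instances:
            findings.append((name, "not-in-iac"))
        for sg in inst["sgs"]:
            if sg not in iac_sgs:
                findings.append((name, f"sg-not-in-iac:{sg}"))
        if inst["role"] == "bastion":
            # A bastion with no public IP, or in a private subnet, cannot serve as an entry point.
            if not inst["public_ip"] or inst["subnet"] != "public":
                findings.append((name, "bastion-unreachable"))
            # SSH ingress limited to the VPC itself means the rule resolved to `{{ cidr }}`.
            cidrs = [ipaddress.ip_network(c) for c in inst["ssh_ingress"]]
            if cidrs and all(c.subnet_of(vpc_cidr) for c in cidrs):
                findings.append((name, "ssh-ingress-vpc-only"))
        # A host fronted by an ELB does not need a public IP of its own.
        if inst["role"] == "behind_elb" and inst["public_ip"]:
            findings.append((name, "unneeded-public-ip"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(OBSERVED, IAC_INSTANCES, IAC_SECURITY_GROUPS, VPC_CIDR):
        print(f"{host}: {finding}")
```

Feeding the same structure from a real `describe-instances` / `describe-security-groups` export, and the host list from the IaC `ec2-instances.yml`, turns each bullet in the thread into a repeatable check.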