[Platformone] [EXT] Re: Riddle me this, Batman (odd things in up-prod)

Wed Dec 4 16:43:23 UTC 2019

Tim,

The OCP_Bastion is necessary to deploy the OCP 3.11 cluster. It holds a
specific version of ansible and inventory file that Openshift deploys from.
The CI-Runner triggers the build but its fully automated and it should have
zero hands on keyboard access.

On Wed, Dec 4, 2019 at 11:29 AM Dean Lystra <dlystra at redhat.com> wrote:

> IMO a VPN solution would be the most preferred option. This would be up to
> the decision makers to go this route. We used to have OpenVPN in our VPCs,
> but I am unsure why we no longer use it.
>
> On Wed, Dec 4, 2019, 8:21 AM Miller, Timothy J. <tmiller at mitre.org> wrote:
>
>> I wouldn't expect a public IP into a private subnet, and I'm wouldn't be
>> comfy with port forwarding into it either.
>>
>> I sense a broken concept of operations here.  As currently defined in
>> IaC, ocp-bastion is useless or redundant:
>>
>> - It's in the private subnet and unreachable from any admin console by
>> the current SG anyway.  A VPN is required to reach it.
>>
>> - OTOH, if we have a VPN, we can whitelist admin consoles via the VPN in
>> the default SG.  This would save a little $.
>>
>> - In C1, ocp-bastion is duplicative with the C1 provided bastion.  We can
>> whitelist the C1 bastion in the default SG and again save some $.
>>
>> -- T
>>
>> On 12/4/19, 09:33, "Nunez, Carlos A [US] (MS) (Contr)" <
>> Carlos.Nunez2 at ngc.com> wrote:
>>
>>     AWS will not allow a public IP in a private subnet. No cloud provider
>> does.  The NAT is what translates Private Subnet resources to be connected
>> to Public Subnet resources.
>>
>>     V/R
>>     Adrian
>>
>>     -----Original Message-----
>>     From: Miller, Timothy J. <tmiller at mitre.org>
>>     Sent: Wednesday, December 4, 2019 10:29 AM
>>     To: Nunez, Carlos A [US] (MS) (Contr) <Carlos.Nunez2 at ngc.com>; Dean
>> Lystra <dlystra at redhat.com>; Kevin O'Donnell <kodonnel at redhat.com>
>>     Cc: platformONE at redhat.com; Feiglstok, Colleen M [US] (MS) <
>> Colleen.Feiglstok at ngc.com>; Mathew Huston <huston at diux.mil>
>>     Subject: EXT :Re: [EXT] Re: [Platformone] Riddle me this, Batman (odd
>> things in up-prod)
>>
>>     That's great, once a VPN into the VPC is active.
>>
>>     In the meantime...?
>>
>>     -- T
>>
>>     On 12/4/19, 09:07, "Nunez, Carlos A [US] (MS) (Contr)" <
>> Carlos.Nunez2 at ngc.com> wrote:
>>
>>         Bastion cannot be in a private subnet. That is the EC2 that
>> admins/devs will connect to at port 22.  If it is in a private subnet it
>> has no way to be public facing and cannot have a public IP assigned to it.
>>
>>         V/R
>>         Adrian Nuñez
>>         Senior Cloud Architect
>>         NG Email:  carlos.nunez2 at ngc.com
>>         Bylight email:  carlos.nunez at bylight.com
>>         Cell:  (571)230-5289
>>
>>
>>
>>         -----Original Message-----
>>         From: Miller, Timothy J. <tmiller at mitre.org>
>>         Sent: Wednesday, December 4, 2019 8:54 AM
>>         To: Dean Lystra <dlystra at redhat.com>; Kevin O'Donnell <
>> kodonnel at redhat.com>
>>         Cc: platformONE at redhat.com; Feiglstok, Colleen M [US] (MS) <
>> Colleen.Feiglstok at ngc.com>; Mathew Huston <huston at diux.mil>; Nunez,
>> Carlos A [US] (MS) (Contr) <Carlos.Nunez2 at ngc.com>
>>         Subject: EXT :Re: [EXT] Re: [Platformone] Riddle me this, Batman
>> (odd things in up-prod)
>>
>>         Is that one up-prod-bastion?
>>
>>         I'm putting an issue against platform-infrastructure.  The
>> bastion is broken in a couple ways:
>>
>>         - inbound SG rule defaults to `{{ cidr }}` address space, which
>> resolves out to the VPC addresses
>>         - it's in the private subnet (probably doesn't matter, but helps
>> humans keep things straight)
>>         - no public IP.
>>
>>         -- T
>>
>>         On 12/3/19, 16:34, "Dean Lystra" <dlystra at redhat.com> wrote:
>>
>>             One bastion host was created for the sole purpose of allowing
>> access to the IdM CLI. This was done as a quick fix to get the users
>> created and for administrative purposes. Access to IdM via web console or
>> CLI is not available from the internet.
>>              onetime is a mystery to me.
>>
>>             On Tue, Dec 3, 2019, 2:15 PM Kevin O'Donnell <
>> kodonnel at redhat.com> wrote:
>>
>>
>>             Bastion creation is iac, and the other ec2 that’s running in
>> prod is for acas and was created to scan and will be shutdown after the
>> scans are done
>>
>>
>>
>>
>>
>>
>>             On Tue, Dec 3, 2019 at 3:34 PM Miller, Timothy J. <
>> tmiller at mitre.org> wrote:
>>
>>
>>             - There are three bastion hosts (up-prod-bastion,
>> up-prod-ocp-bastion, and "onetime").  Of these, I can find only
>> up-prod-ocp-bastion in the IaC definition.  Both up-prod-bastion and
>> "onetime" look like they were built separately ("onetime" is baselined on
>>              CentOS--which is a giveaway--and up-prod-bastion is attached
>> to the `bastion-ssh` security group--which AFAICT is also not part of the
>> IaC).
>>
>>             I recall someone (Dean?) telling me that there's no BH in the
>> IaC, but that's not true (see
>> consumers/up-node-infrastructure/environments/production/group_vars/all/ec2-instances.yml).
>>
>>             - up-prod-openscap and up-prod-sso-server have a public IP
>> but its inbound rules permit only traffic from the VPC subnets (
>> 10.40.0.0/16 <http://10.40.0.0/16>) and the up-ss-vpc gitlab-ci-runner
>> instance.
>>
>>             - up-prod-openscap is attached to the up-prod-ocp-nodes SG,
>> which is doesn't seem right.  That opens a bunch of ports that probably
>> don't matter to a scan host.
>>
>>             - up-prod-sso-server has a public IP it doesn't need since
>> traffic is handled by up-prod-sso-elb.
>>
>>             FWIW, public IPs are assigned to up-prod-bastion,
>> up-prod-openscap, up-prod-satellite, up-prod-sso-server, and "onetime".
>> The bastion host and openscap kinda make sense, though you can jump to
>> openscap from the BH.
>>
>>             Damnfino what "onetime" is supposed to be.
>>
>>             I'm not sure which of these or all of 'em should be turned
>> into issues.  Comments?
>>
>>             -- T
>>
>>
>>             _______________________________________________
>>             platformONE mailing list
>>             platformONE at redhat.com
>>             https://www.redhat.com/mailman/listinfo/platformone
>>
>>
>>
>>
>>
>>             --
>>             KEVIN O'DONNELL
>>             ARCHITECT MANAGER
>>             Red Hat Red Hat NA Public Sector Consulting <
>> https://www.redhat.com/>
>>
>>             kodonnell at redhat.com <mailto:kodonnell at redhat.com%20M:240-605-4654>
>> M: 240-605-4654
>>              <https://red.ht/sig>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>             _______________________________________________
>>             platformONE mailing list
>>             platformONE at redhat.com
>>             https://www.redhat.com/mailman/listinfo/platformone
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
> platformONE mailing list
> platformONE at redhat.com
> https://www.redhat.com/mailman/listinfo/platformone
>

-- 

JONATHAN HULTZ, RHCSA

SENIOR CONSULTANT

Red Hat Remote US CA <https://www.redhat.com/>

jhultz at redhat.com    M: 609-713-9778
<https://red.ht/sig>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/platformone/attachments/20191204/70a2a9c7/attachment.htm>