[Platformone] [EXT] Re: Riddle me this, Batman (odd things in up-prod)

Miller, Timothy J. tmiller at mitre.org
Wed Dec 4 13:53:48 UTC 2019


Is that one up-prod-bastion?

I'm putting an issue against platform-infrastructure.  The bastion is broken in a couple ways:

- inbound SG rule defaults to `{{ cidr }}` address space, which resolves out to the VPC addresses
- it's in the private subnet (probably doesn't matter, but helps humans keep things straight)
- no public IP.

-- T
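An added example, not code from this thread or from the platformone IaC: a small audit that flags the kinds of mismatch Tim lists above (a jump host with no public address, or whose inbound rules only admit VPC sources, so nothing outside can reach it) and the ones he raised earlier in the thread (hosts holding a public IP that their security group never lets an outside source use). The records are constructed sample data shaped like the boto3 `describe_instances` / `describe_security_groups` responses, with hypothetical instance and group IDs and TEST-NET addresses; in real use you would feed in the API output instead.

```python
"""Flag bastion / public-IP mismatches of the kind discussed in this thread.

Input dictionaries are shaped like the boto3 EC2 describe_instances and
describe_security_groups responses.  The records at the bottom are
constructed sample data with hypothetical IDs, not real account data.
"""
import ipaddress
from dataclasses import dataclass

# VPC address space named in the thread.
VPC_CIDR = ipaddress.ip_network("10.40.0.0/16")


@dataclass(frozen=True)
class Finding:
    instance: str
    code: str
    detail: str


def instance_name(inst):
    """Name tag, falling back to the instance ID (e.g. an untagged host)."""
    for tag in inst.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag["Value"]
    return inst["InstanceId"]


def inbound_sources(sg):
    """Yield (from_port, to_port, source) for every inbound rule of a group.

    source is an ip_network for CIDR rules, or 'sg:<id>' for rules that
    reference another security group (reachable only from inside the VPC).
    """
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if lo == -1:  # ICMP 'all types' is reported as -1/-1
            lo, hi = 0, 65535
        for r in perm.get("IpRanges", []):
            yield lo, hi, ipaddress.ip_network(r["CidrIp"])
        for r in perm.get("Ipv6Ranges", []):
            yield lo, hi, ipaddress.ip_network(r["CidrIpv6"])
        for g in perm.get("UserIdGroupPairs", []):
            yield lo, hi, "sg:" + g["GroupId"]


def is_internal(source, vpc_cidr):
    """True if traffic matching this source can only originate inside the VPC."""
    if isinstance(source, str):
        return True
    if source.version != vpc_cidr.version:
        return False  # an IPv6 rule on an IPv4-only VPC CIDR admits outsiders
    return source.subnet_of(vpc_cidr)


def audit(instances, security_groups, vpc_cidr=VPC_CIDR, bastion_marker="bastion"):
    """Return Findings; an instance is treated as a jump host if its name contains bastion_marker."""
    findings = []
    for inst in instances:
        name = instance_name(inst)
        is_bastion = bastion_marker in name
        rules = [r for ref in inst.get("SecurityGroups", [])
                 for r in inbound_sources(security_groups[ref["GroupId"]])]
        external = [r for r in rules if not is_internal(r[2], vpc_cidr)]
        world = sorted({(lo, hi) for lo, hi, src in external
                        if not isinstance(src, str) and src.prefixlen == 0})
        has_public_ip = bool(inst.get("PublicIpAddress"))
        if is_bastion and not has_public_ip:
            findings.append(Finding(name, "BASTION_NO_PUBLIC_IP",
                                    "jump host has no public address"))
        if is_bastion and not external:
            findings.append(Finding(name, "BASTION_NOT_REACHABLE",
                                    "no inbound rule admits a source outside %s" % vpc_cidr))
        if not is_bastion and has_public_ip and not external:
            findings.append(Finding(name, "UNNEEDED_PUBLIC_IP",
                                    "public IP %s but inbound rules admit only VPC sources"
                                    % inst["PublicIpAddress"]))
        if world:
            findings.append(Finding(name, "WORLD_OPEN",
                                    "ports %s open to 0.0.0.0/0 or ::/0"
                                    % ", ".join("%d-%d" % p for p in world)))
    return findings


# Constructed sample data (hypothetical IDs, TEST-NET-3 public addresses).
SECURITY_GROUPS = {
    "sg-0bastionssh": {"GroupName": "bastion-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.40.0.0/16"}]}]},          # VPC-only, as in the thread
    "sg-0ssoserver": {"GroupName": "up-prod-sso-server", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.40.0.0/16"}],
         "UserIdGroupPairs": [{"GroupId": "sg-0ssoelb"}]}]},   # ELB reaches it, nobody else
    "sg-0ocpbastion": {"GroupName": "up-prod-ocp-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},             # a reachable jump host
}
INSTANCES = [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "Name", "Value": "up-prod-bastion"}],
     "SecurityGroups": [{"GroupId": "sg-0bastionssh"}]},       # no PublicIpAddress key
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "Name", "Value": "up-prod-sso-server"}],
     "PublicIpAddress": "203.0.113.10", "SecurityGroups": [{"GroupId": "sg-0ssoserver"}]},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "Name", "Value": "up-prod-ocp-bastion"}],
     "PublicIpAddress": "203.0.113.20", "SecurityGroups": [{"GroupId": "sg-0ocpbastion"}]},
]

if __name__ == "__main__":
    for f in audit(INSTANCES, SECURITY_GROUPS):
        print("%-22s %-22s %s" % (f.instance, f.code, f.detail))
```

On the sample data the script reports up-prod-bastion twice (no public IP, and nothing outside 10.40.0.0/16 can reach it), up-prod-sso-server once (a public IP its rules never let anyone use), and notes port 22 world-open on the working jump host so it stays visible in review.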

On 12/3/19, 16:34, "Dean Lystra" <dlystra at redhat.com> wrote:

    One bastion host was created for the sole purpose of allowing access to the IdM CLI. This was done as a quick fix to get the users created and for administrative purposes. Access to IdM via web console or CLI is not available from the internet.
    onetime is a mystery to me.
    
    On Tue, Dec 3, 2019, 2:15 PM Kevin O'Donnell <kodonnel at redhat.com> wrote:
    
    
    Bastion creation is IaC, and the other EC2 that's running in prod is for ACAS and was created to scan and will be shut down after the scans are done.
    
    On Tue, Dec 3, 2019 at 3:34 PM Miller, Timothy J. <tmiller at mitre.org> wrote:
    
    
    - There are three bastion hosts (up-prod-bastion, up-prod-ocp-bastion, and "onetime").  Of these, I can find only up-prod-ocp-bastion in the IaC definition.  Both up-prod-bastion and "onetime" look like they were built separately ("onetime" is baselined on CentOS--which is a giveaway--and up-prod-bastion is attached to the `bastion-ssh` security group--which AFAICT is also not part of the IaC).
    
    I recall someone (Dean?) telling me that there's no BH in the IaC, but that's not true (see consumers/up-node-infrastructure/environments/production/group_vars/all/ec2-instances.yml).
    
    - up-prod-openscap and up-prod-sso-server have a public IP but their inbound rules permit only traffic from the VPC subnets (10.40.0.0/16) and the up-ss-vpc gitlab-ci-runner instance.
    
    - up-prod-openscap is attached to the up-prod-ocp-nodes SG, which doesn't seem right.  That opens a bunch of ports that probably don't matter to a scan host.
    
    - up-prod-sso-server has a public IP it doesn't need since traffic is handled by up-prod-sso-elb.
    
    FWIW, public IPs are assigned to up-prod-bastion, up-prod-openscap, up-prod-satellite, up-prod-sso-server, and "onetime".  The bastion host and openscap kinda make sense, though you can jump to openscap from the BH.
    
    Damnfino what "onetime" is supposed to be.
    
    I'm not sure which of these or all of 'em should be turned into issues.  Comments?
    
    -- T 
    
    
    _______________________________________________
    platformONE mailing list
    platformONE at redhat.com
    https://www.redhat.com/mailman/listinfo/platformone
    
    
    
    
    
    -- 
    KEVIN O'DONNELL
    ARCHITECT MANAGER
    Red Hat NA Public Sector Consulting <https://www.redhat.com/>
    
    kodonnell at redhat.com  M: 240-605-4654
    