
CI changes for dynamic whitelist of IPs for non-public kubernetes API #39

Open
scottyhq opened this issue Jan 7, 2020 · 2 comments
scottyhq commented Jan 7, 2020

Until recently the Kubernetes API was either fully public or fully private on AWS EKS. It's now possible to restrict access to specific IPs:
https://aws.amazon.com/about-aws/whats-new/2019/12/amazon-eks-enables-network-access-restrictions-to-kubernetes-cluster-public-endpoints/

I can follow this up with a PR, but the basic idea is to dynamically add the IP of the CI machine to the Kubernetes public endpoint whitelist. This would be helpful for more secure hubs.

Presumably a similar approach can be taken for Azure (@tjcrone) and Google (@jhamman).

For examples, see https://discuss.circleci.com/t/circleci-source-ip/1202/10

or relevant GitHub Actions code:

      - name: Add Runner IP to Kubernetes API Whitelist
        run: |
          # public IP of this runner, as seen from outside (IPv4)
          RUNNERIP=$(curl --silent https://checkip.amazonaws.com)
          aws --version
          aws eks update-cluster-config --name pangeo --resources-vpc-config publicAccessCidrs=$RUNNERIP/32 &> output.json
          # better to poll for readiness https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
          # (update-cluster-config returns before the endpoint change is applied; a fixed sleep is a placeholder)
          sleep 60
      - name: Get Pods
        run: |
          aws eks update-kubeconfig --name pangeo &> output.json
          kubectl get pods --all-namespaces
      - name: Revert to Original Kubernetes API Whitelist
        if: always()
        run: |
          # need to keep at least 1 IP in list
          # !!CAREFUL!! aws cli commands can output secrets in plain text to stdout, so redirect to output.json
          aws eks update-cluster-config --name pangeo --resources-vpc-config publicAccessCidrs="${{ secrets.IP_WHITELIST }}" &> output.json
salvis2 commented Feb 5, 2020

So after doing some work with context managers for aws credential file locations, it seems like the hubploy code for this issue should also use context managers. Add the IP of the current machine to the publicAccessCidrs when you start working, then restore the old list of allowed IPs when you are done. My question right now is what should that list be?

salvis2 commented Feb 20, 2020

@scottyhq do you have an idea for this? I think we are in a good spot to maybe hammer this out if we get together and hash out some of the details.
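The context-manager approach discussed above, written out as an added example (not hubploy code and not from either commenter): it reads the cluster's current `publicAccessCidrs`, appends the runner's /32, polls `describe_cluster` until the cluster is ACTIVE again instead of sleeping, and restores the original list in a `finally` block so a failed deploy cannot leave the runner IP on the allow-list. `FakeEks` is a constructed stand-in that mimics the boto3 EKS call shapes so the example runs offline; with a real client you would pass `boto3.client("eks")` instead.

```python
import ipaddress
import time
from contextlib import contextmanager

def with_runner_cidr(existing, runner_ip):
    """Allow-list with the runner's /32 appended (no duplicates, order kept)."""
    cidr = f"{ipaddress.ip_address(runner_ip)}/32"  # raises ValueError on malformed input; /32 assumes IPv4
    return list(existing) + ([] if cidr in existing else [cidr])

def wait_until_active(eks, name, interval, max_polls=120):
    """update-cluster-config is asynchronous: poll until the cluster is ACTIVE again."""
    for _ in range(max_polls):
        if eks.describe_cluster(name=name)["cluster"]["status"] == "ACTIVE":
            return
        time.sleep(interval)
    raise TimeoutError(f"cluster {name} did not return to ACTIVE")

@contextmanager
def allow_runner_ip(eks, name, runner_ip, interval=5):
    """Temporarily add runner_ip/32 to publicAccessCidrs; restore the original list on exit."""
    original = eks.describe_cluster(name=name)["cluster"]["resourcesVpcConfig"]["publicAccessCidrs"]
    eks.update_cluster_config(name=name, resourcesVpcConfig={"publicAccessCidrs": with_runner_cidr(original, runner_ip)})
    wait_until_active(eks, name, interval)
    try:
        yield original
    finally:  # runs whether the deploy succeeded, raised, or was interrupted
        # EKS keeps at least one CIDR on the cluster, so `original` is never an empty list
        eks.update_cluster_config(name=name, resourcesVpcConfig={"publicAccessCidrs": original})
        wait_until_active(eks, name, interval)

class FakeEks:
    """Constructed stand-in for boto3's EKS client (same call shapes) so this runs offline."""
    def __init__(self, cidrs):
        self.cidrs, self.pending = list(cidrs), 0
    def describe_cluster(self, name):
        status = "UPDATING" if self.pending else "ACTIVE"
        self.pending = max(0, self.pending - 1)  # each update takes two polls to settle
        return {"cluster": {"status": status, "resourcesVpcConfig": {"publicAccessCidrs": list(self.cidrs)}}}
    def update_cluster_config(self, name, resourcesVpcConfig):
        self.cidrs, self.pending = list(resourcesVpcConfig["publicAccessCidrs"]), 2

def run_deploy(eks, name, runner_ip, fail=False):
    """Return (allow-list during the deploy, allow-list afterwards); fail=True simulates a failed deploy."""
    try:
        with allow_runner_ip(eks, name, runner_ip, interval=0):
            during = list(eks.cidrs)
            if fail:
                raise RuntimeError("deploy failed")
    except RuntimeError:
        pass
    return during, list(eks.cidrs)
```

The allow-list restored on exit is whatever the cluster held before the deploy, which answers the "what should that list be" question without a separate stored secret; the sample CIDRs below are documentation ranges, not real addresses.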
