Implement bastion host #175

Closed
wants to merge 3 commits into from

Conversation

tahsinrahman
Contributor

@tahsinrahman tahsinrahman commented Apr 7, 2019

Which issue(s) this PR fixes
Fixes #165

Implement Bastion Host


@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/provider/azure Issues or PRs related to azure provider labels Apr 7, 2019
@k8s-ci-robot
Contributor

Hi @tahsinrahman. Thanks for your PR.

I'm waiting for a kubernetes-sigs or kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 7, 2019
@tahsinrahman
Contributor Author

@justaugustus

@justaugustus
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 7, 2019
@k8s-ci-robot k8s-ci-robot added sig/apps Categorizes an issue or PR as relevant to SIG Apps. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 8, 2019
return errors.Wrapf(err, "failed to createorupdate bastion public ip for cluster %s", s.scope.Cluster.Name)
}

bastionNicSpec := &networkinterfaces.Spec{
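Review bot: the error string on the first line runs the verb together as "createorupdate"; these messages end up in controller logs that operators search, so suggest `"failed to create or update bastion public IP for cluster %s"`. Separately, `bastionNicSpec := &networkinterfaces.Spec{` builds the bastion NIC inside the cluster reconciler with literal values; if the bastion becomes a machine role as discussed below, this spec belongs in the machine actuator next to the existing roles rather than here.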
Contributor

Can this be part of the machine actuator itself, so we can define 3 different roles: node, controlplane and bastion? Then we can specify this as part of the cluster spec itself instead of hard-coding values here.

@@ -37,7 +39,7 @@ type Spec struct {
StaticIPAddress string
PublicLoadBalancerName string
InternalLoadBalancerName string
NatRule int
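Review bot: `NatRule int` makes the zero value indistinguishable from "no NAT rule": a caller that leaves the field unset gets rule 0, which in this design is the SSH rule, so a NIC that was meant to have no inbound SSH path could be attached to it silently. Suggest `NatRule *int` (or a separate boolean) so that "unset" is explicit, and a comment next to the field stating which index carries SSH.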
Contributor

So the bastion VM is just a flavour of the created cluster; some users may not want an additional VM. So please add support for both scenarios.

@@ -120,6 +117,20 @@ func (s *Service) CreateOrUpdate(ctx context.Context, spec azure.Spec) error {
}
nicConfig.LoadBalancerBackendAddressPools = &backendAddressPools

if nicSpec.PublicIPName != "" {
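Review bot: the `if nicSpec.PublicIPName != "" {` branch attaches a dedicated public IP to a NIC that the preceding line has already placed in the load balancer backend pool (`nicConfig.LoadBalancerBackendAddressPools = &backendAddressPools`). For the bastion that creates two public paths onto the VM, one of which bypasses the load balancer's NAT rule. Since the request below is to reuse the existing public LB and its SSH NAT rule, suggest not assigning a per-NIC public IP in the bastion case so the LB rule is the only inbound path, and documenting when a direct public IP is still expected.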
Contributor

Please reuse the current public load balancer and reuse the NAT rule for the bastion VM instead of the control plane VM.

@tahsinrahman
Contributor Author

@awesomenix So, clusterSpec will have a field named bastionSpec, and if this field is nil it won't affect the current system, but if it is not nil we will create the bastion VM defined in bastionSpec?

@awesomenix
Contributor

> @awesomenix So, clusterSpec will have a field named bastionSpec, and if this field is nil it won't affect the current system, but if it is not nil we will create the bastion VM defined in bastionSpec?

Sorry, I meant this should be part of the machine list example here: https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/master/cmd/clusterctl/examples/azure/machines.yaml.template

You can see we define controlplane and node roles; there should be a bastion role as well, which you have defined in a few places in this PR.

  • The cluster spec defines that this is a locked-down cluster; in Azure we call it a private cluster, but I am not sure of the terminology in AWS. You can define a flag, IsPrivate, which marks it as such.
  • The idea is to let the machine actuator manage the lifecycle of the bastion VM (self recovery/maintenance), rather than the cluster actuator managing the lifecycle of the bastion VM and hard-coding certain values (like the image name etc.).
  • This way you can reuse most of the components already existing in the cluster (public IP, public LB etc.).
  • You can use NAT rule 0, which is SSH access, for the bastion rather than the control plane VM, and remove the health probes if IsPrivate is set to true.
  • Also, you might need to change the API server IP and the kubeconfig so that clusterctl succeeds in provisioning and is able to access the Kubernetes cluster. (Probably this might be done through the bastion VM, but I'm not sure.)

Could you please do a quick write up on how this will look for end user?

  • Create workflow
  • Future runtime access (how this will be done)

@tahsinrahman
Contributor Author

So, as far as I understand:

  • the user can deploy a machine with the role bastion
  • if the user deploys a bastion machine, reconcile the load balancer rule to redirect SSH traffic to the bastion VM
  • if the user deletes the bastion machine, reconcile the load balancer rule to allow SSH traffic to the controlplane VMs

For private clusters:

  • the load balancer will only be used to SSH into the bastion host, as we're removing the health probes?
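The design sketched in the two comments above (a bastion machine role, a single public load balancer whose inbound NAT rule 0 carries SSH, and an IsPrivate flag that drops the API server health probe) is easy to get subtly wrong, so here is the reconcile decision written out as an added example. This is not code from the PR or from cluster-api-provider-azure; the `Role`, `Machine`, `ClusterSpec` and `LoadBalancerState` types and the `Reconcile` function are stand-ins constructed for the example, and the sample machine list in `main` is constructed too. The security property it encodes is that there is exactly one public SSH entry point, that it moves to the bastion when one exists and falls back to a control-plane VM when the bastion is deleted, and that ambiguous inputs (two bastions, no SSH target, an unknown role) are rejected rather than resolved silently.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is a machine role as it would appear in the machine list template.
// controlplane and node exist in the project; bastion is the role proposed in
// this thread. The Go identifiers here are assumptions for this example.
type Role string

const (
	RoleControlPlane Role = "controlplane"
	RoleNode         Role = "node"
	RoleBastion      Role = "bastion"
)

// Machine is a constructed stand-in for a cluster-api Machine.
type Machine struct {
	Name string
	Role Role
}

// ClusterSpec is a constructed stand-in; IsPrivate is the flag suggested in the thread.
type ClusterSpec struct {
	IsPrivate bool
}

// SSHNatRule is the inbound NAT rule index that carries SSH (rule 0 in the thread).
const SSHNatRule = 0

// LoadBalancerState is the desired state of the single public load balancer.
type LoadBalancerState struct {
	SSHTarget      string   // VM that the SSH NAT rule forwards port 22 to
	NatRuleIndex   int      // rule index carrying SSH
	APIServerProbe bool     // whether the API server health probe is kept
	BackendPool    []string // control-plane VMs behind the API server rule
}

// Reconcile derives the load balancer state from the machine list so that:
//   - there is exactly one public SSH entry point, NAT rule 0;
//   - it targets the bastion if a bastion machine exists, otherwise a control-plane VM;
//   - a private cluster drops the API server health probe, leaving the LB to serve SSH only.
func Reconcile(spec ClusterSpec, machines []Machine) (LoadBalancerState, error) {
	var bastions, controlPlanes []string
	for _, m := range machines {
		switch m.Role {
		case RoleBastion:
			bastions = append(bastions, m.Name)
		case RoleControlPlane:
			controlPlanes = append(controlPlanes, m.Name)
		case RoleNode:
			// worker nodes are never reachable through the public load balancer
		default:
			return LoadBalancerState{}, fmt.Errorf("machine %q has unknown role %q", m.Name, m.Role)
		}
	}
	// One NAT rule forwards to one VM, so more than one bastion is a spec error
	// rather than something to resolve silently.
	if len(bastions) > 1 {
		return LoadBalancerState{}, fmt.Errorf("SSH NAT rule cannot target %d bastion machines", len(bastions))
	}
	if len(bastions) == 0 && len(controlPlanes) == 0 {
		return LoadBalancerState{}, errors.New("no bastion or control-plane machine to receive SSH")
	}
	state := LoadBalancerState{
		NatRuleIndex:   SSHNatRule,
		APIServerProbe: !spec.IsPrivate,
		BackendPool:    controlPlanes,
	}
	if len(bastions) == 1 {
		state.SSHTarget = bastions[0]
	} else {
		// No bastion: the rule falls back to a control-plane VM, the behaviour before this PR.
		state.SSHTarget = controlPlanes[0]
	}
	return state, nil
}

func main() {
	// Constructed machine list: one control plane, one worker, one bastion.
	machines := []Machine{
		{Name: "cp-0", Role: RoleControlPlane},
		{Name: "node-0", Role: RoleNode},
		{Name: "bastion-0", Role: RoleBastion},
	}
	state, err := Reconcile(ClusterSpec{IsPrivate: true}, machines)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("SSH via NAT rule %d -> %s, API server probe kept: %v\n",
		state.NatRuleIndex, state.SSHTarget, state.APIServerProbe)
}
```

Deleting the bastion machine and re-running `Reconcile` moves `SSHTarget` back to the control-plane VM, which is the "reconcile the load balancer rule" step in both directions; keeping the decision in one pure function like this is what makes that transition testable without an Azure subscription.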

@justaugustus
Member

@tahsinrahman -- please hold off on changing anything until I have the opportunity to review this. I should be able to tonight or by tomorrow afternoon at the latest.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 13, 2019
@justaugustus
Member

@tahsinrahman -- overall, this is a great start! I had some refactoring to do elsewhere in the repo, which has caused your branch to have some conflicts.

Can you please rebase this and then I can give a thorough review?

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Apr 18, 2019
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 24, 2019
@alexeldeib
Contributor

@tahsinrahman @justaugustus what is the status of this PR? Is it moving ahead? HA is kind of depending on fixing the networking rules, which this PR touches.

@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 20, 2019
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tahsinrahman
To complete the pull request process, please assign justaugustus
You can assign the PR to them by writing /assign @justaugustus in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tahsinrahman
Contributor Author

tahsinrahman commented Jun 20, 2019

@alexeldeib @justaugustus I've updated the PR. It now uses load balancer inbound NAT rules to connect to the bastion host.

@awesomenix Should the bastion node be defined as a Machine? Doesn't a Machine represent a Kubernetes node?

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 18, 2019
@justaugustus justaugustus added this to the next milestone Oct 3, 2019
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 15, 2019
@k8s-ci-robot
Contributor

@tahsinrahman: The following tests failed, say /retest to rerun them all:

| Test name | Commit | Details | Rerun command |
|---|---|---|---|
| pull-cluster-api-provider-azure-build | ba21188 | link | /test pull-cluster-api-provider-azure-build |
| pull-cluster-api-provider-azure-test | ba21188 | link | /test pull-cluster-api-provider-azure-test |
| pull-cluster-api-provider-azure-verify | ba21188 | link | /test pull-cluster-api-provider-azure-verify |
| pull-cluster-api-provider-azure-e2e | ba21188 | link | /test pull-cluster-api-provider-azure-e2e |

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Contributor

@tahsinrahman: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 2, 2020
@k8s-ci-robot
Contributor

@fejta-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@CecileRobertMichon CecileRobertMichon removed this from the next milestone May 4, 2023
Successfully merging this pull request may close these issues.

Implement Azure bastion host
7 participants