[WIP] 🏃 control plane NSG does not open the SSH port by default.

[jadarsie]

Signed-off-by: Javier Darsie [email protected]

What this PR does / why we need it:
This PR takes care of item 1 from the list of requirements in #104

Change the default NSG rules so they are more restrictive, we don't want the NSG to ever be open to the whole internet

Please let me know if this is not what it was expected.

Which issue(s) this PR fixes:
Fixes part of #104

Release note:

Control plane NSG does not open the SSH port by default.

[k8s-ci-robot]

Hi @jadarsie. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jadarsie]

Found out that this is not quite working after I updated kind to v0.7.0

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jadarsie
To complete the pull request process, please assign justaugustus
You can assign the PR to them by writing /assign @justaugustus in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[CecileRobertMichon]

/assign @justaugustus

@justaugustus is this what you had in mind for #104?

[awesomenix]

I would opt for making this as an option using feature gates, so customers(E2E and dev) can opt in to enable. Since API Server is technically open to the internet, i dont see any benefit of disabling SSH, agreed that it does remove an attach vector

[CecileRobertMichon]

I think we should consider closing this until #165 is implemented

[CecileRobertMichon]

I'm going to close this for now until Bastion hosts are implemented.

/close

[k8s-ci-robot]

@CecileRobertMichon: Closed this PR.

In response to this:

I'm going to close this for now until Bastion hosts are implemented.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

@jadarsie: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.