This repository has been archived by the owner on Oct 22, 2021. It is now read-only.

Remove security group that allows apps to communicate with internal network #304

Closed
f0rmiga opened this issue Jan 10, 2020 · 0 comments · Fixed by #434
Labels
Priority: High SUSE SUSE is pursuing a solution Type: Bug Something isn't working
f0rmiga commented Jan 10, 2020

Describe the bug

Replaces #297.

The pod and service CIDRs are currently required to create an app security group that allows connections to the internal k8s network. It allows connection to service brokers like credhub.

To Reproduce

Always.

Expected behavior

This approach is erroneous and we should allow only the credhub IP.
An auto-errand can take care of it by resolving credhub.service.cf.internal and creating a security group allowing apps to communicate with this IP. We also should add features.credhub.enabled=true as default, but remove credhub and the auto-errand when this setting is false, allowing the usage of an external credhub instance.

Environment

Kubecf 0.1, all platforms.
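
One way the auto-errand proposed above could derive its rule, as an added example that is not part of the issue or of kubecf's code: it resolves the CredHub name and emits one single-host rule per address instead of a rule covering the pod and service CIDRs. The names `Rule` and `credhubRules`, the sample address `10.96.12.34` and port `8844` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Rule is one egress rule of a Cloud Foundry application security group.
type Rule struct {
	Protocol    string `json:"protocol"`
	Destination string `json:"destination"`
	Ports       string `json:"ports"`
}

// credhubRules resolves host (lookup has net.LookupIP's signature) and returns
// one TCP rule per distinct IPv4 address, so apps reach only that service.
// It fails closed: no usable answer is an error, never a wider destination.
func credhubRules(lookup func(string) ([]net.IP, error), host, port string) ([]Rule, error) {
	ips, err := lookup(host)
	if err != nil {
		return nil, fmt.Errorf("resolve %s: %w", host, err)
	}
	seen := map[string]bool{}
	var rules []Rule
	for _, ip := range ips {
		v4 := ip.To4()
		if v4 == nil || v4.IsLoopback() || v4.IsUnspecified() || seen[v4.String()] {
			continue // skip IPv6, unusable and duplicate answers
		}
		seen[v4.String()] = true
		rules = append(rules, Rule{Protocol: "tcp", Destination: v4.String(), Ports: port})
	}
	if len(rules) == 0 {
		return nil, fmt.Errorf("no usable IPv4 address for %s", host)
	}
	return rules, nil
}

func main() {
	// Constructed DNS answer and assumed port; a real job would pass net.LookupIP.
	lookup := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("10.96.12.34")}, nil }
	rules, err := credhubRules(lookup, "credhub.service.cf.internal", "8844")
	if err != nil {
		panic(err)
	}
	out, _ := json.Marshal(rules)
	fmt.Println(string(out))
}
```

The printed JSON is in the rules-file format that `cf create-security-group` accepts.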

@f0rmiga f0rmiga added Type: Bug Something isn't working Priority: High labels Jan 10, 2020
@f0rmiga f0rmiga added this to the 0.2.0 milestone Jan 10, 2020
@mook-as mook-as self-assigned this Jan 10, 2020
mook-as added a commit to mook-as/kubecf that referenced this issue Jan 14, 2020
This adds a //dev/minikube:load bazel rule that, when run, will build a
golang-based program (which does nothing useful as of now) and loads it
into the minikube VM.

This is in preparation for adding a job to set up application security
groups in the cloud controller to allow applications to access credhub
(but only credhub) in support of cloudfoundry-incubator#304.
mook-as added a commit that referenced this issue Jan 23, 2020
mook-as added a commit to mook-as/kubecf that referenced this issue Jan 29, 2020
@fargozhu fargozhu added the Status: Blocked Dependencies on other issues and/or pull requests label Jan 31, 2020
@fargozhu fargozhu removed the Status: Blocked Dependencies on other issues and/or pull requests label Feb 3, 2020
@fargozhu fargozhu modified the milestones: 0.2.0, 1.0.0 Feb 3, 2020
@fargozhu fargozhu added SUSE SUSE is pursuing a solution Status: Accepted This issue will be implemented in a near future labels Feb 4, 2020
@fargozhu fargozhu added Status: WIP and removed Status: Accepted This issue will be implemented in a near future labels Feb 4, 2020
@fargozhu fargozhu added the Status: Verification Needed Issue must be verified before closed label Mar 2, 2020
@fargozhu fargozhu removed Status: Verification Needed Issue must be verified before closed Status: WIP labels Mar 6, 2020
3 participants