Skip to content
This repository has been archived by the owner on Jul 25, 2022. It is now read-only.

enhance SSH feature avoid oidc disturb msg #354

Closed
3 tasks done
tedteng opened this issue Sep 28, 2020 · 5 comments · Fixed by #368
Closed
3 tasks done

enhance SSH feature avoid oidc disturb msg #354

tedteng opened this issue Sep 28, 2020 · 5 comments · Fixed by #368
Assignees

Comments

@tedteng
Copy link
Contributor

tedteng commented Sep 28, 2020

Describe the bug

The implement PR #221 block SSH feature since start from gardenctl v19,v21. v22(master)

So far the impcat we can aware of is SSH feature, not sure others. if the user use SSH feature with ODIC, it will break SSH feature which not able to access host.
image

This ticket will tracking AWS, GCP, Azure

  • AWS

  • GCP

  • Azure

To Reproduce
Steps to reproduce the behavior:

  1. Which target was set 'gardenctl get target'
  2. Which command was entered [e.g. 'gardenctl show vpn-seed']
  3. What was the output of the command

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Gardenctl Version (please complete the following information):

  • v19
  • v21
  • v22 / Github master

Additional context
Add any other context about the problem here.

@tedteng
Copy link
Contributor Author

tedteng commented Sep 28, 2020

I am working on AWS currently

@tedteng
Copy link
Contributor Author

tedteng commented Sep 29, 2020

During the refactoring operate method also lead to ExecCmd. which we have another issue #352.
I will not use ExecCmd in operate.go , refactoring case aws

case "aws":
		accessKeyID := []byte(secret.Data["accessKeyID"])
		secretAccessKey := []byte(secret.Data["secretAccessKey"])
		parts := strings.Fields(arguments)
		cmd := exec.Command("aws", parts...)
		newEnv := append(os.Environ(), "AWS_ACCESS_KEY_ID="+string(accessKeyID[:]), "AWS_SECRET_ACCESS_KEY="+string(secretAccessKey[:]), "AWS_DEFAULT_REGION="+region, "AWS_DEFAULT_OUTPUT=text")
		cmd.Env = newEnv
		out, err := cmd.CombinedOutput()
		if err != nil {
			log.Fatalf("cmd.Run() failed with %s\n", err)
		}
		return (strings.TrimSpace(string(out[:])))

in draft PR. continue refactoring ssh_aws.go

@tedteng
Copy link
Contributor Author

tedteng commented Oct 7, 2020

I am planning work on GCP

@tedteng
Copy link
Contributor Author

tedteng commented Oct 8, 2020

AWS, GCP, Azure all done and pass. will verify aliyun and openstack whether had impacted due to operte.go refactoring.

GCP:
gg ssh shoot--i333878--gcp-gcp-001-worker-k41j4-z1-5584688648-l4dvd                                       Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains auth provider configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains auth provider configurations that could contain malicious code. Please only continue if you have verified it to be uncritical

Warning:
Be aware that you are entering an untrusted environment!
Do not enter credentials or sensitive data within the ssh session that cluster owners should not have access to.

Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Downloaded id_rsa key
Check Public IP

(1/4) Fetching data from target shoot cluster
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Data fetched from target shoot cluster.

(2/4) Setting up bastion host firewall rule
Add ssh rule
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Creating firewall...
....Created [https://www.googleapis.com/compute/v1/projects/sap-se-gcp-scp-k8s-dev/global/firewalls/shoot--i333878--gcp-gcp-001-allow-ssh-access].
done.
NAME                                          NETWORK                      DIRECTION  PRIORITY  ALLOW   DENY  DISABLED
shoot--i333878--gcp-gcp-001-allow-ssh-access  shoot--i333878--gcp-gcp-001  INGRESS    1000      tcp:22        False
(3/4) Creating bastion host
Create bastion host
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Created [https://www.googleapis.com/compute/v1/projects/sap-se-gcp-scp-k8s-dev/zones/europe-west1-b/instances/shoot--i333878--gcp-gcp-001-bastions].
NAME                                  ZONE            MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS
shoot--i333878--gcp-gcp-001-bastions  europe-west1-b  n1-standard-1               10.250.0.3   35.233.21.174  RUNNING
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Instance State: RUNNING
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains auth provider configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Waiting 45 seconds until ports are open.
ssh -i/Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/key -oProxyCommand=ssh -W%h:%p -i/Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/key -oIdentitiesOnly=yes -oStrictHostKeyChecking=no gardener@35.233.21.174 gardener@shoot--i333878--gcp-gcp-001-worker-k41j4-z1-5584688648-l4dvd -oIdentitiesOnly=yes -oStrictHostKeyChecking=no
Warning: Permanently added '35.233.21.174' (ECDSA) to the list of known hosts.
Warning: Permanently added 'shoot--i333878--gcp-gcp-001-worker-k41j4-z1-5584688648-l4dvd' (ED25519) to the list of known hosts.
  ____               _              _     _                  
 / ___| __ _ _ __ __| | ___ _ __   | |    _ _ __  _   ___  __
| |  _ / _` | '__/ _` |/ _ \ '_ \  | |   | | '_ \| | | \ \/ /
| |_| | (_| | | | (_| |  __/ | | | | |___| | | | | |_| |>  < 
 \____|\__,_|_|  \__,_|\___|_| |_| |_____|_|_| |_|\__,_/_/\_\
Garden Linux 11 (based on Debian GNU/Linux 11)               

Welcome to shoot--i333878--gcp-gcp-001-worker-k41j4-z1-5584688648-l4dvd.c.sap-se-gcp-scp-k8s-dev.internal  Thu Oct  8 06:27:16 UTC 2020
Linux #1 SMP Debian 5.4.19-1 (2020-02-13) x86_64 up 52 minutes
Load:  0.15, 0.20, 0.25 of 2CPUs  no iowait  no steal time
Free:  RAM 58.14%  Disk / 92.16% /usr 28.15% /boot/efi 100.00% 

ens4        10.250.0.2/32  fe80::4001:aff:fefa:2/64  
tunl0       100.96.0.1/32                            


The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ exit
Connection to shoot--i333878--gcp-gcp-001-worker-k41j4-z1-5584688648-l4dvd closed.
(4/4) Cleanup
Cleaning up bastion host configurations...

Starting cleanup

  (1/2) Cleaning up bastion host instance
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Deleted [https://www.googleapis.com/compute/v1/projects/sap-se-gcp-scp-k8s-dev/zones/europe-west1-b/instances/shoot--i333878--gcp-gcp-001-bastions].
  (2/2) Close SSH Port on Node.
Close SSH Port on Node.
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains auth provider configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Deleted [https://www.googleapis.com/compute/v1/projects/sap-se-gcp-scp-k8s-dev/global/firewalls/shoot--i333878--gcp-gcp-001-allow-ssh-access].
Bastion host configurations successfully cleaned up.



Azure
gg ssh shoot--i333878--az-az-001-worker-bt6i6-z3-598c94d869-l68d2
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical

Warning:
Be aware that you are entering an untrusted environment!
Do not enter credentials or sensitive data within the ssh session that cluster owners should not have access to.

Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Downloaded id_rsa key
Check Public IP

(1/4) Fetching data from target shoot cluster
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Standard
Data fetched from target shoot cluster.

(2/4) Configuring Azure
Opened SSH Port.
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains auth provider configurations that could contain malicious code. Please only continue if you have verified it to be uncritical

Create public ip
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
20.54.46.21
Waiting 5 s until public ip is available.

Add public ip to nic

Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Waiting 30 seconds until ports are open.
(3/4) Establishing SSH connection

Warning: Permanently added '20.54.46.21' (ED25519) to the list of known hosts.
  ____               _              _     _                  
 / ___| __ _ _ __ __| | ___ _ __   | |    _ _ __  _   ___  __
| |  _ / _` | '__/ _` |/ _ \ '_ \  | |   | | '_ \| | | \ \/ /
| |_| | (_| | | | (_| |  __/ | | | | |___| | | | | |_| |>  < 
 \____|\__,_|_|  \__,_|\___|_| |_| |_____|_|_| |_|\__,_/_/\_\
Garden Linux 11 (based on Debian GNU/Linux 11)               

Welcome to shoot--i333878--az-az-001-worker-bt6i6-z3-598c94d869-l68d2.ku0di1l4wfdutovlmztclf00lc.fx.internal.cloudapp.net  Thu Oct  8 07:48:24 UTC 2020
Linux #1 SMP Debian 5.4.19-1 (2020-02-13) x86_64 up 1 hour, 10 minutes
Load:  0.72, 1.62, 2.09 of 1CPUs  2.25% iowait  no steal time
Free:  RAM 6.14%  Disk / 92.54% /usr 28.08% /boot/efi 100.00% /mnt/resource 94.37% 

eth0       10.250.0.4/16  fe80::20d:3aff:fedc:d470/64  


The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Oct  8 07:38:57 2020 from 180.166.22.232
$ exit
Connection to 20.54.46.21 closed.

(4/4) Cleanup

  (1/3) Remove SSH rule
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical

  (2/3) Remove public ip from nic
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains auth provider configurations that could contain malicious code. Please only continue if you have verified it to be uncritical

  (3/3) Delete public ip
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical

Configuration successfully cleaned up.

@tedteng tedteng self-assigned this Oct 9, 2020
@tedteng
Copy link
Contributor Author

tedteng commented Oct 9, 2020

I think the ticker ready review as #373 openstack not able to ssh and alicloud failure ssh either. #372.
So far AWS, GCP, Azure all good ssh after refactor

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant