
[contrib/terraform/openstack] No security group rules allowing ssh unless deployed with bastion host #4487

Closed
holmsten opened this issue Apr 10, 2019 · 2 comments · Fixed by #4506
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@holmsten (Contributor)

/kind bug

Environment:

  • Cloud provider or hardware configuration:
openstack
  • OS (printf "$(uname -srm)\n$(cat /etc/os-release)\n"):
Ubuntu 18.04
  • Version of Ansible (ansible --version):
ansible 2.7.10

Kubespray version (commit) (git rev-parse --short HEAD):
e865c50

Output of ansible run:

fatal: [cluster1-k8s-node-3]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
fatal: [cluster1-k8s-node-1]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
fatal: [cluster1-k8s-master-3]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
fatal: [cluster1-k8s-master-1]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
fatal: [cluster1-k8s-node-2]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
fatal: [cluster1-k8s-master-2]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}

Anything else do we need to know:
This bug is introduced from changes made in #4291.

If you don't deploy with a bastion (number_of_bastions = 0 in your terraform variables file) the security group is never created and no other rules exist for allowing SSH from outside your cluster.
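As an added illustration (not code from Kubespray's contrib/terraform/openstack, nor from the fix in #4506), the Terraform below contrasts the pattern described in this issue, an SSH rule that exists only while bastions are deployed, with a dedicated SSH security group that is created unconditionally and attached to the masters when no bastion fronts the cluster. The resource types are those of the OpenStack Terraform provider; the variable names cluster_name, number_of_bastions, number_of_k8s_masters, ssh_allowed_cidrs, image, flavor_k8s_master, key_pair and network_name, and the instance fields shown, are assumptions for the example.

```hcl
# Added example, not Kubespray's own Terraform. All variables below are assumed.
variable "cluster_name" { type = string }
variable "number_of_bastions" {
  type    = number
  default = 0
}
variable "number_of_k8s_masters" {
  type    = number
  default = 1
}
variable "ssh_allowed_cidrs" {
  # Source ranges permitted to reach port 22. Narrow this to the operator
  # networks that run Ansible; the listing in this issue shows 0.0.0.0/0.
  type    = list(string)
  default = ["0.0.0.0/0"]
}
variable "image" { type = string }
variable "flavor_k8s_master" { type = string }
variable "key_pair" { type = string }
variable "network_name" { type = string }

# Buggy pattern: the only SSH rule lives in a group whose count is tied to the
# bastion count, so with number_of_bastions = 0 no host accepts SSH at all and
# Ansible times out waiting for the privilege-escalation prompt.
resource "openstack_networking_secgroup_v2" "bastion" {
  count       = var.number_of_bastions > 0 ? 1 : 0
  name        = "${var.cluster_name}-bastion"
  description = "${var.cluster_name} - Bastion Server"
}

resource "openstack_networking_secgroup_rule_v2" "bastion_ssh" {
  count             = var.number_of_bastions > 0 ? 1 : 0
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = "0.0.0.0/0"
  security_group_id = openstack_networking_secgroup_v2.bastion[0].id
}

# Fixed pattern: a dedicated SSH group is always created, with one ingress rule
# per allowed CIDR, independent of how many bastions exist.
resource "openstack_networking_secgroup_v2" "ssh" {
  name        = "${var.cluster_name}-ssh"
  description = "${var.cluster_name} - SSH management access"
}

resource "openstack_networking_secgroup_rule_v2" "ssh_in" {
  count             = length(var.ssh_allowed_cidrs)
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = var.ssh_allowed_cidrs[count.index]
  security_group_id = openstack_networking_secgroup_v2.ssh.id
}

resource "openstack_networking_secgroup_v2" "k8s_master" {
  name        = "${var.cluster_name}-k8s-master"
  description = "${var.cluster_name} - Kubernetes Master"
}

locals {
  # Masters carry the SSH group only when no bastion fronts the cluster; with a
  # bastion, only the bastion needs to be reachable on 22 from outside.
  master_secgroups = concat(
    [openstack_networking_secgroup_v2.k8s_master.name],
    var.number_of_bastions == 0 ? [openstack_networking_secgroup_v2.ssh.name] : []
  )
}

resource "openstack_compute_instance_v2" "k8s_master" {
  count           = var.number_of_k8s_masters
  name            = "${var.cluster_name}-k8s-master-${count.index + 1}"
  image_name      = var.image
  flavor_name     = var.flavor_k8s_master
  key_pair        = var.key_pair
  security_groups = local.master_secgroups
  network {
    name = var.network_name
  }
}
```

After `terraform apply`, `openstack security group rule list <cluster_name>-ssh` should show one 22/tcp ingress rule per entry in ssh_allowed_cidrs, and `openstack server show <cluster_name>-k8s-master-1` should list that group whenever number_of_bastions is 0; the same check against the listing pasted later in this thread is what reveals the missing group on the master.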

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Apr 10, 2019
holmsten added a commit to holmsten/kubespray that referenced this issue Apr 10, 2019
@Miouge1 (Contributor)

Miouge1 commented Apr 10, 2019

I've reproduced this as well. Even if number_of_bastions = 0, the bastion security group is used for SSH access. Therefore there is no situation where the bastion security group is not needed.

@pfisterer

pfisterer commented Jun 10, 2020

@Miouge1 I just had a similar issue. I've set number_of_bastions = 0 and wanted to test connectivity using ansible -vvv -i inventory/$CLUSTER/hosts -m ping all. I'm unable to connect to the master using ssh.

My master node (spray1st-k8s-master-1) is NOT using the security group spray1st-bastion but only spray1st-k8s-master and spray1st-k8s. Once I add spray1st-bastion to the master manually, everything works.

  • Cloud provider or hardware configuration: OpenStack
  • Output of git rev-parse --short HEAD: a7b8708

In addition, I get

fatal: [spray1st-k8s-master-1]: FAILED! => {
    "changed": true,
    "cmd": [
        "ping",
        "-c1",
        "141.72.191.248"
    ],
    "delta": "0:00:10.021863",
    "end": "2020-06-11 10:55:24.535541",
    "rc": 1,
    "start": "2020-06-11 10:55:14.513678"
}

and had to explicitly enable ICMP.

Any ideas? Best regards,
Dennis

Security groups as defined in OpenStack:

spray1st-bastion
        ALLOW IPv4 22/tcp from 0.0.0.0/0

spray1st-k8s-master
        ALLOW IPv4 6443/tcp from 0.0.0.0/0
        ALLOW IPv4 22/tcp from 0.0.0.0/0

spray1st-k8s
        ALLOW IPv4 to 0.0.0.0/0
        ALLOW IPv4 from spray1st-k8s
