Google Cloud provider behavior with firewall rules #26
Comments
Hi @boredabdel, thanks a lot for opening the issue. If I understood correctly this is a matter of changing the defaults we currently have in the gcloud provider when creating new instances.
Yes, but not enough. Setting the PUBLIC_IP_ENABLED will only disable the Public IP. For IAP you still need to add a firewall rule https://cloud.google.com/iap/docs/using-tcp-forwarding#preparing_your_project_for_tcp_forwarding
Fair enough. So far we've shied away from altering your whole project when creating a workspace to avoid unintended side effects.
I completely understand that you want to keep the client as agnostic as possible. 1 - That would be great
I was trying out devpod today with Google Cloud as a backend provider, and I noticed a default, potentially insecure behavior.
The provider assumes a firewall rule that allows incoming SSH connections. This is a valid assumption because for new projects an allow-all SSH ingress rule is present [1].
Now this is the default behavior but not the recommended one. Typically, for safety reasons, we recommend users remove these default firewall rules. The reason is simply that any VM that has a Public IP will by default be open to the Internet on SSH (authentication via password is disabled; only SSH key authentication is enabled on the VM images provided by Google Cloud).
The recommended way is to use Identity-Aware Proxy (IAP) port forwarding (aka tunneling) [2]. With IAP tunneling, users have to configure a single firewall rule for the entire project (they can use network tags to restrict it to specific VMs) and use IAM to grant access to users. This method has two advantages:
The catch is that to connect to a VM using IAP you need to pass a flag to gcloud: --tunnel-through-iap. I tried removing the default firewall rules, configuring IAP and trying out devpod, but it doesn't work. The client doesn't seem to have a way to pass extra flags!
[1] https://cloud.google.com/firewall/docs/firewalls#more_rules_default_vpc
[2] https://cloud.google.com/iap/docs/using-tcp-forwarding#preparing_your_project_for_tcp_forwarding
[3] https://cloud.google.com/vpc/pricing
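The state the report asks for (no rule opening port 22 to the whole Internet, exactly one rule admitting port 22 from the IAP range) can be checked from a firewall listing. The script below is an added example, not devpod's or Google's code; it assumes the listed gcloud --format projection and runs over a constructed sample listing.

```shell
# Added example (not devpod's or Google's code). Input: one firewall rule per line as
#   name,direction,sourceRanges,allowed   with ';' separating list items,
# which is what this (assumed) projection prints:
#   gcloud compute firewall-rules list --format='csv[no-heading](name,direction,
#     sourceRanges.list(separator=";"),allowed[].map().firewall_rule().list(separator=";"))'
# The rules below are a constructed sample, not a real project.
SAMPLE_RULES='default-allow-ssh,INGRESS,0.0.0.0/0,tcp:22
default-allow-rdp,INGRESS,0.0.0.0/0,tcp:3389
default-allow-internal,INGRESS,10.128.0.0/9,tcp:0-65535;udp:0-65535;icmp
allow-ssh-ingress-from-iap,INGRESS,35.235.240.0/20,tcp:22
allow-egress-all,EGRESS,0.0.0.0/0,all'
IAP_RANGE='35.235.240.0/20'   # source range used by IAP TCP forwarding (see [2])

# $1 is one allowed entry (tcp:22, tcp:20-25, tcp, all, udp:53, ...): succeeds if it covers TCP 22.
allows_tcp22() {
  case "$1" in
    all|tcp|tcp:22) return 0 ;;
    tcp:*-*) r=${1#tcp:}; lo=${r%-*}; hi=${r#*-}
             [ "$lo" -le 22 ] && [ "$hi" -ge 22 ] && return 0 ;;
  esac
  return 1
}
# $1 is a ';'-separated allowed list: succeeds if any entry covers TCP 22.
list_allows_tcp22() {
  for entry in $(printf '%s' "$1" | tr ';' ' '); do
    allows_tcp22 "$entry" && return 0
  done
  return 1
}
# Print INGRESS rules that open TCP 22 to 0.0.0.0/0 (the default allow-all SSH rule is one); return 1 if any.
find_open_ssh_rules() {
  found=0
  while IFS=, read -r name direction src allowed; do
    [ "$direction" = INGRESS ] || continue
    case ";$src;" in *";0.0.0.0/0;"*) ;; *) continue ;; esac
    list_allows_tcp22 "$allowed" && { echo "$name"; found=1; }
  done
  return "$found"
}
# Succeed when an INGRESS rule admits TCP 22 from the IAP range: the single rule IAP tunneling needs.
has_iap_ssh_rule() {
  while IFS=, read -r name direction src allowed; do
    [ "$direction" = INGRESS ] || continue
    case ";$src;" in *";$IAP_RANGE;"*) list_allows_tcp22 "$allowed" && return 0 ;; esac
  done
  return 1
}

printf '%s\n' "$SAMPLE_RULES" | find_open_ssh_rules || echo "^ rules open to the Internet on port 22"
printf '%s\n' "$SAMPLE_RULES" | has_iap_ssh_rule && echo "IAP SSH rule present"
```

Once the listing is clean, the VM is reached with gcloud compute ssh and the --tunnel-through-iap flag the report mentions, so the check above is what a provider would need to pass before relying on that path.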