From d9be75e9fe6d6e7b49b90a4dc0ccca9ae2f1e280 Mon Sep 17 00:00:00 2001
From: Richard Eames
Date: Wed, 8 Jun 2016 12:33:15 -0600
Subject: [PATCH] Allow IP restrictions for SSH and HTTPS API access on AWS. Closes #26661
---
 cluster/aws/config-default.sh | 2 ++
 cluster/aws/util.sh | 8 +++-----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/cluster/aws/config-default.sh b/cluster/aws/config-default.sh
index 4b8f323a863..5e64eb01a21 100644
--- a/cluster/aws/config-default.sh
+++ b/cluster/aws/config-default.sh
@@ -88,6 +88,8 @@ NON_MASQUERADE_CIDR="${NON_MASQUERADE_CIDR:-10.0.0.0/8}" # Traffic to IPs outsid
 SERVICE_CLUSTER_IP_RANGE="${SERVICE_CLUSTER_IP_RANGE:-10.0.0.0/16}" # formerly PORTAL_NET
 CLUSTER_IP_RANGE="${CLUSTER_IP_RANGE:-10.244.0.0/16}"
 MASTER_IP_RANGE="${MASTER_IP_RANGE:-10.246.0.0/24}"
+SSH_CIDR="${SSH_CIDR:-0.0.0.0/0}" # IP to restrict ssh access to nodes/master
+HTTP_API_CIDR="${HTTP_API_CIDR:-0.0.0.0/0}" # IP to restrict HTTP API access
 # If set to an Elastic IP address, the master instance will be associated with this IP.
 # Otherwise a new Elastic IP will be acquired
 # (We used to accept 'auto' to mean 'allocate elastic ip', but that is now the default)
diff --git a/cluster/aws/util.sh b/cluster/aws/util.sh
index 80170c5f274..b09378f93d4 100755
--- a/cluster/aws/util.sh
+++ b/cluster/aws/util.sh
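Review bot: The two new comments describe the value as an "IP", but each variable is passed to `--cidr` in util.sh and so holds a single CIDR block; a bare address with no prefix length may be rejected by the AWS call rather than treated as a /32, and the default of 0.0.0.0/0 leaves both ports reachable from anywhere, which the comment should state. Suggested wording: `SSH_CIDR="${SSH_CIDR:-0.0.0.0/0}" # CIDR block allowed to reach SSH (port 22) on nodes/master; default is open to all` and `HTTP_API_CIDR="${HTTP_API_CIDR:-0.0.0.0/0}" # CIDR block allowed to reach the master API over HTTPS (port 443); default is open to all`. Since the variable governs port 443, a name such as HTTPS_API_CIDR would match the subject line and the existing "# HTTPS to the master" comment, though renaming changes the documented interface. Only one block can be given per variable; operators who need several source ranges will have to add rules by hand.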
@@ -1006,14 +1006,12 @@ function kube-up
 authorize-security-group-ingress "${MASTER_SG_ID}" "--source-group ${NODE_SG_ID} --protocol all"
 authorize-security-group-ingress "${NODE_SG_ID}" "--source-group ${MASTER_SG_ID} --protocol all"
- # TODO(justinsb): Would be fairly easy to replace 0.0.0.0/0 in these rules
- # SSH is open to the world
- authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 22 --cidr 0.0.0.0/0"
- authorize-security-group-ingress "${NODE_SG_ID}" "--protocol tcp --port 22 --cidr 0.0.0.0/0"
+ authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 22 --cidr ${SSH_CIDR}"
+ authorize-security-group-ingress "${NODE_SG_ID}" "--protocol tcp --port 22 --cidr ${SSH_CIDR}"
 # HTTPS to the master is allowed (for API access)
- authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 443 --cidr 0.0.0.0/0"
+ authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 443 --cidr ${HTTP_API_CIDR}"
 # KUBE_USE_EXISTING_MASTER is used to add minions to an existing master
 if [[ "${KUBE_USE_EXISTING_MASTER:-}" == "true" ]]; then
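Review bot: The new SSH_CIDR and HTTP_API_CIDR values are interpolated unvalidated into the argument string handed to `authorize-security-group-ingress`, so a mistyped value is only noticed when the AWS call fails partway through kube-up, and if that helper word-splits its second argument (not visible here) any whitespace in the value would become extra arguments. An IPv4 format check before the first of these calls, e.g. `[[ "${SSH_CIDR}" =~ ^[0-9]+(\.[0-9]+){3}/[0-9]+$ ]] || { echo "Invalid SSH_CIDR: ${SSH_CIDR}" >&2; exit 1; }`, and the same for HTTP_API_CIDR, fails fast with a clear message. With the `# SSH is open to the world` comment removed, nothing near these lines says that the default still opens port 22 to 0.0.0.0/0; a comment such as `# SSH and API ingress are limited to SSH_CIDR / HTTP_API_CIDR (default 0.0.0.0/0, i.e. open to all)` would keep that visible to whoever reads this block next. kube-up starts and ends outside the hunk.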