This repository has been archived by the owner on Feb 5, 2020. It is now read-only.

use explicit ports in security groups #248

Closed
sym3tri opened this issue Apr 17, 2017 · 2 comments
sym3tri commented Apr 17, 2017

Don't use wildcards

@sym3tri sym3tri added this to the AWS is stable milestone Apr 17, 2017

philips commented Apr 17, 2017


philips commented Apr 17, 2017

@aaronlevy does that list still look correct?

@alexsomesan alexsomesan self-assigned this Apr 18, 2017
s-urbaniak pushed a commit to s-urbaniak/tectonic-installer that referenced this issue Apr 19, 2017
Currently masters and workers share a pretty open security group.
Furthermore workers expose ingress traffic at critical k8s ports like
10250 and 10255.

This fixes it by removing the common cluster default security group and
specifying separate ingress/egress rules reflecting settings from the
current tectonic installer.

It also assigns only one security group for masters and workers.

Fixes coreos#248, coreos#243
s-urbaniak pushed a commit to s-urbaniak/tectonic-installer that referenced this issue Apr 19, 2017
Currently masters and workers share a pretty open security group.
Furthermore workers expose ingress traffic at critical k8s ports like
10250 and 10255.

This fixes it by removing the common cluster default security group and
specifying separate ingress/egress rules reflecting settings from the
current tectonic installer.

It also assigns only one security group for masters and workers.

Fixes coreos#248, coreos#243, coreos#227
alexsomesan pushed a commit that referenced this issue Apr 19, 2017
* modules/aws: tighten security groups

Currently masters and workers share a pretty open security group.
Furthermore workers expose ingress traffic at critical k8s ports like
10250 and 10255.

This fixes it by removing the common cluster default security group and
specifying separate ingress/egress rules reflecting settings from the
current tectonic installer.

It also assigns only one security group for masters and workers.

Fixes #248, #243, #227

* Documentation/generic-platform: change flannel port to 4789

... because that one is configured and recommended since it is the IANA
based one. Tools like tcpdump then decode vxlan packets natively.

The old port (8472) is retained as the default port in the kernel for
backwards compatibility purposes only, see [1].

Other projects also switched to the new IANA assigned port.

[1] http://lxr.free-electrons.com/source/drivers/net/vxlan.c#L43
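
An added example, not part of the issue thread or the tectonic-installer code: a check for the two problems the commit message describes, wildcard port ranges and ingress to the kubelet ports 10250 and 10255. Rule dicts follow the EC2 `DescribeSecurityGroups` `IpPermissions` shape; the group IDs, the sample rules and the `kubelet_sources` allow-list policy are assumptions made for the example.

```python
# Added example: rule dicts use the EC2 DescribeSecurityGroups "IpPermissions" shape.
KUBELET_PORTS = (10250, 10255)  # the ports named in the commit message

def port_span(rule):
    """Return (low, high); IpProtocol "-1" means every protocol and port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)

def audit(group, kubelet_sources):
    """List (finding, detail) tuples for one security group.

    kubelet_sources: group IDs or CIDRs allowed to reach the kubelet ports
    (a policy assumed for this example, not stated in the thread).
    """
    findings = []
    for rule in group.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "udp", "-1"):
            continue  # ICMP rules carry type/code, not ports
        low, high = port_span(rule)
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
        if (low, high) == (0, 65535):
            findings.append(("wildcard-ports", f"{proto} {low}-{high} from {sources}"))
        for src in sources:
            if src in kubelet_sources:
                continue
            for port in KUBELET_PORTS:
                if low <= port <= high:
                    findings.append(("kubelet-exposed", f"port {port} from {src}"))
    return findings

# Constructed sample data, not taken from the project.
OPEN_GROUP = {"GroupId": "sg-example-open", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
EXPLICIT_GROUP = {"GroupId": "sg-example-worker", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 10250, "ToPort": 10250,
     "UserIdGroupPairs": [{"GroupId": "sg-example-master"}]},
    {"IpProtocol": "udp", "FromPort": 4789, "ToPort": 4789,
     "UserIdGroupPairs": [{"GroupId": "sg-example-worker"}]},
]}

if __name__ == "__main__":
    for g in (OPEN_GROUP, EXPLICIT_GROUP):
        print(g["GroupId"], audit(g, {"sg-example-master"}))
```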