Whitelisting not working with AWS (deis 2.5.0) #512
Comments
|
I followed the instructions here: https://github.com/deis/workflow/blob/master/src/managing-workflow/security-considerations.md#ip-whitelist |
|
did you try setting the IP using X-Forwarded-For header. |
|
No, how would I do that? |
|
how are you testing whether it works or not......if you are using curl to test it out just add |
|
That still gets a 403 forbidden |
|
@dmcnaught if you wouldn't mind describing how you provisioned your platform, the example application used that is failing (if using one, if not would you mind deploying one to test against?) how you set up using |
|
My assumption is:
Is that correct? |
|
@bacongobbler Sure - we are currently using kube-up with some extra subnets for the minion ASG. |
|
ok: reproduced with example-go. Adding my ip to the whitelist results in 403 Forbidden. |
|
@dmcnaught did you enable proxy protocol on the aws elb and deis router(https://github.com/deis/router#annotations) Because only then will nginx can see the real client ip. |
|
Thanks for the tip - looks like I should do that. Only by reversing to false could I reach deis and the apps again: --- kubernetes/deis ‹master› » kubectl --namespace=deis annotate deployments/deis-router router.deis.io/nginx.useProxyProtocol=true --overwrite
deployment "deis-router" annotated
--- kubernetes/deis ‹master› » deis apps:list
=== Apps
example-go
wellbot
welltok-arch
--- kubernetes/deis ‹master› » deis apps:list
Error: Unknown Error (504):
--- kubernetes/deis ‹master› » deis apps:list 1 ↵
Error: Unknown Error (504):
--- kubernetes/deis ‹master› » kubectl --namespace=deis annotate deployments/deis-router router.deis.io/nginx.useProxyProtocol=false --overwrite
deployment "deis-router" annotated
--- kubernetes/deis ‹master› » deis apps:list
Error: Unknown Error (504):
--- kubernetes/deis ‹master› » deis apps:list 1 ↵
Error: Unknown Error (504):
--- kubernetes/deis ‹master› » deis apps:list 1 ↵
Error: Unknown Error (504):
--- kubernetes/deis ‹master› » deis apps:list 1 ↵
Error: Unknown Error (504):
--- kubernetes/deis ‹master› » deis apps:list 1 ↵
Error: Unknown Error (504):
--- kubernetes/deis ‹master› » deis apps:list 1 ↵
=== Apps
example-go
wellbot
welltok-arch |
|
did you enable the proxy protocol on the aws elb https://deis.com/docs/workflow/managing-workflow/configuring-load-balancers/#configuring-proxy-protocol |
|
No. Trying that: |
|
And to confirm you are on a kubernetes cluster that is at least v1.3.4, correct? |
|
which version of kubernetes are you on? |
|
1.3.5: |
|
the only other thing i did to make it work is add proxyrealipcidrs |
|
@kmala That command you sent an hour ago has got things working for me (right above), and I didn't even do the |
|
In fact Thanks for the fix. I guess we should add to the docs. |
@dmcnaught Proxy protocol support requires deis-router v2.6.2 or later to work properly. Did you give your ELB some time to apply the new configuration? If you run "BackendServerDescriptions": [
{
"InstancePort": 30523,
"PolicyNames": [
"k8s-proxyprotocol-enabled"
]
},
{
"InstancePort": 31166,
"PolicyNames": [
"k8s-proxyprotocol-enabled"
]
},
{
"InstancePort": 31252,
"PolicyNames": [
"k8s-proxyprotocol-enabled"
]
},
{
"InstancePort": 32157,
"PolicyNames": [
"k8s-proxyprotocol-enabled"
]
}
],Unless both your deis-router and ELB are speaking PROXY protocol your connections will be broken. |
|
Thanks @felixbuenemann - I do see that on the elb currently: When I do a I see I'll look into this a bit more when I upgrade another of our clusters to 2.5 and apply these configs. Maybe before if this thread inspires me 😄 |
|
@dmcnaught So you need to enable proxy protocol on your deis router using Btw. you don't need to upgrade your whole cluster to deis workflow 2.6.0, switching the deis-router to the 2.6.2 image will work fine on a 2.5.0 cluster (and probably older). You can edit the existing deployment with If you run into any problem you can always revert to the old image by reverting the change.
Deis Workflow 2.5 is too old, you need 2.6. Depending on how you VPC is configured you might also need to follow @kmala's advise and customise you |
|
Aaah - I kind of skipped over the 2.6.2 comment a little. You mean the reason it's not working for me, is that is doesn't work with earlier versions of the deis-router than 2.6.2... I haven't done extensive testing yet though - but one application seems to work fine so far. |
|
HTTP/HTTPS will work fine on deis-router < 2.6.2, but pushing new releases to the builder will fail, unless you are running 2.6.2, because of deis/router#263. |
|
I just upgraded my second cluster from 2.4.2 to 2.5.0. and re-associated my CNAME, added my cert to the ELB. and my cluster became unreachable. I left it for 30 minutes, and after that deis login and apps were still unreachable. I ran and within a minute or so my cluster and apps were reachable again. to see if that would help, but no difference. |
|
@dmcnaught when you say your cluster is becoming unreachabe when you enable |
|
@dmcnaught You wrote you added your cert to the ELB. Are you running your ELB in HTTP/HTTPS mode instead of TCP? If you are you should be using X-Forwarded-For instead of proxy protocol. The default setup uses TCP mode on the ELB and terminates http / https and ssh on the deis router, so your cert would be on the router not on the ELB. |
|
This is what I get when I try to login: and this whenI try to access the app: I'm also getting this message a lot (before and after |
|
@felixbuenemann Yes - I'm terminating ssl on the ELB |
|
@felixbuenemann How should I set X-Forwarded-For instead of proxy protocol? |
|
Well, terminating SSL on the ELB is a bad idea, because it breaks ALPN and as such HTTP/2 and your apps cannot distinguish between HTTPS and HTTP connection. You can theoretically configure port 80 on the ELB to HTTP, 443 to HTTPS and 2222 to TCP. In this case the ELB will add X-Forwarded-For, X-Forwarded-Proto headers, but you are pretty much on your own with the configuration and doing this through Kubernetes annotations likely requires K8s 1.4 (see kubernetes/kubernetes#26268). You also loose HTTP/2 in this case. If you want to save youself a lot of trouble, go with the default TCP mode ELB config and shell out some money for a non-acm wildcard ssl cert that you can configure on the deis router. Once you've moved SSL termination to the Deis Router and upgraded to 2.6 proxy protocol and whitelisting should both work fine. Btw. The warning you posted above is fixed in workflow 2.6.0. |
|
So - no plans to support whitelisting with SSL terminating on the ELB? 😞 |
|
@dmcnaught Technically you should be able to get it working, but it will require quite some fiddling. If you configure port 443 on the ELB to SSL mode and forward it to the HTTP port on the Deis router and forward 80 and 2222 in TCP mode you can use proxy portocol on all those ports which should get whitelisting working. This is what you could try:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:…
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
router.deis.io/nginx.useProxyProtocol: "true"
spec:
ports:
- containerPort: 8080
hostPort: 80
protocol: TCP
- containerPort: 8080
hostPort: 443
protocol: TCP
- containerPort: 2222
hostPort: 2222
protocol: TCP
- containerPort: 9090
hostPort: 9090
protocol: TCPIn theory the above should work (I can't try 'cause I'm still on K8s 1.3), but you will completely bypass deis' own certificate handling and the ability for your apps to differentiate between http and https. I don't think this will ever be an officially supported configuration, because this limits you to a single certificate on the ELB and all app specific domains have to be added as SAN entries on the same cert, while deis supports different certificates for each app in addition to the default wildcard platform cert. |
|
ok - we're still on 1.3 too, so I'll have to wait to try this until we go to 1.4 |
|
With regard to your most recent comment - if we put a wildcard cert on the ELB, there's no need to any other domains to be added (as SAN entries) - all apps can be served as SSL through the ELB by the deis-router in the wildcarded domain. It really is a great solution IMHO if you don't need ALPN/HTTP/2 and no desire to pay for a wildcard cert. I do have all the settings you specify above in 1.3 - except |
|
If you manually configure the ELB you risk loosing your modifications when kubernetes updates the ELB. I think this could be the reason why enabling proxy protocol on the router isn't working for you. Because if it was properly enabled on the ELB but disabled on the router, all connections should fail, but you are reporting the opposite behavior. |
|
I don't quite follow @felixbuenemann - I re-run the aws script that adds the cert to the ELB if a new ELB is created, or it loses the cert for another reason. |
|
ping, has this been resolved? |
|
We have a 1.4 cluster up here now, so I can test - I'll put it on my todo list. Thanks |
|
With Kubernetes 1.5.2 I can add an application specific whitelist with |
|
Whitelist can be removed with |
|
Oh - one other change - When I add the cert to the ELB, I delete the listeners on port 443 and port 80, and create a new listener on 443 pointing to the instanceport that 80 was connecting to.. |
|
I think we can consider this one closed then. Let's open separate tickets if there are other action items we need to fix/implement. Thanks! |
App specific whitelisting doesn't work for me with deis 2.5.0 unless I specify 0.0.0.0/0
Using my ip or CIDR including /32, /24, /16 doesn't work.
I went back to another cluster running 2.4.2, and it looks like the problem is also there deis-router level whitelist with 2.4.2.
router level whitelisting was working in 2.1, so maybe this is a regression?
Chatted about it with @kmala in Slack. Channel is a bit busy right now, so thought to open an issue to track.
The text was updated successfully, but these errors were encountered: