security: convert NodePort to ClusterIP for better isolation

On some providers (notably: DigitalOcean) NodePort services are not exposed to the outside world. But this is not what the Kubernetes spec describes: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types Thus, there is a risk that NodePort services are exposed to the outside world in some context. To avoid this, we convert all NodePort to ClusterIP resources.
overhangio · Nov 29, 2021 · 87b67cb · 87b67cb
1 parent 5604cd4
commit 87b67cb
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,8 @@
 Note: Breaking changes between versions are indicated by "💥".
 
 ## Unreleased
+
+- [Security] On Kubernetes, convert all NodePort services to ClusterIP to guarantee network isolation from outside the cluster.
 - [Bugfix] Remove trailing slashes in docker-compose files for [compatibility with docker-compose v2 in WSL](https://github.com/docker/compose/issues/8558).
 - [Improvement] `settheme` now works with preview domain.
 

diff --git a/tutor/templates/k8s/services.yml b/tutor/templates/k8s/services.yml
@@ -21,7 +21,7 @@ kind: Service
 metadata:
   name: cms
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 8000
       protocol: TCP
@@ -35,7 +35,7 @@ kind: Service
 metadata:
   name: forum
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 4567
       protocol: TCP
@@ -49,7 +49,7 @@ kind: Service
 metadata:
   name: lms
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 8000
       protocol: TCP
@@ -63,7 +63,7 @@ kind: Service
 metadata:
   name: elasticsearch
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 9200
       protocol: TCP
@@ -77,7 +77,7 @@ kind: Service
 metadata:
   name: mongodb
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 27017
       protocol: TCP
@@ -91,7 +91,7 @@ kind: Service
 metadata:
   name: mysql
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 3306
       protocol: TCP
@@ -104,7 +104,7 @@ kind: Service
 metadata:
   name: nginx
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 80
       name: http
@@ -117,7 +117,7 @@ kind: Service
 metadata:
   name: redis
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: {{ REDIS_PORT }}
       protocol: TCP
@@ -131,11 +131,11 @@ kind: Service
 metadata:
   name: smtp
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 25
       protocol: TCP
   selector:
     app.kubernetes.io/name: smtp
 {% endif %}
-{{ patch("k8s-services") }}
+{{ patch("k8s-services") }}