AWS EC2 provisioner opening port 2376 on existing security group open to 0.0.0.0/0 #24337
Comments
Able to reproduce this on
Result:
2376 is the Docker port, and is required for Rancher to be able to talk to the host.
@sowmyav27 I am aware of the requirements. I believe when a custom/existing group is used, it should not be modified in any way. The owner takes the responsibility at this point to ensure all the setup is done right as per https://rancher.com/docs/rancher/v2.x/en/installation/references/. As it stands right now, the EC2 provisioner is compromising the security of my setup. On the side, opening the Docker port 2376 to the whole world raises a red flag in my head. I am looking forward to hearing back. Thanks!
Currently docker machine provides an option not to modify the security group (docker/machine#4490). It would be great if rancher provides the option also.
Having the same issues on our RKE / EC2 clusters. How do we make it stop modifying custom groups on changes? v2.4.5, FYI.
This issue still exists. When working with Terraform + Rancher it would be ideal if Rancher doesn't mess up the security groups. I tried removing Rancher's permission to add rules, but then everything fails; it won't add machines if it can't add rules, even though they already exist. Also, if you assign more than one SG, it will add the same rules everywhere.
Can leverage this flag: https://github.com/docker/machine/blob/master/drivers/amazonec2/amazonec2.go#L167. Still need to investigate the design options (UI requirements?)
I was able to reproduce this on rancher:v2.3.3 and rancher:v2.5.4. Create a cluster using the AWS EC2 provisioner and select an existing security group while creating the node template (all open). Check whether inbound rules for TCP 2376 and TCP 22 with source 0.0.0.0/0 already exist; if so, remove them. Then provision the cluster. Result: inbound rules for TCP 2376 and TCP 22 with source 0.0.0.0/0 are added.
Inbound rules that are added to an existing security group:
Both of these rules are created for Node management purposes. If we made changes to prevent these rules from being added to security groups, it would result in node provisioning operations failing, unless the existing security group already specified these required rules. For this reason, instead of removing the logic to add these, we should instead warn users they will be added to their existing security group via the UI. For EC2 Node Templates, under section
Hello Rancher Dev Team, I would appreciate it if this issue was prioritised instead of removed from every milestone since it affected our security score. Having security groups allowing ports from anywhere is not the best practice.
Hey @cloudnautique do you want to have a design meeting regarding this specific issue? I know that @ryansann did some research and determined that it was designed to be set up this way, so we don't necessarily want to make any changes without consulting the original intent.
Design discussion about this issue happened and we are going to stop Rancher from opening ports 22/2376 on user-provided security groups. The fix is likely to move this code under the
Root cause
Rancher machine would try to check (in a very unsophisticated way) if ports 22 and 2376 were open on the security group before updating the security group to open them. Because this check was very simple, it led to those ports nearly always being opened.
What was fixed, or what changes have occurred
Now, rancher-machine will only open these ports if the user is using the rancher-node security group.
Areas or cases that should be tested
What areas could experience regressions?
If a user provides a security group that does not allow ports 22 or 2376, then provisioning will fail. This is expected and documentation is being added to cover this new behavior.
Are the repro steps accurate/minimal?
Yes.
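The reproduction above checks by hand whether the inbound rules for TCP 22 and TCP 2376 from 0.0.0.0/0 exist before and after provisioning, and the fix description notes the new failure mode (a user-supplied group that lacks those ports makes provisioning fail). The following script is an added example for this thread, not Rancher or rancher-machine code: it audits the JSON shape returned by `aws ec2 describe-security-groups` and reports, for each group, whether the two ports are reachable and whether they are open to the world. The sample document, group IDs and names in it are constructed.

```python
"""Audit EC2 security groups for the two inbound rules the Rancher EC2
provisioner cares about (TCP 22 and TCP 2376).

Added example for this issue thread; not Rancher or rancher-machine code.
Input is the JSON printed by `aws ec2 describe-security-groups`
(SecurityGroups -> IpPermissions -> IpRanges / Ipv6Ranges).
"""
import ipaddress
import json
import sys

# Ports Rancher needs to reach on a node, per the thread: SSH and the Docker TLS port.
REQUIRED_TCP_PORTS = {22: "ssh", 2376: "docker-tls"}

# Constructed sample (hypothetical group IDs and names):
#  - sg-0000example1: both ports world-open, what the thread observed after provisioning
#  - sg-0000example2: a range rule 22-2376 limited to a VPC CIDR, satisfies the requirement
#  - sg-0000example3: no rule covering 2376, the post-fix "provisioning will fail" case
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0000example1", "GroupName": "rancher-node-example",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 2376, "ToPort": 2376,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0000example2", "GroupName": "custom-locked-down",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 2376,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0000example3", "GroupName": "missing-docker-port",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    ]
})


def _rule_covers_port(perm, port):
    """True if an IpPermission entry admits TCP traffic to `port`.
    IpProtocol "-1" means all protocols and all ports."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def _sources(perm):
    """All IPv4 and IPv6 CIDR sources of one IpPermission entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _is_world(cidr):
    """A /0 prefix (0.0.0.0/0 or ::/0) admits every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_group(group):
    """Per required port: which sources may reach it, and whether any is world-open."""
    report = {}
    for port in REQUIRED_TCP_PORTS:
        sources = []
        for perm in group.get("IpPermissions", []):
            if _rule_covers_port(perm, port):
                sources.extend(_sources(perm))
        report[port] = {
            "allowed_from": sources,
            "reachable": bool(sources),
            "world_open": any(_is_world(c) for c in sources),
        }
    return report


def audit(describe_json):
    """Map GroupId -> audit_group() result for every group in the document."""
    return {g["GroupId"]: audit_group(g)
            for g in json.loads(describe_json)["SecurityGroups"]}


def findings(describe_json):
    """One line per problem: world-open rules (the complaint in this issue) and
    missing rules (what makes provisioning fail once Rancher stops adding them)."""
    out = []
    for gid, per_port in audit(describe_json).items():
        for port, r in per_port.items():
            name = REQUIRED_TCP_PORTS[port]
            if r["world_open"]:
                out.append(f"{gid}: tcp/{port} ({name}) open to the world")
            elif not r["reachable"]:
                out.append(f"{gid}: tcp/{port} ({name}) has no inbound rule; provisioning will fail")
    return out


if __name__ == "__main__":
    # Pipe real `aws ec2 describe-security-groups` output on stdin, else use the sample.
    doc = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for line in findings(doc) or ["no findings"]:
        print(line)
```

Run it before and after provisioning against the group you selected in the node template; a group that shows up as world-open on 22 or 2376 after a provisioning run is the behaviour this issue describes, and a group with "no inbound rule" for either port is the one the fix description says will now fail to provision.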
Hi!
Steps
Create cluster using the AWS EC2 provisioner, select an existing security group.
Result
Existing security group is modified: inbound rules for TCP 2376 and TCP 22 with source 0.0.0.0/0 are added!
Expected
Existing security group is not modified.
Using Rancher 2.3.3.
gz#12865
gz#15820
SURE-2505, SURE-2860, SURE-3771