Use separate security group for the API ELB

Question

Use separate security group for the API ELB

nhlfr opened this issue 7 years ago · comments

Currently the API ELB is in the masters security group. Moving it to a separate security group means only the API ELB needs to be 0.0.0.0/0

This is part of the security changes but can be implemented before we restrict the port access.

xh3b4sd · Answer 1 · Wed Sep 13 2017 01:04:07 GMT+0800 (China Standard Time)

@rossf7 can you shed some light on this? Is this still valid?

Ross Fairbanks · Answer 2 · Wed Sep 13 2017 01:20:13 GMT+0800 (China Standard Time)

Yes, I think we still need this. This means only the API ELB needs to be 0.0.0.0/0 and we restrict the master node to connections from the ELB and workers sec groups.

Ping @teemow is this part of guest cluster lockdown?

Timo Derstappen · Answer 3 · Wed Sep 13 2017 15:06:27 GMT+0800 (China Standard Time)

yes this is part of https://github.com/giantswarm/giantswarm/issues/1803

xh3b4sd · Answer 4 · Wed Sep 13 2017 15:44:26 GMT+0800 (China Standard Time)

Then lets close this one here.