Merge pull request #276 from MattiasGees/198-admin-cidr

simonswine · web-flow · commit dccb1b7821e5 · 2018-06-14T14:17:03.000+01:00
Secure endpoints to only allow certain cidr blocks
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
@@ -65,6 +65,7 @@ Jenkins
 prepended
 username
 loopback
+CIDR
 addons
 autoscaler
 prometheus
diff --git a/docs/user-guide.rst b/docs/user-guide.rst
@@ -413,6 +413,67 @@ configuration like that:
       enabled: true
       externalScrapeTargetsOnly: true
 
+Secure public endpoints
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Public endpoints (Jenkins, bastion host and if enabled apiserver) can be secured
+by limiting the access to a list of CIDR blocks. This can be configured on a
+environment level for all public endpoint and if wanted can be overwritten on a
+specific public endpoint.
+
+Environment level
++++++++++++++++++
+
+This can be done by adding an ``adminCIDRs`` list to an environments block,
+if nothing has been set, the default is 0.0.0.0/0:
+
+.. code-block:: yaml
+
+    environments:
+    - contact: hello@example.com
+      location: eu-west-1
+      metadata:
+        name: example
+      privateZone: example.local
+      project: example-project
+      provider: aws
+      adminCIDRs:
+      - x.x.x.x/32
+      - y.y.y.y/24
+
+Jenkins and bastion host
+++++++++++++++++++++++++
+
+The environment level can be overwritten for Jenkins and bastion host
+by adding ``allowCIDRs`` in the instance pool block:
+
+.. code-block:: yaml
+
+  instancePools:
+  - image: centos-puppet-agent
+    allowCIDRs:
+    - x.x.x.x/32
+    maxCount: 1
+    metadata:
+      name: jenkins
+    minCount: 1
+    size: large
+    type: jenkins
+
+
+API Server
+++++++++++
+
+For API server you can overwrite the environment level by adding ``allowCIDRs``
+to the kubernetes block
+
+.. code-block:: yaml
+
+  kubernetes:
+    apiServer:
+        public: true
+        allowCIDRs:
+        - y.y.y.y/24
 
 Additional IAM policies
 ~~~~~~~~~~~~~~~~~~~~~~~
@@ -459,4 +520,4 @@ It is possible to add extra policies to only a specific instance pool.
       zone: eu-west-1b
     - metadata:
       zone: eu-west-1c
-    type: worker
+    type: worker
diff --git a/pkg/apis/cluster/v1alpha1/cluster.go b/pkg/apis/cluster/v1alpha1/cluster.go
@@ -103,7 +103,8 @@ type ClusterKubernetesDashboard struct {
 
 type ClusterKubernetesAPIServer struct {
 	// expose the API server through a public load balancer
-	Public bool `json:"public,omitempty"`
+	Public     bool     `json:"public,omitempty"`
+	AllowCIDRs []string `json:"allowCIDRs,omitempty"`
 
 	// OIDC
 	OIDC *ClusterKubernetesAPIServerOIDC `json:"oidc,omitempty"`
diff --git a/pkg/apis/cluster/v1alpha1/instancepool.go b/pkg/apis/cluster/v1alpha1/instancepool.go
@@ -55,6 +55,7 @@ type InstancePool struct {
 	Firewalls         []*Firewall             `json:"firewalls,omitempty"`
 	Volumes           []Volume                `json:"volumes,omitempty"`
 	Kubernetes        *InstancePoolKubernetes `json:"kubernetes,omitempty"`
+	AllowCIDRs        []string                `json:"allowCIDRs,omitempty"`
 
 	// Amazon specific settings for that instance pool
 	Amazon *InstancePoolAmazon `json:"amazon,omitempty"`
diff --git a/pkg/apis/tarmak/v1alpha1/defaults.go b/pkg/apis/tarmak/v1alpha1/defaults.go
@@ -24,6 +24,10 @@ func SetDefaults_Environment(obj *Environment) {
 	if obj.PrivateZone == "" {
 		obj.PrivateZone = "tarmak.local"
 	}
+
+	if obj.AdminCIDRs == nil {
+		obj.AdminCIDRs = append(obj.AdminCIDRs, "0.0.0.0/0")
+	}
 }
 
 func SetDefaults_Config(obj *Config) {
diff --git a/pkg/apis/tarmak/v1alpha1/types.go b/pkg/apis/tarmak/v1alpha1/types.go
@@ -90,6 +90,7 @@ type Environment struct {
 	Location    string               `json:"location,omitempty"`
 	SSH         *clusterv1alpha1.SSH `json:"ssh,omitempty"`
 	PrivateZone string               `json:"privateZone,omitempty"`
+	AdminCIDRs  []string             `json:"adminCIDRs,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/pkg/tarmak/cluster/cluster.go b/pkg/tarmak/cluster/cluster.go
@@ -147,8 +147,13 @@ func validateClusterTypes(poolMap map[string][]*clusterv1alpha1.InstancePool, cl
 
 // validate server pools
 func (c *Cluster) validateInstancePools() (result error) {
-	return nil
-	//return fmt.Errorf("refactore me!")
+	for _, instancePool := range c.InstancePools() {
+		err := instancePool.Validate()
+		if err != nil {
+			result = multierror.Append(result, err)
+		}
+	}
+	return result
 }
 
 // Verify cluster
@@ -189,6 +194,15 @@ func (c *Cluster) Validate() (result error) {
 		result = multierror.Append(result, err)
 	}
 
+	//validate apiserver
+	if k := c.Config().Kubernetes; k != nil {
+		if apiServer := k.APIServer; apiServer != nil {
+			if err := c.validateAPIServer(); err != nil {
+				result = multierror.Append(result, err)
+			}
+		}
+	}
+
 	return result
 }
 
@@ -235,6 +249,18 @@ func (c *Cluster) validateLoggingSinks() (result error) {
 	return nil
 }
 
+// Validate APIServer
+func (c *Cluster) validateAPIServer() (result error) {
+	for _, cidr := range c.Config().Kubernetes.APIServer.AllowCIDRs {
+		_, _, err := net.ParseCIDR(cidr)
+		if err != nil {
+			result = multierror.Append(result, fmt.Errorf("%s is not a valid CIDR format", cidr))
+		}
+	}
+
+	return result
+}
+
 // Determine if this Cluster is a cluster or hub, single or multi environment
 func (c *Cluster) Type() string {
 	if c.conf.Type != "" {
@@ -392,6 +418,11 @@ func (c *Cluster) Variables() map[string]interface{} {
 		if ok {
 			output[fmt.Sprintf("%s_ami", instancePool.TFName())] = ids
 		}
+		if instancePool.Config().AllowCIDRs != nil {
+			output[fmt.Sprintf("%s_admin_cidrs", instancePool.TFName())] = instancePool.Config().AllowCIDRs
+		} else {
+			output[fmt.Sprintf("%s_admin_cidrs", instancePool.TFName())] = c.environment.Config().AdminCIDRs
+		}
 		output[fmt.Sprintf("%s_min_instance_count", instancePool.TFName())] = instancePool.Config().MinCount
 		output[fmt.Sprintf("%s_max_instance_count", instancePool.TFName())] = instancePool.Config().MaxCount
 	}
@@ -426,6 +457,17 @@ func (c *Cluster) Variables() map[string]interface{} {
 		}
 	}
 
+	// Get Apiserver valid admin cidrs
+	if k := c.Config().Kubernetes; k != nil {
+		if apiServer := k.APIServer; apiServer != nil && apiServer.AllowCIDRs != nil {
+			output["api_admin_cidrs"] = apiServer.AllowCIDRs
+		} else {
+			output["api_admin_cidrs"] = c.environment.Config().AdminCIDRs
+		}
+	} else {
+		output["api_admin_cidrs"] = c.environment.Config().AdminCIDRs
+	}
+
 	// publish changed private zone
 	if privateZone := c.Environment().Config().PrivateZone; privateZone != "" {
 		output["private_zone"] = privateZone
diff --git a/pkg/tarmak/environment/environment.go b/pkg/tarmak/environment/environment.go
@@ -17,6 +17,8 @@ import (
 	"golang.org/x/crypto/ssh"
 	"k8s.io/client-go/rest"
 
+	"net"
+
 	clusterv1alpha1 "github.com/jetstack/tarmak/pkg/apis/cluster/v1alpha1"
 	tarmakv1alpha1 "github.com/jetstack/tarmak/pkg/apis/tarmak/v1alpha1"
 	"github.com/jetstack/tarmak/pkg/tarmak/cluster"
@@ -275,14 +277,27 @@ func (e *Environment) Log() *logrus.Entry {
 	return e.log
 }
 
-func (e *Environment) Validate() error {
-	var result error
+func (e *Environment) Validate() (result error) {
 
-	err := e.Provider().Validate()
-	if err != nil {
+	if err := e.Provider().Validate(); err != nil {
 		result = multierror.Append(result, err)
 	}
 
+	if err := e.ValidateAdminCIDRs(); err != nil {
+		result = multierror.Append(result, err)
+	}
+
+	return result
+}
+
+func (e *Environment) ValidateAdminCIDRs() (result error) {
+	for _, cidr := range e.Config().AdminCIDRs {
+		_, _, err := net.ParseCIDR(cidr)
+		if err != nil {
+			result = multierror.Append(result, fmt.Errorf("%s is not a valid CIDR format", cidr))
+		}
+	}
+
 	return result
 }
 
diff --git a/pkg/tarmak/instance_pool/instance_pool.go b/pkg/tarmak/instance_pool/instance_pool.go
@@ -14,6 +14,7 @@ import (
 	"github.com/jetstack/tarmak/pkg/tarmak/interfaces"
 	"github.com/jetstack/tarmak/pkg/tarmak/role"
 	"github.com/jetstack/tarmak/pkg/tarmak/utils"
+	"net"
 )
 
 var _ interfaces.InstancePool = &InstancePool{}
@@ -185,3 +186,18 @@ func (n *InstancePool) AmazonAdditionalIAMPolicies() string {
 
 	return fmt.Sprintf("[%s]", strings.Join(policies, ","))
 }
+
+func (n *InstancePool) Validate() (result error) {
+	return n.ValidateAllowCIDRs()
+}
+
+func (e *InstancePool) ValidateAllowCIDRs() (result error) {
+	for _, cidr := range e.Config().AllowCIDRs {
+		_, _, err := net.ParseCIDR(cidr)
+		if err != nil {
+			result = multierror.Append(result, fmt.Errorf("%s is not a valid CIDR format", cidr))
+		}
+	}
+
+	return result
+}
diff --git a/pkg/tarmak/interfaces/interfaces.go b/pkg/tarmak/interfaces/interfaces.go
@@ -248,6 +248,7 @@ type InstancePool interface {
 	Role() *role.Role
 	Volumes() []Volume
 	Zones() []string
+	Validate() error
 	MinCount() int
 	MaxCount() int
 }
diff --git a/terraform/amazon/modules/bastion/bastion.tf b/terraform/amazon/modules/bastion/bastion.tf
@@ -67,7 +67,7 @@ resource "aws_security_group_rule" "ingress_allow_ssh_all" {
   protocol          = "tcp"
   from_port         = 22
   to_port           = 22
-  cidr_blocks       = ["${var.admin_ips}"]
+  cidr_blocks       = ["${var.bastion_admin_cidrs}"]
   security_group_id = "${aws_security_group.bastion.0.id}"
 }
 
diff --git a/terraform/amazon/modules/bastion/inputs.tf b/terraform/amazon/modules/bastion/inputs.tf
@@ -16,7 +16,7 @@ variable "public_subnet_ids" {
 variable "key_name" {}
 variable "bastion_root_size" {}
 # TODO: restrict to admin IPs
-variable "admin_ips" {
+variable "bastion_admin_cidrs" {
   type    = "list"
 }
 # data.terraform_remote_state.state.public_zone_id
diff --git a/terraform/amazon/modules/jenkins/inputs.tf b/terraform/amazon/modules/jenkins/inputs.tf
@@ -30,9 +30,6 @@ variable "jenkins_ebs_size" {}
 
 variable "certificate_arn" {}
 
-variable "admin_ips" {
-  type = "list"
-}
 
 variable "public_zone_id" {}
 
@@ -43,3 +40,7 @@ variable "name" {}
 variable "availability_zones" {
   type = "list"
 }
+
+variable "jenkins_admin_cidrs" {
+  type = "list"
+}
diff --git a/terraform/amazon/modules/kubernetes/inputs.tf b/terraform/amazon/modules/kubernetes/inputs.tf
@@ -56,6 +56,10 @@ variable "availability_zones" {
   type = "list"
 }
 
+variable "api_admin_cidrs" {
+  type = "list"
+}
+
 variable "vpc_id" {}
 
 variable "private_zone_id" {}
diff --git a/terraform/amazon/templates/inputs.tf.template b/terraform/amazon/templates/inputs.tf.template
@@ -94,11 +94,13 @@ variable "jenkins_ebs_size" {
 variable "jenkins_certificate_arn" {
   default = ""
 }
+variable "jenkins_admin_cidrs" {
+  type    = "list"
+}
 {{ end -}}
-# TODO: restrict to admin IPs
-variable "admin_ips" {
+
+variable "bastion_admin_cidrs" {
   type    = "list"
-  default = ["0.0.0.0/0"]
 }
 
 # vault
@@ -128,6 +130,9 @@ variable "bucket_prefix" {}
 variable "kubernetes_master_ami" {}
 variable "kubernetes_worker_ami" {}
 variable "kubernetes_etcd_ami" {}
+variable "api_admin_cidrs" {
+    type = "list"
+}
 variable "tools_cluster_name" {
   default = "hub"
 }
diff --git a/terraform/amazon/templates/instance_pools/role_security_group.tf.template b/terraform/amazon/templates/instance_pools/role_security_group.tf.template
@@ -56,7 +56,7 @@ resource "aws_security_group_rule" "{{.TFName}}_elb_public_ingress_allow_all_api
   protocol          = "tcp"
   from_port         = 443
   to_port           = 443
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["${var.api_admin_cidrs}"]
   security_group_id = "${aws_security_group.{{.TFName}}_elb_public.id}"
 }
 {{ end -}}
diff --git a/terraform/amazon/templates/jenkins_elb.tf.template b/terraform/amazon/templates/jenkins_elb.tf.template
@@ -26,7 +26,7 @@ resource "aws_security_group_rule" "jenkins_elb_ingress_allow_admins" {
   from_port         = 80
   to_port           = 80
 {{ end }}
-  cidr_blocks       = ["${var.admin_ips}"]
+  cidr_blocks       = ["${var.jenkins_admin_cidrs}"]
   security_group_id = "${aws_security_group.jenkins_elb.id}"
 }
 
diff --git a/terraform/amazon/templates/modules.tf.template b/terraform/amazon/templates/modules.tf.template

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,10 @@ func SetDefaults_Environment(obj *Environment) {`
`24`	`24`	`if obj.PrivateZone == "" {`
`25`	`25`	`obj.PrivateZone = "tarmak.local"`
`26`	`26`	`}`
	`27`	`+`
	`28`	`+ if obj.AdminCIDRs == nil {`
	`29`	`+ obj.AdminCIDRs = append(obj.AdminCIDRs, "0.0.0.0/0")`
	`30`	`+ }`
`27`	`31`	`}`
`28`	`32`
`29`	`33`	`func SetDefaults_Config(obj *Config) {`
Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,7 @@ type Environment struct {`
`90`	`90`	Location string `json:"location,omitempty"`
`91`	`91`	SSH *clusterv1alpha1.SSH `json:"ssh,omitempty"`
`92`	`92`	PrivateZone string `json:"privateZone,omitempty"`
	`93`	+ AdminCIDRs []string `json:"adminCIDRs,omitempty"`
`93`	`94`	`}`
`94`	`95`
`95`	`96`	`// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object`
Original file line number	Diff line number	Diff line change
`@@ -248,6 +248,7 @@ type InstancePool interface {`
`248`	`248`	`Role() *role.Role`
`249`	`249`	`Volumes() []Volume`
`250`	`250`	`Zones() []string`
	`251`	`+ Validate() error`
`251`	`252`	`MinCount() int`
`252`	`253`	`MaxCount() int`
`253`	`254`	`}`