Add NSG exceptional rules for the K8s master SSH service (#46)
* Add Jenkins IP to ACS NSG exception list * Allow public access to K8s master SSH service * Update comments and remove NSG settings specific to Jenkins * Update README
Родитель
f074255964
Коммит
f6984008ea
10
README.md
10
README.md
|
@ -93,6 +93,16 @@ In this basic layout, the following design decisions have been implemented:
|
|||
|
||||
**NOTE**: You can use either a subscription name or id when specifying which subscription to use; to obtain a list of your subscriptions, type `az account list`.
|
||||
|
||||
1. **For Microsoft developers**, we have network security group rules applied to the resources
|
||||
in the development subscriptions which restrict the network access from the internal CORP network.
|
||||
This blocks the SSH communications between the VM's provisioned in this project.
|
||||
|
||||
To workaround this, set the environment variable `MS_CORP` before you start the provision process:
|
||||
|
||||
```shell
|
||||
export MS_CORP=1
|
||||
```
|
||||
|
||||
1. Build an initial layout on Azure using an ARM template from using one of the following methods:
|
||||
|
||||
```shell
|
||||
|
|
|
@ -474,6 +474,41 @@ function deploy_jenkins()
|
|||
check_jenkins_readiness
|
||||
}
|
||||
|
||||
##############################################################################
|
||||
# Add network security group rule to allow the given IP to access the ACS
|
||||
# master SSH service.
|
||||
# Globals:
|
||||
# None
|
||||
# Arguments:
|
||||
# source_ip
|
||||
# resource_group
|
||||
# Returns:
|
||||
# None
|
||||
##############################################################################
|
||||
function allow_acs_nsg_access()
|
||||
{
|
||||
local source_ip=$1
|
||||
local resource_group=$2
|
||||
|
||||
local nsgs=($(az network nsg list --resource-group "$resource_group" --query '[].name' --output tsv | grep -e "^k8s-master-"))
|
||||
local port_range=22
|
||||
if [ "$source_ip" = Internet ]; then
|
||||
# web job deletes the rule if the port is set to 22 for wildcard internet access
|
||||
port_range="21-23"
|
||||
fi
|
||||
for nsg in "${nsgs[@]}"; do
|
||||
local name="allow_$source_ip"
|
||||
# used a fixed priority here
|
||||
local max_priority="$(az network nsg rule list -g "$resource_group" --nsg-name "$nsg" --query '[].priority' --output tsv | sort -n | tail -n1)"
|
||||
local priority="$(expr "$max_priority" + 50)"
|
||||
log_info "Add allow $source_ip rules to NSG $nsg in resource group $resource_group, with priority $priority"
|
||||
az network nsg rule create --priority "$priority" --destination-port-ranges "$port_range" --resource-group "$resource_group" \
|
||||
--nsg-name "$nsg" --name "$name" --source-address-prefixes "$source_ip"
|
||||
#az network nsg rule create --priority "$priority" --destination-port-ranges 22 --resource-group "$resource_group" \
|
||||
# --nsg-name "$nsg" --name "$name" --source-address-prefixes "$source_ip"
|
||||
done
|
||||
}
|
||||
|
||||
##############################################################################
|
||||
# Create secrets in Kubernetes for Jenkins
|
||||
# Globals:
|
||||
|
|
|
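Review bot: The `Internet` branch at `port_range="21-23"` deliberately widens every `k8s-master-*` NSG to ports 21-23 from any source address, and because the `az network nsg rule create` line passes no `--protocol` the rule defaults to all protocols (`*`), so the control that removes wildcard port-22 rules is being sidestepped rather than satisfied; at minimum add `--protocol Tcp`, and prefer the narrowest `--source-address-prefixes` that meets the need (the Jenkins VM's public IP, or the `VirtualNetwork` service tag) over `Internet`. The priority computation is also fragile: `expr "$max_priority" + 50` errors when the NSG has no custom rules (empty `max_priority`), and adding 50 to the current maximum on every run eventually exceeds the NSG priority ceiling of 4096, so use `local priority=$(( ${max_priority:-100} + 50 ))` and refuse values above 4096. `local nsgs=($(az ...))` masks a failed `az` call (the function then silently does nothing) and relies on word-splitting; `mapfile -t nsgs < <(az network nsg list ... | grep -e "^k8s-master-")` followed by a non-empty check makes the failure visible. The comment `# used a fixed priority here` contradicts the computed value on the next line and should read `# priority = highest existing rule priority + 50`, and the commented-out `az` call at the end of the loop is dead code that should be dropped.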
@ -64,6 +64,17 @@ wait_till_kubernetes_created ${w_eu_group} ${ACS_NAME}
|
|||
wait_till_kubernetes_created ${jenkins_group} ${ACS_NAME}
|
||||
[[ $? -ne 0 ]] && return 1
|
||||
|
||||
if [[ -n "$MS_CORP" ]]; then
|
||||
# For MS developers, all the VM provisioned will be applied with NSG rules to allow
|
||||
# access only from internal CORP network. This will block the access between the
|
||||
# VMs provisioned for the project, so Jenkins slaves will not be able to access
|
||||
# the ACS master node through SSH port.
|
||||
# This is a fix to this problem.
|
||||
allow_acs_nsg_access "Internet" "${e_us_group}"
|
||||
allow_acs_nsg_access "Internet" "${w_eu_group}"
|
||||
allow_acs_nsg_access "Internet" "${jenkins_group}"
|
||||
fi
|
||||
|
||||
wait_till_deployment_created ${c_group} master
|
||||
[[ $? -ne 0 ]] && return 1
|
||||
|
||||
|
|
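Review bot: The three `allow_acs_nsg_access "Internet" ...` calls open the master SSH port to every source address, while the comment directly above them states the need is only for Jenkins slaves to reach the ACS master, so the source prefix is far broader than the stated requirement; pass the Jenkins VM's public IP (or the `VirtualNetwork` service tag, if the slaves share the VNet) instead of `Internet`. The return status of the calls is also unchecked, unlike the `[[ $? -ne 0 ]] && return 1` guards around them, so a failed `az` invocation leaves the deployment continuing without the rule; write `allow_acs_nsg_access "Internet" "${e_us_group}" || return 1` for each call. The comment block could further state that the rule is added to every `k8s-master-*` NSG in the given resource group, since that is not visible at the call site. The enclosing function starts and ends outside the hunk.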