Add NSG exceptional rules for the K8s master SSH service (#46)

* Add Jenkins IP to ACS NSG exception list * Allow public access to K8s master SSH service * Update comments and remove nsg setttings specific to Jenkins * Update README
2017-11-20 11:27:30 +08:00 · 2017-11-20 11:27:30 +08:00 · f6984008ea
--- a/README.md
+++ b/README.md
@ -93,6 +93,16 @@ In this basic layout, the following design decisions have been implemented:

   **NOTE**: You can use either a subscription name or id when specifying which subscription to use; to obtain a list of your subscriptions, type `az account list`.

+1. **For Microsoft developers**, we have network security group rules applied to the resources
+   in the development subscriptions which restrict the network access from the internal CORP network. 
+   This blocks the SSH communications between the VM's provisioned in this project.
+
+   To workaround this, set the environment variable `MS_CORP` before you start the provision process:
+
+   ```shell
+   export MS_CORP=1
+   ```
+
 1. Build an initial layout on Azure using an ARM template from using one of the following methods:

   ```shell
--- a/deployment/lib.sh
+++ b/deployment/lib.sh
@ -474,6 +474,41 @@ function deploy_jenkins()
  check_jenkins_readiness
 }

+##############################################################################
+# Add network security group rule to allow the given IP to access the ACS
+# master SSH service.
+# Globals:
+#   None
+# Arguments:
+#   source_ip
+#   resource_group
+# Returns:
+#   None
+##############################################################################
+function allow_acs_nsg_access()
+{
+  local source_ip=$1
+  local resource_group=$2
+
+  local nsgs=($(az network nsg list --resource-group "$resource_group" --query '[].name' --output tsv | grep -e "^k8s-master-"))
+  local port_range=22
+  if [ "$source_ip" = Internet ]; then
+    # web job deletes the rule if the port is set to 22 for wildcard internet access
+    port_range="21-23"
+  fi
+  for nsg in "${nsgs[@]}"; do
+    local name="allow_$source_ip"
+    # used a fixed priority here
+    local max_priority="$(az network nsg rule list -g "$resource_group" --nsg-name "$nsg" --query '[].priority' --output tsv | sort -n | tail -n1)"
+    local priority="$(expr "$max_priority" + 50)"
+    log_info "Add allow $source_ip rules to NSG $nsg in resource group $resource_group, with priority $priority"
+    az network nsg rule create --priority "$priority" --destination-port-ranges "$port_range" --resource-group "$resource_group" \
+        --nsg-name "$nsg" --name "$name" --source-address-prefixes "$source_ip"
+    #az network nsg rule create --priority "$priority" --destination-port-ranges 22 --resource-group "$resource_group" \
+    #    --nsg-name "$nsg" --name "$name" --source-address-prefixes "$source_ip"
+  done
+}
+
 ##############################################################################
 # Create secrets in Kubernetes for Jenkins
 # Globals:
--- a/deployment/provision.sh
+++ b/deployment/provision.sh
@ -64,6 +64,17 @@ wait_till_kubernetes_created ${w_eu_group} ${ACS_NAME}
 wait_till_kubernetes_created ${jenkins_group} ${ACS_NAME}
 [[ $? -ne 0 ]] && return 1

+if [[ -n "$MS_CORP" ]]; then
+  # For MS developers, all the VM provisioned will be applied with NSG rules to allow
+  # access only from internal CORP network. This will block the access between the
+  # VMs provisioned for the project, so Jenkins slaves will not be able to access
+  # the ACS master node through SSH port.
+  # This is a fix to this problem.
+  allow_acs_nsg_access "Internet" "${e_us_group}"
+  allow_acs_nsg_access "Internet" "${w_eu_group}"
+  allow_acs_nsg_access "Internet" "${jenkins_group}"
+fi
+
 wait_till_deployment_created ${c_group} master
 [[ $? -ne 0 ]] && return 1