Giter VIP home page Giter VIP logo

Comments (4)

janwillies avatar janwillies commented on June 27, 2024

This feature would be helpful for enterprise adoption

from pulumi-eks.

Josh-Tilles avatar Josh-Tilles commented on June 27, 2024

Something to consider when implementing this: it would be great if the library accounted for ensuring that the machine that it’s running on has access to the cluster API, probably via an additional extra security group rule or assertion. (See https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)

from pulumi-eks.

lukehoban avatar lukehoban commented on June 27, 2024

Something to consider when implementing this: it would be great if the library accounted for ensuring that the machine that it’s running on has access to the cluster API, probably via an additional extra security group rule or assertion. (See https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)

This is a great point. If public=false,private=true then the @pulumi/kuberentes API calls we make will not succeed by default. The two options I can think of are:

  1. Automatically add a SG ingress rule targetting the IP of the current machine (potentially NATed?)
  2. Ensure that users can provide a custom Cluster security group so that they can configure ingress with the CIDR blocks, IPs or other SGs they want to have access (and document that deployments will only be possible if done from an IP within one of these).

(2) would require some slightly non-trivial manual configuration - but should otherwise be reliable.

(1) is "automatic" but doesn't feel reliable - for one its subtly defeating security best-practices by default. But then also if deployments happen from different IPs (even different IPs within a single CI system), there will be unexpected churn in the deployment.

I think I'll solve for (2) for now, and we could explore (1) or some variant of it as an ease-of-use addon in the future if really needed (though I suspect that ease-of-use will not be aligned with private-only endpoint access :-)).

Thoughts?

from pulumi-eks.

metral avatar metral commented on June 27, 2024

I agree that option 2 is the best path forward.

I've added some comments in #154 (comment).

from pulumi-eks.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    πŸ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. πŸ“ŠπŸ“ˆπŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❀️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.