Simplify security group management based on configure files - johnzheng1975/devops_way GitHub Wiki
There are many security groups on AWS, and their rules change frequently as customers' requirements change. This is tedious work for DevOps, and manual management is error-prone: it is easy to mistype an address, or to forget to remove a rule once it is no longer needed.
The approach here is to keep a conf file in GitHub and have a cron job update the related security groups as soon as the conf file changes.
$ cat frequentChangingConf.csv
who,ip
Simon home,101.88.2.90
Mike home,112.64.3.232
Jack home,101.86.4.233
$ ls
handle_sg.py frequentChangingConf.csv runHandle.sh
#crontab -e
# m h dom mon dow command
* * * * * /../runHandle.sh >> /root/runHanleAndCommit.log
Refer to the code under: <... ...>
The code is not complex. The key point of this solution is that load balancers created by Kubernetes (both classic and application load balancers) manage their own security groups, and they automatically roll back any rule changes you make by hand. This needs to be handled, which is why the frequently changing rules live in a separate security group that Kubernetes does not own.
For instance, for ec2_bastion, attach two security groups:
- connect_to_Bastion: used for the general, stable rules
- connect_to_bastion_extra: used for the frequently changing rules driven by the conf file
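As an added example (not the wiki's handle_sg.py, whose code is elided above), this is how the conf-driven reconciliation can look in Python with boto3. It assumes the extra group only carries TCP/22 rules for the bastion and that each CSV ip is an IPv4 address or CIDR; both assumptions are marked in the code. It validates every address before touching AWS (the typo problem), and revokes any rule that is no longer in the CSV (the forgotten-recovery problem), which is the part a plain "add rule" script misses.

```python
"""Reconcile the 'extra' security group with a who,ip conf file.

Added example for this page; it is not the wiki's handle_sg.py. Assumptions
not taken from the page: the extra group carries only TCP/22 (bastion SSH)
rules, each CSV ip is an IPv4 host or CIDR, and the description of each rule
holds the 'who' column so stale rules can be traced back to a person.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Optional, Tuple

PORT = 22      # assumed: bastion SSH
PROTO = "tcp"

# Constructed sample input in the page's who,ip layout.
SAMPLE_CSV = """who,ip
Simon home,101.88.2.90
Mike home,112.64.3.232
Jack home,101.86.4.233
"""


def desired_rules(csv_text: str) -> Dict[str, str]:
    """Parse the conf file into {cidr: who}.

    A mistyped address raises instead of silently becoming a rule, which is
    the typo problem the page attributes to manual editing.
    """
    rules: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        who, ip = row["who"].strip(), row["ip"].strip()
        if not who or not ip:
            raise ValueError(f"incomplete row: {row!r}")
        net = ipaddress.ip_network(ip, strict=True)   # bare address -> /32; host bits in a prefix -> error
        if net.version != 4:
            raise ValueError(f"only IPv4 handled here: {ip}")
        cidr = str(net)
        if cidr in rules:
            raise ValueError(f"duplicate entry for {cidr}")
        rules[cidr] = who
    return rules


def current_rules(ip_permissions: List[dict]) -> Dict[str, str]:
    """Pick the TCP/PORT IPv4 rules out of an EC2 IpPermissions list; other rules are left alone."""
    found: Dict[str, str] = {}
    for perm in ip_permissions:
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) != (PROTO, PORT, PORT):
            continue
        for rng in perm.get("IpRanges", []):
            found[rng["CidrIp"]] = rng.get("Description", "")
    return found


def plan(desired: Dict[str, str], current: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (to_authorize, to_revoke) so the group ends up matching the CSV.

    Revoking anything not in the CSV is what covers "forget to recover".
    """
    return sorted(set(desired) - set(current)), sorted(set(current) - set(desired))


def ip_permissions(cidrs: List[str], descriptions: Optional[Dict[str, str]] = None) -> List[dict]:
    """Build the IpPermissions structure the EC2 API expects for a list of CIDRs."""
    ranges = []
    for c in cidrs:
        rng = {"CidrIp": c}
        if descriptions and descriptions.get(c):
            rng["Description"] = descriptions[c]
        ranges.append(rng)
    return [{"IpProtocol": PROTO, "FromPort": PORT, "ToPort": PORT, "IpRanges": ranges}]


def reconcile(ec2, sg_id: str, csv_text: str) -> Tuple[List[str], List[str]]:
    """Bring sg_id in line with csv_text. ec2 is a boto3 EC2 client (assumed)."""
    desired = desired_rules(csv_text)   # fail fast on a bad conf file, before touching AWS
    group = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    to_add, to_revoke = plan(desired, current_rules(group["IpPermissions"]))
    if to_add:
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=ip_permissions(to_add, desired))
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=ip_permissions(to_revoke))
    return to_add, to_revoke


if __name__ == "__main__":
    import sys
    import boto3   # only needed when really talking to AWS

    with open(sys.argv[2]) as fh:
        added, revoked = reconcile(boto3.client("ec2"), sys.argv[1], fh.read())
    print(f"authorized {added}; revoked {revoked}")
```

Run it from the cron job as python3 handle_sg_example.py sg-xxxxxxxx frequentChangingConf.csv (hypothetical file name and group id). The IAM identity the job runs under only needs ec2:DescribeSecurityGroups, ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress, and should be scoped to the extra group so a bad conf file can never touch the stable one.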
For a classic load balancer created by Kubernetes, configure it as below:
ubuntu@ip-172-30-4-128:~$ k get svc -n kube-system normal-elb-service -o yaml
apiVersion: v1
kind: Service
metadata:
annotations:
... ...
service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: sg-06904743dba56a233
... ...
spec:
... ...
loadBalancerSourceRanges:
- 213.0.0.0/9
loadBalancerSourceRanges under spec makes Kubernetes generate and manage a security group itself; use it for the general, stable rules.
service.beta.kubernetes.io/aws-load-balancer-extra-security-groups under annotations attaches an extra security group that you manage yourself. Put the frequently changing rules there and let the conf-driven job update them; because Kubernetes does not own this group, its changes are not rolled back. Note that you must also allow this security group to reach the Kubernetes nodes. Allowing all ports works; restricting it to the NodePort range the load balancer forwards to is the tighter option.
For an application load balancer created by a Kubernetes ingress, configure it as below:
$ k get ing -n istio-system vr-ingress -o yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
... ...
alb.ingress.kubernetes.io/security-groups: sg-0c899c89c594a90b9,sg-0eb4caaf49ed6a5fc
kubernetes.io/ingress.class: alb
... ...
Both security groups listed in alb.ingress.kubernetes.io/security-groups are created and managed by yourself: one holds the stable rules, the other the frequently changing rules driven by the conf file. Again, you must allow both security groups to reach the Kubernetes nodes (all ports works; the NodePort range the ALB targets is the tighter option).
Because these security groups are managed by you rather than by Kubernetes, rule changes are not rolled back, and the conf file becomes the single, convenient place to manage them. Keep in mind that it is then also the effective source of truth for the firewall: anyone who can commit to the repository can open a rule, so restrict write access and review changes before they land.