Simplify security group management based on configure files - johnzheng1975/devops_way GitHub Wiki

Challenge

There are lots of security groups on AWS, and they may change frequently according to customers' requirements. This brings tedious workload for DevOps. Also, manual management is prone to typos and to forgetting to revert changes.

Solution

Define a conf file in GitHub, with a cronjob that changes the related security group as soon as the conf file changes.

$ cat frequentChangingConf.csv
who,ip
Simon home,101.88.2.90
Mike home,112.64.3.232
Jack home,101.86.4.233

$ ls
handle_sg.py  frequentChangingConf.csv  runHandle.sh

#crontab -e
# m h  dom mon dow   command
* * * * *  /../runHandle.sh >> /root/runHanleAndCommit.log

Refer to the code under: <... ...>

The code is not complex. The key point for this solution is: Kubernetes application load balancers and classic load balancers manage their security groups themselves, and will roll back security group rule changes automatically after your manual change. We need to handle this.
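As an added example of the reconciliation logic such a cronjob needs (this is not the wiki's handle_sg.py; port 22, the description convention and the sample conf are assumptions), the diff runs offline and only the last function talks to AWS through a boto3 EC2 client:

```python
# Added example, not the wiki's handle_sg.py: reconcile the "extra" security
# group's SSH ingress rules with frequentChangingConf.csv (assumed port 22).
import csv
import io
import ipaddress

MANAGED_PORT = 22  # assumed: the bastion port driven by the conf file

# Constructed sample conf, same shape as frequentChangingConf.csv above
SAMPLE_CONF = """who,ip
Simon home,101.88.2.90
Mike home,112.64.3.232
Jack home,101.86.4.233
"""

def desired_rules(conf_text):
    """Map the conf file to {cidr: description}; every ip becomes a /32."""
    rules = {}
    for row in csv.DictReader(io.StringIO(conf_text)):
        addr = ipaddress.ip_address(row["ip"].strip())  # ValueError on a typo
        rules[f"{addr}/32"] = row["who"].strip()
    return rules

def current_rules(ip_permissions):
    """Extract the managed port's CIDR rules from a boto3 IpPermissions list."""
    rules = {}
    for perm in ip_permissions:
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) != ("tcp", MANAGED_PORT, MANAGED_PORT):
            continue
        for rng in perm.get("IpRanges", []):
            rules[rng["CidrIp"]] = rng.get("Description", "")
    return rules

def plan(desired, current):
    """Return (to_authorize, to_revoke); a row removed from the conf is revoked."""
    to_add = sorted((c, d) for c, d in desired.items() if c not in current)
    to_del = sorted(c for c in current if c not in desired)
    return to_add, to_del

def ip_permissions(cidrs):
    """Build the IpPermissions payload for the *_security_group_ingress calls."""
    return [{"IpProtocol": "tcp", "FromPort": MANAGED_PORT, "ToPort": MANAGED_PORT,
             "IpRanges": [{"CidrIp": c, **({"Description": d} if d else {})} for c, d in cidrs]}]

def apply_plan(ec2, group_id, to_add, to_del):
    """Push the plan through a boto3 EC2 client; revoke first to avoid duplicates."""
    if to_del:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=ip_permissions([(c, "") for c in to_del]))
    if to_add:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=ip_permissions(to_add))
```

Because the conf is the single source of truth, an IP that disappears from the CSV is revoked on the next run, which is the "forget to recover" case the page calls out.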

Best Practice of security group

EC2 Example

For instance ec2_bastion, add two security groups:

  • connect_to_Bastion
    Used as the general and stable security group.
  • connect_to_bastion_extra
    Used for frequently changing rules based on the conf file.

Classic Load Balancer Example

For a classic load balancer created by Kubernetes, you can configure it as below:

ubuntu@ip-172-30-4-128:~$ k get svc -n kube-system  normal-elb-service -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
  ... ...
    service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: sg-06904743dba56a233
  ... ...
spec:
  ... ...
  loadBalancerSourceRanges:
  - 213.0.0.0/9

The loadBalancerSourceRanges field under spec makes Kubernetes generate a security group; this is used for the general and stable security group rules.

The aws-load-balancer-extra-security-groups annotation attaches an extra security group managed by yourself. This is used to manage the frequently changing security group rules, which are changed based on the conf file. Note that you need to allow this security group to access all ports of the Kubernetes nodes.

Application Load Balancer Example

For an application load balancer created by a Kubernetes ingress, you can configure it as below:

$ k get ing -n istio-system  vr-ingress -o yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ... ...
    alb.ingress.kubernetes.io/security-groups: sg-0c899c89c594a90b9,sg-0eb4caaf49ed6a5fc
    kubernetes.io/ingress.class: alb
    ... ...

These two security groups are created and managed by yourself. One is for stable security rules; the other is for frequently changing rules based on the conf file. Note that you must allow these two security groups to access all ports of the Kubernetes nodes.

Summary

Using security groups managed by yourself, you can change the security group rules without them being rolled back. And you can define your own conf file to make management easy and convenient.
