kismatic
Provisioner: Use a bastion node for cluster installation
Exactly what it looks like. Currently, we expose a public IP and port 22 on all nodes, and this is an obvious security risk.
The easiest potential fix here is to just run KET from the bastion. However, the terraform/ket2.0 work would still bring up machines that have firewall settings as if you were creating clusters from outside the cloud provider. Ultimately, you can still edit the firewall/security settings manually after bringing up the cluster, but it's a pretty large hassle. This is a significant amount of work to fix, and I think a relatively high priority, considering we're touting this thing as "production grade". Will leave open, but not sure where this is going next.