diff --git a/cluster/aws/config-default.sh b/cluster/aws/config-default.sh
index 4b8f323a86..5e64eb01a2 100644
--- a/cluster/aws/config-default.sh
+++ b/cluster/aws/config-default.sh
@@ -88,6 +88,8 @@ NON_MASQUERADE_CIDR="${NON_MASQUERADE_CIDR:-10.0.0.0/8}" # Traffic to IPs outsid
 SERVICE_CLUSTER_IP_RANGE="${SERVICE_CLUSTER_IP_RANGE:-10.0.0.0/16}" # formerly PORTAL_NET
 CLUSTER_IP_RANGE="${CLUSTER_IP_RANGE:-10.244.0.0/16}"
 MASTER_IP_RANGE="${MASTER_IP_RANGE:-10.246.0.0/24}"
+SSH_CIDR="${SSH_CIDR:-0.0.0.0/0}" # IP to restrict ssh access to nodes/master
+HTTP_API_CIDR="${HTTP_API_CIDR:-0.0.0.0/0}" # IP to restrict HTTP API access
 # If set to an Elastic IP address, the master instance will be associated with this IP.
 # Otherwise a new Elastic IP will be acquired
 # (We used to accept 'auto' to mean 'allocate elastic ip', but that is now the default)
diff --git a/cluster/aws/util.sh b/cluster/aws/util.sh
index 80170c5f27..b09378f93d 100755
--- a/cluster/aws/util.sh
+++ b/cluster/aws/util.sh
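Review bot: The two new defaults keep both rules open to every source address, yet the trailing comments read as if they restrict access, and they say "IP" where the value is consumed as a CIDR by the `--cidr` argument in util.sh. The comments should name the port, the value type and the fact that the default is unrestricted, e.g. `SSH_CIDR="${SSH_CIDR:-0.0.0.0/0}" # CIDR allowed to reach SSH (tcp/22) on master and nodes; the default allows any source` and `HTTP_API_CIDR="${HTTP_API_CIDR:-0.0.0.0/0}" # CIDR allowed to reach the master API over HTTPS (tcp/443); the default allows any source`. Since the rule that HTTP_API_CIDR feeds is the port-443 (HTTPS) rule, saying so in the comment avoids the mismatch between the variable name and what it governs. Nothing in this file checks the shape of either value, and util.sh splices them straight into a command-line string, so an operator-supplied value is trusted as-is.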
@@ -1006,14 +1006,12 @@ function kube-up {
 authorize-security-group-ingress "${MASTER_SG_ID}" "--source-group ${NODE_SG_ID} --protocol all"
 authorize-security-group-ingress "${NODE_SG_ID}" "--source-group ${MASTER_SG_ID} --protocol all"
- # TODO(justinsb): Would be fairly easy to replace 0.0.0.0/0 in these rules
- # SSH is open to the world
- authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 22 --cidr 0.0.0.0/0"
- authorize-security-group-ingress "${NODE_SG_ID}" "--protocol tcp --port 22 --cidr 0.0.0.0/0"
+ authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 22 --cidr ${SSH_CIDR}"
+ authorize-security-group-ingress "${NODE_SG_ID}" "--protocol tcp --port 22 --cidr ${SSH_CIDR}"
 # HTTPS to the master is allowed (for API access)
- authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 443 --cidr 0.0.0.0/0"
+ authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 443 --cidr ${HTTP_API_CIDR}"
 # KUBE_USE_EXISTING_MASTER is used to add minions to an existing master
 if [[ "${KUBE_USE_EXISTING_MASTER:-}" == "true" ]]; then
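Review bot: `${SSH_CIDR}` and `${HTTP_API_CIDR}` are spliced into the rule string handed to authorize-security-group-ingress on the three new lines without any check that they are CIDRs; if that helper word-splits its second argument (its body is not in this hunk), a malformed or space-containing value becomes a wrong rule or an opaque API failure instead of a clear error at the point of configuration. The hunk also deletes the "SSH is open to the world" comment, but with the defaults from config-default.sh that is still the behaviour, so the intent is now less visible than before. A short guard before the port-22 rules that validates both values as plain IPv4 CIDRs and logs when the unrestricted default is in effect would address both points; I'd keep a comment such as `# SSH and API ingress are limited to SSH_CIDR / HTTP_API_CIDR (default 0.0.0.0/0 = any source)` in place of the removed one. kube-up begins before this hunk and continues after it.
```shell
  # SSH_CIDR / HTTP_API_CIDR are spliced into the rule strings below; insist on a
  # plain IPv4 CIDR so a malformed value fails here instead of producing a rule
  # that is wrong or silently rejected by the API.
  local cidr
  for cidr in "${SSH_CIDR}" "${HTTP_API_CIDR}"; do
    if [[ ! "${cidr}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]|[12][0-9]|3[0-2])$ ]]; then
      echo "Invalid CIDR '${cidr}' in SSH_CIDR/HTTP_API_CIDR" >&2
      exit 1
    fi
  done
  # SSH and API ingress are limited to SSH_CIDR / HTTP_API_CIDR (default 0.0.0.0/0 = any source)
  if [[ "${SSH_CIDR}" == "0.0.0.0/0" ]]; then
    echo "Warning: SSH_CIDR is 0.0.0.0/0; SSH on master and nodes accepts any source" >&2
  fi
  authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 22 --cidr ${SSH_CIDR}"
  authorize-security-group-ingress "${NODE_SG_ID}" "--protocol tcp --port 22 --cidr ${SSH_CIDR}"
  # … unchanged: HTTPS rule, KUBE_USE_EXISTING_MASTER check …
```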