Get BwdServer into production #4911

Closed
34 of 42 tasks
pbiggar opened this issue May 31, 2023 · 2 comments
Comments

@pbiggar
Member

pbiggar commented May 31, 2023

  • make terraform match production
  • add dark repo to gcp oidc via TF
  • add cockroach serverless project
  • create new accounts and move them into google secrets
    • rollbar project
    • honeycomb bucket
    • pusher
    • pubsub
    • traces-cloud-storage
    • container names
    • db
    • launchdarkly project (clone it)
    • google secrets
    • anything in config/gke-builtwithdark
  • build bwd container in CI
  • push bwd container in CI
  • add cloud run settings in TF
  • update CI to change TF container
  • figure out tunnel2 settings/replacement
    • iptables: iptables -A OUTPUT -d metadata.google.internal -j DROP (note doesn't work if IP changes)
    • disable requests with the google cloud metadata thing
    • reduce access of service account to nothing
    • disallow connections from httpclient to
      • 10.x
      • 169.254.0.0/16
      • 10.0.0.0/8
      • 172.16.0.0/12
      • 192.168.0.0/16
      • 127.0.0.0/8
      • tests
      • ipv6 tests
    • disallow host names in httpclient
      • 10.x
      • 169.254.0.0/16
      • 10.0.0.0/8
      • 172.16.0.0/12
      • 192.168.0.0/16
      • 127.0.0.0/8
      • specifically metadata.google.internal (case insensitive check)
      • tests
    • test each rule works manually
  • remove 404 handling and remaining trace code
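The "disallow connections from httpclient to ..." and "disallow host names in httpclient" items above describe an egress guard for user-initiated HTTP requests. The block below is an added example of such a guard, written for this issue and not taken from Dark's codebase: it rejects a URL when the host is the metadata hostname (compared case-insensitively, trailing dot stripped), when the host is a literal address in one of the listed ranges (including IPv4-mapped IPv6 forms such as ::ffff:10.0.0.1), or when DNS resolution yields any address in those ranges. The IPv6 loopback, link-local and unique-local ranges are my addition for the "ipv6 tests" item, and the pluggable resolver is an assumption so the check can be exercised offline against constructed DNS answers.

```python
"""Egress guard for an HTTP client: refuse URLs that point at private,
link-local, loopback or cloud-metadata addresses. Added example, not Dark's code."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# IPv4 ranges from the issue checklist. The IPv6 entries (loopback, link-local,
# unique-local) are an assumption added to cover the "ipv6 tests" item.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7",
)]

# Hostnames rejected before any DNS lookup; compared case-insensitively.
BLOCKED_HOSTNAMES = {"metadata.google.internal"}

# A resolver maps a hostname to the textual addresses it resolves to.
Resolver = Callable[[str], Iterable[str]]


def normalise_host(host: str) -> str:
    """Lower-case and drop a trailing dot so METADATA.google.internal. matches."""
    return host.lower().rstrip(".")


def blocked_address_reason(ip_text: str) -> Optional[str]:
    """Return why an address is blocked, or None if it is allowed.

    Raises ValueError if ip_text is not an IP literal at all."""
    addr = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.1 is 10.0.0.1 in an IPv6 wrapper; check the inner IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net in BLOCKED_NETWORKS:
        if addr in net:  # ipaddress returns False across IPv4/IPv6 versions
            return f"{ip_text} is in blocked range {net}"
    return None


def system_resolver(host: str) -> list[str]:
    """Default resolver using the OS; unresolvable names yield an empty list."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_url(url: str, resolver: Resolver = system_resolver) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise a reason for refusing it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return "URL has no host"
    host = normalise_host(parts.hostname)

    if host in BLOCKED_HOSTNAMES:
        return f"hostname {host} is blocked"

    try:
        # Literal IP in the URL: judge it directly, no DNS involved.
        return blocked_address_reason(host)
    except ValueError:
        pass  # not an IP literal, fall through to DNS

    addresses = list(resolver(host))
    if not addresses:
        return f"{host} did not resolve"  # fail closed rather than let the client decide
    # A name is rejected if *any* answer lands in a blocked range, so a mixed
    # A/AAAA answer cannot smuggle one private address past the check.
    for ip_text in addresses:
        reason = blocked_address_reason(ip_text)
        if reason:
            return f"{host} resolves to a blocked address: {reason}"
    return None


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline.
    fake_dns = {
        "example.test": ["93.184.216.34"],
        "internal.test": ["10.1.2.3"],
        "mixed.test": ["93.184.216.34", "192.168.0.5"],
    }
    for u in ("http://METADATA.google.internal/computeMetadata/v1/",
              "http://169.254.169.254/", "http://[::ffff:10.0.0.1]/",
              "https://example.test/", "https://mixed.test/"):
        print(u, "->", check_url(u, lambda h: fake_dns.get(h, [])) or "allowed")
```

Two points follow from the checklist's "test each rule works manually". First, the address this guard approves must be the address the client actually connects to; if the HTTP client performs its own second lookup, a name that changes answers between the two lookups bypasses the check, which is one reason the issue keeps iptables or a restricted proxy as a second layer. Second, ipaddress only accepts canonical literals, so shorthand such as 127.1 reaches the resolver path instead of the literal path; the guard still decides based on what the name resolves to, but the manual tests should include such forms.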
@StachuDotNet
Member

StachuDotNet commented Jan 15, 2024

had a quick chat w/ paul to get hand-off notes here:

the major thing remaining here is " figure out tunnel2 settings/replacement", "iptables"...

  • we need production testing to prevent users from figuring out IP addresses
  • try to get IP addresses -> error
  • extra level of protection: iptables?
    • or: provide a proxy (like how we used to do things in k8s -- everything would go through proxy, which had firewall rules)
  • with cloud run...
    • we could provide another cloud run project that just does proxy
    • that one doesn't have permissions

urgency/importance: blocker for letting users run their code on dark-cloud

if we don't do this and/or we get it wrong, then an attacker may be able to get access to our entire cloud acct, etc.

I need to study up here and reflect on our current setup

pay attention to 169.254.0.0/16 - provides token that has auth as us

@StachuDotNet added the labels "later" (Let's think about this later -- we have some higher-priority things to work through first) and "needs-review" (I plan on going through each of the issues and clarifying them -- this is to mark remaining issues) on Feb 8, 2024
@StachuDotNet
Member

closing in favor of a more refined issue, #5310

@StachuDotNet removed the labels "later" (Let's think about this later -- we have some higher-priority things to work through first) and "needs-review" (I plan on going through each of the issues and clarifying them -- this is to mark remaining issues) on Feb 21, 2024