Google Cloud provider behavior with firewall rules #26

Open
boredabdel opened this issue Aug 1, 2024 · 4 comments
Comments

@boredabdel

I was trying out devpod today with Google Cloud as a backend provider, and I noticed a potentially insecure default behavior.

The provider assumes a firewall rule that allows incoming SSH connections. This is a valid assumption because for new projects an allow-all SSH ingress rule is present [1].

Now this is the default behavior, but not the recommended one. Typically, for safety reasons, we recommend users remove these default firewall rules. The reason is simply that any VM that has a public IP will by default be open to the Internet on SSH (authentication via password is disabled; only SSH key authn is enabled on the VM images provided by Google Cloud).

The recommended way is to use Identity-Aware Proxy (IAP) port forwarding (aka tunneling) [2]. With IAP tunneling, users have to configure a single firewall rule for the entire project (they can use network tags to restrict it to specific VMs) and use IAM to grant access to users. This method has two advantages:

  • You don't need a wide-open firewall rule. The rule required for IAP opens up only to Google proxies, which are controlled by IAM.
  • VMs don't need a public IP, so users will save money, as public IPs cost money [3].

The catch is that to connect to a VM using IAP you need to pass a flag to gcloud: --tunnel-through-iap. I tried removing the default firewall rules, configuring IAP and trying out devpod, but it doesn't work. The client doesn't seem to have a way to pass extra flags!

[1] https://cloud.google.com/firewall/docs/firewalls#more_rules_default_vpc
[2] https://cloud.google.com/iap/docs/using-tcp-forwarding#preparing_your_project_for_tcp_forwarding
[3] https://cloud.google.com/vpc/pricing
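As an added example (not from the issue or the devpod provider), a small audit over firewall rules in the shape of "gcloud compute firewall-rules list --format=json" that separates the wide-open default SSH rule described above from an IAP-only rule. The rule set is constructed; the IAP proxy range 35.235.240.0/20 is the one given in the IAP TCP forwarding doc linked as [2].

```python
import ipaddress
import json

# IAP TCP forwarding proxy range (from the IAP doc linked in the issue); the constructed sample
# below mirrors the shape of `gcloud compute firewall-rules list --format=json`.
IAP_SOURCE_RANGE = ipaddress.ip_network("35.235.240.0/20")
SSH_PORT = 22
SAMPLE_RULES_JSON = json.dumps([
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-iap-ssh", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
     "targetTags": ["devpod"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-internal", "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "all"}]},
])

def _port_match(port_spec, port):
    """True if a gcloud port spec ("22" or "20-25") covers `port`."""
    lo, _, hi = port_spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_allows_ssh(rule):
    """True if an enabled INGRESS rule allows TCP/22 (no port list means all ports)."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(_port_match(p, SSH_PORT) for p in ports):
            return True
    return False

def classify_ssh_rules(rules_json):
    """Split SSH-allowing rules into (wide_open, iap_only) lists of rule names.

    wide_open: reachable from 0.0.0.0/0 or ::/0 (the default-allow-ssh pattern).
    iap_only:  every source range lies inside the IAP proxy range.
    """
    wide_open, iap_only = [], []
    for rule in json.loads(rules_json):
        if not rule_allows_ssh(rule):
            continue
        sources = [ipaddress.ip_network(s) for s in rule.get("sourceRanges", [])]
        if any(s.prefixlen == 0 for s in sources):
            wide_open.append(rule["name"])
        elif sources and all(s.version == 4 and s.subnet_of(IAP_SOURCE_RANGE) for s in sources):
            iap_only.append(rule["name"])
    return wide_open, iap_only
```

Feed it the real JSON output of the gcloud command and any name in the first list is a rule worth removing once the IAP rule is in place.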

@pascalbreuninger
Member

Hi @boredabdel, thanks a lot for opening the issue.

If I understood correctly, this is a matter of changing the defaults we currently have in the gcloud provider when creating new instances.
Setting the PUBLIC_IP_ENABLED option to false should already use IAP tunneling to access the instance.

@boredabdel
Author

boredabdel commented Aug 5, 2024

Yes, but not enough. Setting PUBLIC_IP_ENABLED will only disable the public IP. For IAP you still need to add a firewall rule: https://cloud.google.com/iap/docs/using-tcp-forwarding#preparing_your_project_for_tcp_forwarding

@pascalbreuninger
Member

Fair enough. So far we've shied away from altering your whole project when creating a workspace to avoid unintended side effects.
From my point of view there are two improvements we can make:

  1. Add setup steps for IAP in the README - will do anyway.
  2. Warn users explicitly, when turning this option on, that we're going to make adjustments to their project.

@boredabdel
Author

I completely understand that you want to keep the client as agnostic as possible.

1 - That would be great.
2 - You don't have to make the changes. If it's possible to prompt the user with instructions or a link to the doc when they turn the private instance option on, that would be enough!
