There are multiple places in the codebase where the configuration is fine during development but will likely need to be adjusted for production to tighten security.
This issue is intended to collect such places.
- the ingress for the SSH server currently accepts connections from
world - this should be restricted to known IP addresses/ranges, and should be a configuration option
- Traffic from the SSH server is currently allowed to go to any IP address on the isolated node subnet by Cilium network policies. This is further restricted by network security groups, but could be tightened in the CNP too if necessary.
- Tighten down SSH server configuration further - only permit forwarding to particular IPs, only allow certain commands, also restrict IP addresses
- Make Harbor proxies private and pass credentials to the isolated cluster, so only the isolated cluster can pull through them
There are multiple places in the codebase where the configuration is fine during development but will likely need to be adjusted for production to tighten security.
This issue is intended to collect such places.
world- this should be restricted to known IP addresses/ranges, and should be a configuration option