Commit

fix: add os update fw rule source ranges in setters (#538)
alaincormier-ssc authored Sep 29, 2023
1 parent e7d27d6 commit f8c882c
Showing 3 changed files with 16 additions and 2 deletions.
1 change: 1 addition & 0 deletions solutions/client-landing-zone/README.md
Expand Up @@ -15,6 +15,7 @@ Package to create a client's folder hierarchy, logging resources and a network h
| Name | Value | Type | Count |
|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------|-------|
| allowed-os-update-domains | ["debian.map.fastlydns.net", "debian.org", "deb.debian.org", "ubuntu.com", "packages.cloud.google.com", "security.ubuntu.com", "northamerica-northeast1.gce.archive.ubuntu.com", "northamerica-northeast2.gce.archive.ubuntu.com"] | array | 1 |
| allowed-os-update-source-ip-ranges | ["10.1.0.0/21", "10.1.8.0/21", "10.1.128.0/21", "10.1.136.0/21"] | array | 1 |
| client-billing-id | AAAAAA-BBBBBB-CCCCCC | str | 1 |
| client-folderviewer | group:client1@example.com | str | 1 |
| client-name | client1 | str | 185 |
Expand Up @@ -34,8 +34,8 @@ spec:
ports:
- "80"
- "443"
srcIPRanges:
- "10.0.0.0/8"
srcIPRanges: # kpt-set: ${allowed-os-update-source-ip-ranges}
- "n.n.n.n/n"
destFqdns: # kpt-set: ${allowed-os-update-domains}
- "example.com"
priority: 5000
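Review bot: At srcIPRanges, the default source scope narrows from "10.0.0.0/8" to whatever the allowed-os-update-source-ip-ranges setter supplies (four /21 ranges under 10.1.x by default), so a deployment with update clients elsewhere in 10.0.0.0/8 stops matching this rule once the package is rendered. The commit is labelled a fix, so this behaviour change should be called out in the release or upgrade notes. Separately, the placeholder "n.n.n.n/n" is not a valid CIDR, while the neighbouring destFqdns placeholder "example.com" is a well-formed value; if the difference is deliberate, so that a manifest rendered without the setter cannot carry a working range, add a short comment beside it saying so.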
13 changes: 13 additions & 0 deletions solutions/client-landing-zone/setters.yaml
Expand Up @@ -123,6 +123,19 @@ data:
- "northamerica-northeast1.gce.archive.ubuntu.com"
- "northamerica-northeast2.gce.archive.ubuntu.com"
#
# the source IP ranges allowed to access the domains listed above
# the ranges should match the values of the '*main-snet' setters configured earlier:
# - standard-nane1-nonp-main-snet
# - standard-nane2-nonp-main-snet
# - standard-nane1-pbmm-main-snet
# - standard-nane2-pbmm-main-snet
# OR a list of more restrictive ranges within those subnets (for example, 10.1.1.5/32)
allowed-os-update-source-ip-ranges: |
- "10.1.0.0/21"
- "10.1.8.0/21"
- "10.1.128.0/21"
- "10.1.136.0/21"
#
##########################
# DNS
##########################
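Review bot: The comment above allowed-os-update-source-ip-ranges asks the operator to keep this list in step with the four '*main-snet' setters by hand, and nothing in the visible change checks that they agree. If a subnet setter is edited later and this list is not, the rule either stops matching the hosts that need updates or keeps allowing a range that is no longer in use. Suggest adding a matching pointer comment next to each '*main-snet' setter that names this setter, and stating in this comment whether a range outside those subnets is accepted, since "should match" reads as advisory. Minor style point: the new comment lines start in lower case; match the capitalisation used by the other setter comments in the file.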