Atlantis: Document security concerns of Atlantis UI
Via https://github.com/runatlantis/atlantis/issues/49#issuecomment-465638013, document the impact of access to the Atlantis UI in the security section
lkysow
All 8 comments
Is there an undocumented setting for disabling the UI entirely? If not, I'm interested in implementing it.
Since the UI runs on the same port as the version control webhooks, which necessarily is exposed to the open internet for those of us using services like GitHub, the only way that I can think of to firewall off the UI without interfering with the webhooks is to whitelist GitHub's backend IPs. Polling GitHub for its IPs sounds like a lot of operational overhead to secure a feature that I don't use. I would rather be able to just switch off the UI.
edit: Like others in this thread, I ended up putting Atlantis behind a reverse proxy that allows fine-grained access control.
aldenstpage
on 8 Mar 2019
There isn't an undocumented setting and I don't think I'd want a PR to implement it. The UI is necessary for normal Atlantis usage, I'd be surprised if you never needed it.
You could also front Atlantis with a server that only lets through requests to /events. I'm also not sure how often GitHub changes their backend IPs, but you probably don't have to poll them?
I know those aren't great solutions but that's where we're at today.
lkysow
on 8 Mar 2019
In my case, UI is pretty good for just showing the information across the repos (atlantis tool for all our repos).
chenrui333
on 17 Apr 2019
On the IP whitelisting: if you use Terraform, you can get the IPs from the Github provider.
chadasapp
on 29 May 2019
You could also potentially run nginx in front of atlantis and use basic auth. The web hook could then be configured as https://user:password@url-to-atlantis. Disclaimer, I have not tested this myself yet as I've just started to set it up.
epacke
on 4 Sep 2019
We use the whitelisted IPs through terraform like @chadasapp, it also goes through a custom tool that checks the signature, who is attached to the request, if the repo is truly a private repo, all those bits. It also has our company's next-gen WAF protecting it.
It would be easier if API traffic and human traffic were on different ports. It's a lot easier to trust a security group, for instance.
ted-fastly
on 14 Feb 2020
I've very succesfully been deploying https://github.com/pusher/oauth2_proxy in front of atlantis, with the github integration.
You can specify to skip auth for the /events path, so the webhooks still work fine.
netguino
on 18 Feb 2020
You can update the ingress to handle only /events, thereby disabling UI partially.
Update ingress block in helm chart deployment:
ingress:
enabled: true
annotations:
networking.gke.io/managed-certificates: gke-managed-cert
kubernetes.io/ingress.global-static-ip-name: gke-managed-ip
kubernetes.io/ingress.class: "gce"
path: /events
host: atlantis.testxxx.com
pdhara
on 18 Mar 2021
Related issues
cheethoe
路
4Comments
alistar79
路
5Comments
atlantisbot
路
4Comments
lkysow
路
4Comments
stephencoe
路
5Comments
Most helpful comment
Is there an undocumented setting for disabling the UI entirely? If not, I'm interested in implementing it.
Since the UI runs on the same port as the version control webhooks, which necessarily is exposed to the open internet for those of us using services like GitHub, the only way that I can think of to firewall off the UI without interfering with the webhooks is to whitelist GitHub's backend IPs. Polling GitHub for its IPs sounds like a lot of operational overhead to secure a feature that I don't use. I would rather be able to just switch off the UI.
edit: Like others in this thread, I ended up putting Atlantis behind a reverse proxy that allows fine-grained access control.