Kops supports creating a cluster without a load balancer in front of the API (the 'dns' option), but there is no such option for SSH bastions -- LBs are always created for bastions. I'd like the ability to disable LB creation, and the corresponding security group(s).
Why is this useful? SSH bastions are not usually critical services, a single instance may be good enough (kops does only create 1 instance by default), some people/companies would rather not pay extra for multiple instances and/or an LB.
If it is not critical then don't create the bastion?
It may not be critical from a HA perspective, some downtime could be tolerated, but it's critical from a security perspective. And if it's not created then users can't SSH into a cluster w/ a private network topology, at least not without resorting to a home-grown solution.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
Please re-open
we would like a bastion with no external AWS LB - that will be accessed only by users with access to the VPN - i.e. in an internal AWS IP
+1 For reopening the issue. It would be amazing to have an option to not create a LB for bastion, as it also generates additional costs.
+1 for reopening this, our elb costs are way more than the actual EC2 instances cost for the ssh bastion enabled cluster.
/reopen
Would be very nice if creation of bastion can do without lb for minimizing cost, admin can access bastion directly using vpn
+1 for reopening this
/remove-lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/remove-lifecycle rotten
/reopen
@guikcd: You can't reopen an issue/PR unless you authored it or you are a collaborator.
In response to this:
/reopen