TL;DR
We aim to move to OpenShift 4. It brings many new features compared to the 3.x generation. In our company, we have many security rules that keep the system secure. One of them is making sure that our images are PCI-DSS compliant.
This week, to test the PCI-DSS components, I wrote an Ansible role that checks images. Even though this role does not change anything in the system, I needed to create my own stack to run it.
Creating a full stack (with gateway, OpenShift master nodes and workers) is not a good option for that, since I have to check the base image without any changes. It is also a waste of resources, because the installation takes a long time.
I decided to create just one instance from the AWS Console, then expected to connect with an SSH client and test the necessary scenarios.
Nope. It’s not possible.
I don’t know what kind of mechanism Red Hat used, but my public key was not in authorized_keys, so I couldn’t connect.
At first, I expected that our company’s great firewall was blocking the connection. However, I got the same result after trying the same scenario from my own AWS account. After that, I was sure Red Hat did some kind of trick and did not place my key the way other images do.
In the end, I opened a ticket with Red Hat and explained the situation. They confirmed that it’s not possible and that I have to create the full stack using automation. Only that way can I reach my goal.
After the 8 hours I spent debugging ACLs and security groups, I want to share the pure knowledge with you.
Result: the following CoreOS images do not add your public key to the instance if you launch it without automation:
- ami-0c63b39219b8123e5
- ami-073cba0913d2250a4
- ami-0270be11430101040
- ami-06eb9d35ede4f08a3
- ami-0d980796ce258b5d5
- ami-0f907257d1686e3f7
- ami-02fdd627029c0055b
- ami-0d4839574724ed3fa
- ami-053073b95aa285347
- ami-09deb5deb6567bcd5
- ami-068a2000546e1889d
- ami-046fe691f52a953f9
- ami-0649fd5d42859bdfc
- ami-0c1d2b5606111ac8c
- ami-00745fcbb14a863ed