Begin documenting etcd infrastructure.

This commit introduces initial processes for managing access.

Signed-off-by: James Blair <mail@jamesblair.net>
Showing 1 changed file with 48 additions and 0 deletions.
@@ -0,0 +1,48 @@ | ||
# etcd arm64 test infrastructure | ||
|
||
## Infrastructure summary | ||
|
||
All etcd project pipelines run via github actions. The etcd project currently maintains dedicated infrastructure for running `arm64` continuous integration testing. This is required because currently github actions runner virtual machines are only offered as `x64`. | ||
|
||
The infrastructure consists of two `c3.large.arm` bare metal servers kindly provided by [Equinix Metal](https://www.equinix.com/) via the [CNCF Community Infrastructure Lab](https://github.com/cncf/cluster/issues/227). | ||
|
||
| Hostname | IP | Operating System | Region | | ||
|-------------------------------|----------------|--------------------|---------------| | ||
| etcd-c3-large-arm64-runner-01 | 86.109.7.233 | Ubuntu 22.04.1 LTS | Washington DC | | ||
| etcd-c3-large-arm64-runner-02 | 147.28.151.226 | Ubuntu 22.04.1 LTS | Washington DC | | ||
|
||
## Granting infrastructure access | ||
|
||
Etcd arm64 test infrastructure access is closely controlled to ensure the infrastructure is secure and protect the integrity of the etcd project. | ||
|
||
Access to the infrastructure is defined by the etcd-io [github team](https://github.com/orgs/etcd-io/teams) `infra-admins`. | ||
|
||
Individuals in this github team are granted access to the infrastructure in two ways: | ||
|
||
### 1. Equinix metal web console access | ||
|
||
An etcd project exists under the CNCF organisation in the Equinix Metal web console. The direct url to the etcd console is <https://console.equinix.com/projects/1b8c1eb7-983c-4b40-97e0-e317406e232e>. | ||
|
||
When a new member is added to the `infra-admins` team, an existing member or etcd maintainer should raise an issue in the [CNCF Community Infrastructure Labs](https://github.com/cncf/cluster/issues) to ensure they are granted web console access. | ||
|
||
### 2. Server ssh access | ||
|
||
Members of the `infra-admins` github team can ssh directly to the servers with a dedicated user account for each team member, usernames are based on github handles for easy recognition in logs. These team members will be able to elevate to the `root` user when necessary via `sudo`. | ||
|
||
Access to machines via ssh is strictly via individual ssh key based authentication, and is not permitted directly to the `root` user. Password authentication is never to be used for etcd infrastructure ssh authentication. | ||
|
||
When a new member is added to the `infra-admins` team, and existing member with ssh access should complete the following actions on all etcd servers: | ||
|
||
- create the new user via `sudo adduser <username>`. | ||
- add their public key to `/home/<username>/.ssh/authorized_keys` file. Note: Public keys are to be retrieved via github only, example: <https://github.com/jmhbnz.keys>. | ||
- add the new user to machine sudoers file via `usermod -aG sudo <username>`. | ||
|
||
## Revoking infrastructure access | ||
|
||
When a member is removed from the `infra-admins` github team existing members must review servers and ensure their user access to etcd infrastructure is revoked by removing the members `/home/<username>/.ssh/authorized_keys` entries. | ||
|
||
Note: When revoking access do not delete a user from servers as access may need to be reinstated in future. | ||
|
||
## Regular access review | ||
|
||
On a regular at least quarterly basis members of the `infra-admins` team are responsible for verifying that no unneccessary infrastructure access exists by reviewing membership of the github group and existing server access. |
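Review bot: the revocation procedure in this hunk is incomplete: removing the member's `authorized_keys` entries leaves an account that is still in the `sudo` group, keeps any open sessions alive, and can still be reached through a key placed anywhere other than that file, so the step should also lock the account (`sudo usermod -L <username>`) and terminate the user's running sessions, and the section should say how Equinix web console access is revoked, since the granting side covers both the console and ssh but the revoking side covers only ssh. In the provisioning list, privilege is inconsistent: the first step is `sudo adduser <username>` while the third is a bare `usermod -aG sudo <username>`, which also needs root; the second step should also note that `/home/<username>/.ssh` must be owned by the user with mode 700 and `authorized_keys` mode 600, otherwise sshd will ignore the key, and that keys fetched from `https://github.com/<handle>.keys` should be checked against the handle the maintainer expects before being installed. The key-only and no-root-login statements would be verifiable if the document named the `sshd_config` settings that enforce them (`PermitRootLogin no`, `PasswordAuthentication no`) so the quarterly review can check them. Typos: "and existing member with ssh access" should read "an existing member", and "unneccessary" should be "unnecessary".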