This repository has been archived by the owner on Aug 19, 2021. It is now read-only.
Architecture
Markus Winkler edited this page Mar 19, 2021
MOADSD-NG provides three entry-point Ansible Playbooks:
- site.yml - creates the network, firewalls and instances in the clouds (plus some additional required things). If site.yml is run for ESXi, only Ansible access to the already installed virtual machines is taken out.
- deploy.yml - deploys the software components chosen in the cloud environment created by site.yml
- terminate.yml - terminates everything created by site.yml
Taking site.yml as an example, the playbooks have an include-flow depending on the environmental settings. Let's assume you want to set up a plain Deep Security environment; the following flow would be taken out:
- play.yml - play.yml is included in the upper playbook
- role/name.yml - the current play calls a role
- module - module call
The firewall methodology is currently kept simple:
- There is no distinction between TCP and UDP; both protocols are opened when a port is required
- All ports are closed by default
- The Jumphost listens on ssh, http and https
- For the rest, access from 0.0.0.0/0 is restricted to service ports like 4119 to the specific instance if specified
- Access from the internal network is restricted unless explicitly allowed (e.g. port 5432 on the PostgreSQL)
- The following hosts will get a public IP assigned when running in the cloud
- Jumphost
- Deep Security Manager
- Windows Endpoints
- The following hosts will only get a private IP assigned when running in the cloud
- Kubernetes Master
- Kubernetes Workers
- Linux Endpoints
- PostgreSQL
- All Linux hosts are accessible by ssh with key based authentication (Ansible key) either directly or by proxying through the Jumphost.
- All Windows hosts are accessible by rdp.
- All instances do get an ansible user created which is used by Ansible
- All Ubuntu based instances do use the user ubuntu for the workload
- Direct remote ssh authentication to the Jumphost, Kubernetes Master and Deep Security Manager is only possible for the ansible user with Ansible's ssh key.
- Remote ssh authentication to the private instances is to be done (if required) through the Jumphost:
  ssh -o ProxyCommand="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p ansible@<jumphost public ip>" ansible@<target ip>
The Ansible-Vault is used as a secure storage for all credentials.
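The firewall methodology above can be written down as a small policy model and used to check a candidate rule set before it is applied. This is an added example, not code from MOADSD-NG; the host role names, the `Rule` format, the internal network range and the RDP port for Windows endpoints are assumptions.

```python
from dataclasses import dataclass

ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"   # constructed placeholder for the internal network range

# Host roles from the architecture description; the names are assumptions.
PUBLIC_HOSTS = {"jumphost", "deep-security-manager", "windows-endpoint"}
PRIVATE_HOSTS = {"kubernetes-master", "kubernetes-worker", "linux-endpoint", "postgresql"}

# Explicitly allowed (host, source) -> ports. There is no TCP/UDP distinction,
# so a port entry covers both protocols; everything not listed is closed by default.
# RDP on 3389 for Windows endpoints is an assumption (the page only says "rdp").
ALLOWED = {
    ("jumphost", ANY): {22, 80, 443},
    ("deep-security-manager", ANY): {4119},
    ("windows-endpoint", ANY): {3389},
    ("postgresql", INTERNAL): {5432},
}

@dataclass(frozen=True)
class Rule:
    host: str     # host role the ingress rule is attached to
    source: str   # CIDR the rule admits traffic from
    port: int

def check_rules(rules):
    """Return the list of violations of the methodology (empty list = compliant)."""
    problems = []
    for r in rules:
        if r.host not in PUBLIC_HOSTS | PRIVATE_HOSTS:
            problems.append(f"{r.host}: unknown host role")
        elif r.host in PRIVATE_HOSTS and r.source == ANY:
            problems.append(f"{r.host}: private-only host exposed to {ANY} on port {r.port}")
        elif r.port not in ALLOWED.get((r.host, r.source), set()):
            problems.append(f"{r.host}: port {r.port} from {r.source} is not explicitly allowed")
    return problems

# Constructed sample rule set: one compliant Jumphost rule, one PostgreSQL rule
# from the internal network, and one mistake that opens PostgreSQL to the world.
SAMPLE_RULES = [
    Rule("jumphost", ANY, 22),
    Rule("postgresql", INTERNAL, 5432),
    Rule("postgresql", ANY, 5432),
]

if __name__ == "__main__":
    for problem in check_rules(SAMPLE_RULES):
        print("VIOLATION:", problem)
```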