Here are my personal thoughts and experience. Not some sort of official advice.
subscription sites wrote on 09/29/18 18:40:
> Hello,
>
> I'm wondering with regard to the all-in-one setup:
>
> - I know the documentation doesn't say it's considered production, but
> what would the downside be of using this on a VPS to host production
> apps? Except for the lack of redundancy obviously, the host goes down
> and it's all down, but my alternative would be to not use openshift and
> use plain docker on one host, so availability isn't my premium concern.
> Is it not recommended from a security perspective, considering how it's
> set up using "oc cluster up", or are there other concerns for not using
> it in production?

Except for missing out on HA and running some non-app resources (console,
node, controllers, etcd, router, etc.), I see no other drawbacks.

> - When setting up an all-in-one on an internet-exposed host, how can you
> best protect the web console? Isn't it a bit "light" security-wise to
> just depend on username/password for protection? Is there a possibility
> to use multifactor or certificate-based authentication? I also tried

Depends on how you choose and manage your password. For more options you
can try to use the Keycloak auth provider. This should allow you to set up
2-factor auth IIRC.

> blocking the port with iptables and using ssh with port forwarding, but
> this doesn't seem to work, both if I set the public-master option to the
> public IP or localhost?

How does it fail when you set it to localhost?

I assume using some sort of VPN can also help but I don't see why `ssh`
shouldn't work. An alternative would be to use `ssh -D` to proxy your
traffic through the remote host and set up your browser to use that SOCKS
server when accessing the console. But I still think normal port forwarding
should do the job.

> Thanks for any help you can provide!
>
> Regards,
> Peter
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users