Re: openshift origin all in one

Sun, 30 Sep 2018 12:56:29 -0700 

Here my personal thoughts and experience. Not some sort of official advice.

subscription sites wrote on 09/29/18 18:40:

Hello,


I'm wondering with regard to the all-in-one setup:
- I know the documentation doesn't say it's considered production, but what would the downside be of using this on a VPS to host production apps? Except for the lack of redundancy obviously, the host goes down and it's all down, but my alternative would be to not use openshift and use plain docker on one host, so availability isn't my premium concern. Is it not recommended from a security perspective, considering how it's setup using "oc cluster up", or are there other concerns for not using it in production?
Except for missing on HA and running some non-app resources (console, node, controllers, etcd, router, etc.), then I see no other drawbacks.
- When setting up an all-in-one on an internet-exposed host, how can you best protect the web console? Isn't it a bit "light" security wise to just depend on username/password for protection? Is there a possibility to use multifactor or certificate based authentication? I also tried
Depends on how you choose and manage your password. For more options you can try to use keycloak auth provider. This should allow you to setup 2-factor auth IIRC.
blocking the port with iptables and using ssh with port forwarding, but this doesn't seem to work, both if I set the public-master option to the public ip or localhost? 

How does it fail when you set to localhost?
I assume using some sort of VPN can also help but I don't see why `ssh` shouldn't work. An alternative would be to use `ssh -D` to proxy your traffic through the remote host and setup your browser to use that socks server when accessing console. But still think normal port forwarding should do the job. 




Thanks for any help you can provide!


Regards,



Peter


_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users



_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Reply via email to