From e5b63604de2c92e0f53532a96a30afbd5ae02925 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Behmo?=
Date: Mon, 29 Nov 2021 22:17:12 +0100
Subject: [PATCH] security: convert NodePort to ClusterIP for better isolation

On some providers (notably: DigitalOcean) NodePort services are not exposed to the outside world. But this is not what the Kubernetes spec describes: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types Thus, there is a risk that NodePort services are exposed to the outside world in some context. To avoid this, we convert all NodePort to ClusterIP resources.
---
 CHANGELOG-nightly.md | 1 +
 tutor/templates/k8s/services.yml | 14 +++++++-------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG-nightly.md b/CHANGELOG-nightly.md
index 665d430..d78f0e7 100644
--- a/CHANGELOG-nightly.md
+++ b/CHANGELOG-nightly.md
@@ -2,6 +2,7 @@
 Note: Breaking changes between versions are indicated by "💥".
+- [Security] On Kubernetes, convert all NodePort services to ClusterIP to guarantee network isolation from outside the cluster.
 - 💥[Improvement] Drop Python 3.5 compatibility.
 - [Bugfix] Fix docker-compose project name in development on nightly branch.
 - 💥[Bugfix] No longer track the Tutor version number in resource labels (and label selectors, which breaks the update of Deployment resources), but instead do so in resource annotations.
diff --git a/tutor/templates/k8s/services.yml b/tutor/templates/k8s/services.yml
index b768098..2e00b9b 100644
--- a/tutor/templates/k8s/services.yml
+++ b/tutor/templates/k8s/services.yml
@@ -21,7 +21,7 @@ kind: Service
 metadata:
 name: cms
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 8000
 protocol: TCP
@@ -35,7 +35,7 @@ kind: Service
 metadata:
 name: lms
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 8000
 protocol: TCP 
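Review bot: ClusterIP removes the node-level exposure for cms and lms here (and for elasticsearch, mongodb, mysql, redis and smtp in the hunks at -49 through -105 on the next line), but it does not isolate the datastore Services from other workloads inside the cluster, so the changelog wording "guarantee network isolation" overstates what a Service type alone provides; a NetworkPolicy restricting ingress on mysql, mongodb, redis, elasticsearch and smtp to the lms/cms pods would close that gap. Presumably lms and cms are fronted by an Ingress defined outside this patch; that should be confirmed, since nothing in this file publishes them any more. On an already-deployed cluster the live Service objects still carry the nodePort allocated while they were NodePort, and I am not certain an in-place apply of this manifest clears that field on every Kubernetes version, so the upgrade path is worth testing or documenting. A one-line comment above the first Service, e.g. `# ClusterIP only: NodePort Services may be reachable from outside the cluster on some providers`, would record the reason for the next editor.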
@@ -49,7 +49,7 @@ kind: Service
 metadata:
 name: elasticsearch
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 9200
 protocol: TCP
@@ -63,7 +63,7 @@ kind: Service
 metadata:
 name: mongodb
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 27017
 protocol: TCP
@@ -77,7 +77,7 @@ kind: Service
 metadata:
 name: mysql
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 3306
 protocol: TCP
@@ -91,7 +91,7 @@ kind: Service
 metadata:
 name: redis
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: {{ REDIS_PORT }}
 protocol: TCP
@@ -105,7 +105,7 @@ kind: Service
 metadata:
 name: smtp
 spec:
- type: NodePort
+ type: ClusterIP
 ports:
 - port: 8025
 protocol: TCP