kops/docs/bastion.md

Bastion in Kops

A bastion provides an external-facing point of entry into a network containing private instances. This host can serve as a single point of fortification and audit, and it can be started and stopped to enable or disable inbound SSH communication from the Internet; some call the bastion a "jump server".

Note: A bastion is set up for the cluster (by default) only when --topology="private".

AWS

Specify instance type of bastion

Instance types in AWS comprise varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your applications.

  • Defaults to t2.medium
  • Configure: the bastion instance type can be modified using kops edit cluster
topology:
    bastion:
        MachineType: c4.large

Turn on/off bastion

Turns the bastion host setup on or off completely.

  • Defaults to false if the topology selected is public
  • Defaults to true if the topology selected is private
  • Configure:
kops create cluster --bastion=[true|false]

OR using kops edit cluster

topology:
    bastion:
        Enable: true

Reach the bastion from outside the VPC using a name

  • Default: a CNAME for the bastion is only created when the user explicitly defines it using kops edit cluster
  • Configure: a friendly CNAME for the bastion can be configured using kops edit cluster
topology:
    bastion:
        PublicName: jumper

Higher idle timeout for the bastion ASG's ELB (configurable load balancer attribute)

By default, Elastic Load Balancing sets the idle timeout to 60 seconds.

  • Default: the bastion ELB created by kops has an idle timeout of 120 seconds.
  • Configure: this value can be configured using kops edit cluster
topology:
    bastion:
        IdleTimeOut: 75
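As an added example (not taken from the kops docs), the four bastion settings above collected into one cluster manifest as kops edit cluster would present them. The apiVersion, kind, metadata and the spec/topology wrapper are assumed from the kops Cluster object and the cluster name is a constructed placeholder; the bastion keys and values are the ones given on this page.

```yaml
apiVersion: kops/v1alpha2        # assumed Cluster manifest wrapper
kind: Cluster
metadata:
  name: cluster.example.com      # constructed placeholder cluster name
spec:
  topology:
    masters: private             # private topology: a bastion is created by default
    nodes: private
    bastion:
      Enable: true               # explicit here; defaults to true for a private topology
      MachineType: c4.large      # default instance type is t2.medium
      PublicName: jumper         # CNAME is created only when this is set explicitly
      IdleTimeOut: 75            # ELB idle timeout in seconds; kops default 120, AWS default 60
```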