Apply GitLab SaaS IP Allowlisting for SSH
This Epic tracks the implementation of IP Allowlisting for SSH on GitLab SaaS and is a [FY23-Q2 OKR](https://gitlab.com/gitlab-org/gitlab/-/issues/360914). Limiting access to requests coming from a set of known-good IP addresses can improve security, especially when a credential theft goes unnoticed, since a stolen SSH key or token cannot be used from an address outside the allowed ranges. Until now, this restriction could only be applied to the API and UI, and SSH access was blocked entirely for groups that enabled it. After this is released, SSH will also honour the restriction and grant access only to connections originating from IP addresses in your list. Refer to https://docs.gitlab.com/ee/user/group/#restrict-group-access-by-ip-address for details.

This Epic is a stepping stone to the final goal of a [GA gitlab-sshd](https://gitlab.com/groups/gitlab-org/-/epics/5394), but also includes work specific to GitLab SaaS that does not apply to self-hosted customers.

### DRIs

- Source Code DRI: @igor.drozdov
- Infrastructure DRI: @skarbek
- IP Allowlisting Security sign-off: @jritchey @laurence.bierner

### Communication

#### Daily Status

- https://gitlab.com/gitlab-org/gitlab/-/issues/361755+

#### Slack channels

- [Rollout communication #proj_gitlab_sshd_rollout](https://gitlab.slack.com/archives/C03BWT8R4KH)
- [Rapid Action #ra-8014](https://gitlab.slack.com/archives/C03EJQKU9PE)

#### Related Issues and Epics

- https://gitlab.com/gitlab-org/gitlab/-/issues/271673+
- https://gitlab.com/groups/gitlab-org/-/epics/5219+
- https://gitlab.com/groups/gitlab-com/gl-infra/-/epics/603+
- https://gitlab.com/groups/gitlab-org/-/epics/5394+
- https://gitlab.com/groups/gitlab-org/-/epics/6523+
- https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/15702+
- https://gitlab.com/gitlab-com/gl-infra/production/-/issues/7098+
- https://gitlab.com/gitlab-org/gitlab/-/issues/362354+
- https://gitlab.com/gitlab-data/analytics/-/issues/12854+

### Security Sign Off

- https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/270+

### Action Items

- [x] Identify Infrastructure DRI - @amyphillips
- [x] Identify `gitlab-sshd + PROXY` pentest DRI - @sean_carroll
- [x] Clarify what MRs are needed to deploy PROXY to Staging @robotmay_gitlab @T4cC0re

### Implementation Plan

#### Stream 1: Rollout gitlab-sshd to production

- [x] Setup Canary test pod https://gitlab.com/gitlab-com/gl-infra/production/-/issues/7056 @skarbek
- [x] https://gitlab.com/gitlab-com/gl-infra/production/-/issues/7056+ @skarbek
- [x] Analyse captured network packets
- [x] Discussions in https://gitlab.com/gitlab-org/gitlab-shell/-/issues/559+ @igor.drozdov @jacobvosmaer
- [x] https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/624+
- [x] Rollout `gitlab-sshd` on Production Canary https://gitlab.com/groups/gitlab-com/gl-infra/-/epics/603
- [x] Rollout `gitlab-sshd` to Production `gprd` at 100% https://gitlab.com/groups/gitlab-com/gl-infra/-/epics/603

#### Stream 2: Rollout PROXY protocol

- [x] [Complete MRs to enable PROXY on Staging](https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/15702) @T4cC0re
- [x] [CR to Enable `gitlab-sshd PROXY` on Staging](https://gitlab.com/gitlab-com/gl-infra/production/-/issues/7072) @T4cC0re @ahyield
- [x] https://gitlab.com/groups/gitlab-org/-/epics/8106+ @robotmay_gitlab @nwestbury
- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/363479+ @jritchey @laurence.bierner
- [x] Merge https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89817+ (`enabled_git_access_protocol` Feature Flag = disabled)
- [x] Data update https://gitlab.com/gitlab-org/gitlab/-/issues/365164+
- [x] CR to Enable PROXY protocol on Production Canary @ahyield @T4cC0re
- [x] CR to Enable PROXY protocol on Production @ahyield @T4cC0re
- [x] Enable `enabled_git_access_protocol` Feature Flag (MR to be created @robotmay_gitlab )
- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/365030+
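### Why the PROXY protocol matters for the SSH allowlist (added example)

Behind a load balancer the SSH daemon's TCP peer is the balancer, not the client, so a per-group IP allowlist can only be enforced if the original source address is recovered from the PROXY protocol header the balancer prepends (the point of Stream 2 above). The Go program below is an added illustration written for this page, not gitlab-sshd's implementation: it parses a PROXY v1 header, checks the recovered client address against a group's CIDR allowlist, and shows the check a practitioner should insist on: the header is honoured only when the TCP peer is itself a trusted proxy, otherwise anyone who can reach the daemon directly could forge a permitted address. All addresses, CIDR ranges and function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Added example for this page, not gitlab-sshd's code: PROXY protocol v1
// parsing plus a CIDR allowlist check, with the trusted-proxy caveat.

// parseProxyV1 returns the client (source) address carried by a line such as
// "PROXY TCP4 203.0.113.5 10.0.0.7 51234 22\r\n". The "PROXY UNKNOWN" form has
// no client address and is rejected: nothing could be matched against a list.
func parseProxyV1(line string) (net.IP, error) {
	// The v1 spec caps the line at 107 bytes including the CRLF terminator.
	if len(line) > 107 || !strings.HasSuffix(line, "\r\n") {
		return nil, errors.New("proxy v1: too long or missing CRLF")
	}
	f := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if len(f) != 6 || f[0] != "PROXY" {
		return nil, errors.New("proxy v1: malformed header")
	}
	src, dst := net.ParseIP(f[2]), net.ParseIP(f[3])
	if src == nil || dst == nil {
		return nil, errors.New("proxy v1: unparsable address")
	}
	// The declared family must match the literal form of both addresses.
	v6src, v6dst := strings.Contains(f[2], ":"), strings.Contains(f[3], ":")
	switch {
	case f[1] == "TCP4" && !v6src && !v6dst, f[1] == "TCP6" && v6src && v6dst:
	default:
		return nil, errors.New("proxy v1: family does not match addresses")
	}
	for _, p := range f[4:6] {
		if n, err := strconv.Atoi(p); err != nil || n < 0 || n > 65535 {
			return nil, errors.New("proxy v1: bad port " + p)
		}
	}
	return src, nil
}

// allowlist is a set of CIDR ranges, as configured on a group.
type allowlist []*net.IPNet

func parseAllowlist(cidrs []string) (allowlist, error) {
	var al allowlist
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		al = append(al, n)
	}
	return al, nil
}

func (al allowlist) Contains(ip net.IP) bool {
	for _, n := range al {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// sshAccessAllowed is the per-group decision. peer is the daemon's TCP peer
// (the load balancer when fronted by one). The PROXY header is honoured only
// when peer is a trusted proxy; otherwise a client reaching the daemon
// directly could forge a permitted source address in a header of its own.
func sshAccessAllowed(peer net.IP, trustedProxies, group allowlist, header string) (bool, error) {
	src := peer // direct connection: the peer is the real client
	if trustedProxies.Contains(peer) {
		var err error
		if src, err = parseProxyV1(header); err != nil {
			return false, err // fail closed: trusted proxy but no usable header
		}
	}
	return group.Contains(src), nil
}

func main() {
	// Constructed sample data: one IPv4 and one IPv6 range allowed for the
	// group; PROXY headers are trusted only from the internal LB range.
	group, _ := parseAllowlist([]string{"203.0.113.0/24", "2001:db8::/32"})
	lbs, _ := parseAllowlist([]string{"10.0.0.0/8"})
	lb := net.ParseIP("10.0.0.7")
	for _, hdr := range []string{
		"PROXY TCP4 203.0.113.5 10.0.0.7 51234 22\r\n",  // allowed client behind the LB
		"PROXY TCP4 198.51.100.9 10.0.0.7 51234 22\r\n", // client outside the allowlist
		"PROXY TCP6 2001:db8::10 fd00::1 40000 22\r\n",  // allowed IPv6 client
	} {
		ok, err := sshAccessAllowed(lb, lbs, group, hdr)
		fmt.Printf("%q allowed=%v err=%v\n", strings.TrimSpace(hdr), ok, err)
	}
	// A peer outside the trusted range cannot smuggle a permitted address.
	ok, _ := sshAccessAllowed(net.ParseIP("198.51.100.9"), lbs, group,
		"PROXY TCP4 203.0.113.5 10.0.0.7 51234 22\r\n")
	fmt.Println("forged header from untrusted peer: allowed =", ok)
}
```

Two practical caveats follow from the code. First, the trusted-proxy range must be exactly the set of balancer addresses that are configured to send the header; if the daemon is also reachable directly (for example from inside the cluster), those peers must not be in the trusted set, or their own PROXY lines would be believed. Second, a trusted balancer that fails to send a header is denied rather than falling back to the balancer's own address, because that address would otherwise have to be on every group's allowlist and would match every client. The binary PROXY v2 form is not handled here; the decision logic is identical once the source address has been extracted.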