Harden internal firewall rules on DigitalOcean
* Define firewall rules on DigitalOcean to match rules used on AWS, GCP, and Azure * Output `controller_tag` and `worker_tag` to simplify custom firewall rule creation
parent
60265f9b58
commit
2a07c97538
|
@ -12,6 +12,11 @@ Notable changes between versions.
|
|||
* Output the network load balancer ARN as `nlb_id`
|
||||
* Accept a `worker_target_groups` (ARN) list to which worker instances should be added
|
||||
|
||||
#### DigitalOcean
|
||||
|
||||
* Harden internal (node-to-node) firewall rules to align with other platforms
|
||||
* Output `controller_tag` and `worker_tag` to simplify custom firewall rule creation
|
||||
|
||||
#### Google Cloud
|
||||
|
||||
* Add ability to load balance TCP/UDP applications ([#442](https://github.com/poseidon/typhoon/pull/442))
|
||||
|
|
|
@ -3,36 +3,26 @@ resource "digitalocean_firewall" "rules" {
|
|||
|
||||
tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
|
||||
|
||||
# allow ssh, apiserver, http/https ingress, and peer-to-peer traffic
|
||||
# allow ssh, internal flannel, internal node-exporter, internal kubelet
|
||||
inbound_rule = [
|
||||
{
|
||||
protocol = "tcp"
|
||||
port_range = "22"
|
||||
source_addresses = ["0.0.0.0/0", "::/0"]
|
||||
},
|
||||
{
|
||||
protocol = "tcp"
|
||||
port_range = "80"
|
||||
source_addresses = ["0.0.0.0/0", "::/0"]
|
||||
},
|
||||
{
|
||||
protocol = "tcp"
|
||||
port_range = "443"
|
||||
source_addresses = ["0.0.0.0/0", "::/0"]
|
||||
},
|
||||
{
|
||||
protocol = "tcp"
|
||||
port_range = "6443"
|
||||
source_addresses = ["0.0.0.0/0", "::/0"]
|
||||
},
|
||||
{
|
||||
protocol = "udp"
|
||||
port_range = "1-65535"
|
||||
port_range = "8472"
|
||||
source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"]
|
||||
},
|
||||
{
|
||||
protocol = "tcp"
|
||||
port_range = "1-65535"
|
||||
port_range = "9100"
|
||||
source_tags = ["${digitalocean_tag.workers.name}"]
|
||||
},
|
||||
{
|
||||
protocol = "tcp"
|
||||
port_range = "10250"
|
||||
source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"]
|
||||
},
|
||||
]
|
||||
|
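Review bot: The shared `rules` firewall now enumerates a flannel-specific port set (udp/8472 from both tags replaces the old udp 1-65535 rule, tcp/9100 from the worker tag replaces tcp 1-65535), and DigitalOcean firewalls deny anything not listed, so any other node-to-node traffic is silently dropped after this change. Whether the module lets users pick a different networking provider on this platform cannot be told from this hunk; if it does, those providers need their own rules here, and if it does not, the comment should say so, e.g. `# flannel VXLAN only; other node-to-node services need extra rules keyed on the controller/worker tags`. The tcp/9100 rule is sourced from the worker tag alone yet applies to controllers too (the firewall carries both tags), so a one-line comment naming the intended scraper, presumably a worker-hosted Prometheus, would make that asymmetry reviewable.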
@ -56,3 +46,54 @@ resource "digitalocean_firewall" "rules" {
|
|||
},
|
||||
]
|
||||
}
|
||||
|
||||
resource "digitalocean_firewall" "controllers" {
|
||||
name = "${var.cluster_name}-controllers"
|
||||
|
||||
tags = ["${var.cluster_name}-controller"]
|
||||
|
||||
# etcd, kube-apiserver, kubelet
|
||||
inbound_rule = [
|
||||
{
|
||||
protocol = "tcp"
|
||||
port_range = "2379-2380"
|
||||
source_tags = ["${digitalocean_tag.controllers.name}"]
|
||||
},
|
||||
{
|
||||
protocol = "tcp"
|
||||
port_range = "2381"
|
||||
source_tags = ["${digitalocean_tag.workers.name}"]
|
||||
},
|
||||
{
|
||||
protocol = "tcp"
|
||||
port_range = "6443"
|
||||
source_addresses = ["0.0.0.0/0", "::/0"]
|
||||
},
|
||||
]
|
||||
}
|
||||
|
||||
resource "digitalocean_firewall" "workers" {
|
||||
name = "${var.cluster_name}-workers"
|
||||
|
||||
tags = ["${var.cluster_name}-worker"]
|
||||
|
||||
# allow HTTP/HTTPS ingress
|
||||
inbound_rule = [
|
||||
{
|
||||
protocol = "tcp"
|
||||
port_range = "80"
|
||||
source_addresses = ["0.0.0.0/0", "::/0"]
|
||||
},
|
||||
{
|
||||
protocol = "tcp"
|
||||
port_range = "443"
|
||||
source_addresses = ["0.0.0.0/0", "::/0"]
|
||||
},
|
||||
{
|
||||
protocol = "tcp"
|
||||
port_range = "10254"
|
||||
source_addresses = ["0.0.0.0/0"]
|
||||
},
|
||||
]
|
||||
}
|
||||
|
||||
|
|
|
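Review bot: The tcp/10254 rule in the new `workers` firewall admits `0.0.0.0/0` with no `::/0` counterpart and no comment, which makes it the one public rule whose intent a reader cannot check: every other world-facing rule in this commit (80, 443, 6443) lists both address families, so the omission reads as an oversight rather than a decision. If 10254 is the ingress health endpoint polled by the DigitalOcean load balancer (cannot be confirmed from the hunk), state it and narrow the source should the platform publish a checker range, e.g. `# ingress health checks; IPv4-only because the LB checker source range is not known`. Separately, the comment `# etcd, kube-apiserver, kubelet` above the `controllers` rules does not match what follows: the list holds etcd 2379-2380 from controllers, tcp/2381 from workers (presumably etcd metrics) and apiserver 6443, while kubelet 10250 lives in the shared `rules` firewall; `# etcd peer/client, etcd metrics (from workers), kube-apiserver` would be accurate.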
@ -26,3 +26,16 @@ output "workers_ipv4" {
|
|||
output "workers_ipv6" {
|
||||
value = ["${digitalocean_droplet.workers.*.ipv6_address}"]
|
||||
}
|
||||
|
||||
# Outputs for custom firewalls
|
||||
|
||||
output "controller_tag" {
|
||||
description = "Tag applied to controller droplets"
|
||||
value = "${digitalocean_tag.controllers.name}"
|
||||
}
|
||||
|
||||
output "worker_tag" {
|
||||
description = "Tag applied to worker droplets"
|
||||
value = "${digitalocean_tag.workers.name}"
|
||||
}
|
||||
|
||||
|
|
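Review bot: The new outputs export `digitalocean_tag.controllers.name` and `digitalocean_tag.workers.name`, but the firewall resources added in this same commit select droplets with the literals `"${var.cluster_name}-controller"` and `"${var.cluster_name}-worker"`, so the exported tag and the tag the firewalls key on are maintained separately and can drift if the tag resources are ever renamed. Referencing the tag resources in the firewall `tags` lists, e.g. `tags = ["${digitalocean_tag.controllers.name}"]`, would tie both to one definition. The `description` strings could also tell users what the outputs are for, e.g. `"Tag applied to controller droplets; use as source_tags in custom digitalocean_firewall rules"`, since the comment `# Outputs for custom firewalls` is not visible in `terraform output`.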