Harden internal firewall rules on DigitalOcean

* Define firewall rules on DigitialOcean to match rules used on AWS, GCP, and Azure * Output `controller_tag` and `worker_tag` to simplify custom firewall rule creation
2019-04-02 23:02:04 -07:00 · 2019-04-02 23:02:04 -07:00 · 2a07c97538
parent 60265f9b58
commit 2a07c97538
3 changed files with 77 additions and 18 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -12,6 +12,11 @@ Notable changes between versions.
  * Output the network load balancer ARN as `nlb_id`
  * Accept a `worker_target_groups` (ARN) list to which worker instances should be added
 #### DigitalOcean
 * Harden internal (node-to-node) firewall rules to align with other platforms
 * Output `controller_tag` and `worker_tag` to simplify custom firewall rule creation
 #### Google Cloud
 * Add ability to load balance TCP/UDP applications ([#442](https://github.com/poseidon/typhoon/pull/442))
--- a/digital-ocean/container-linux/kubernetes/network.tf
+++ b/digital-ocean/container-linux/kubernetes/network.tf
@ -3,36 +3,26 @@ resource "digitalocean_firewall" "rules" {
  tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
-  # allow ssh, apiserver, http/https ingress, and peer-to-peer traffic
+  # allow ssh, internal flannel, internal node-exporter, internal kubelet
  inbound_rule = [
    {
      protocol         = "tcp"
      port_range       = "22"
      source_addresses = ["0.0.0.0/0", "::/0"]
    },
    {
      protocol         = "tcp"
      port_range       = "80"
      source_addresses = ["0.0.0.0/0", "::/0"]
    },
    {
      protocol         = "tcp"
      port_range       = "443"
      source_addresses = ["0.0.0.0/0", "::/0"]
    },
    {
      protocol         = "tcp"
      port_range       = "6443"
      source_addresses = ["0.0.0.0/0", "::/0"]
    },
    {
      protocol    = "udp"
-      port_range  = "1-65535"
+      port_range  = "8472"
      source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"]
    },
    {
      protocol    = "tcp"
-      port_range  = "1-65535"
+      port_range  = "9100"
      source_tags = ["${digitalocean_tag.workers.name}"]
    },
    {
      protocol    = "tcp"
      port_range  = "10250"
      source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"]
    },
  ]
@ -56,3 +46,54 @@ resource "digitalocean_firewall" "rules" {
    },
  ]
 }
 resource "digitalocean_firewall" "controllers" {
  name = "${var.cluster_name}-controllers"
  tags = ["${var.cluster_name}-controller"]
  # etcd, kube-apiserver, kubelet
  inbound_rule = [
    {
      protocol         = "tcp"
      port_range       = "2379-2380"
      source_tags = ["${digitalocean_tag.controllers.name}"]
    },
    {
      protocol         = "tcp"
      port_range       = "2381"
      source_tags = ["${digitalocean_tag.workers.name}"]
    },
    {
      protocol         = "tcp"
      port_range       = "6443"
      source_addresses = ["0.0.0.0/0", "::/0"]
    },
  ]
 }
 resource "digitalocean_firewall" "workers" {
  name = "${var.cluster_name}-workers"
  tags = ["${var.cluster_name}-worker"]
  # allow HTTP/HTTPS ingress
  inbound_rule = [
    {
      protocol         = "tcp"
      port_range       = "80"
      source_addresses = ["0.0.0.0/0", "::/0"]
    },
    {
      protocol         = "tcp"
      port_range       = "443"
      source_addresses = ["0.0.0.0/0", "::/0"]
    },
    {
      protocol = "tcp"
      port_range = "10254"
      source_addresses = ["0.0.0.0/0"]
    },
  ]
 }
--- a/digital-ocean/container-linux/kubernetes/outputs.tf
+++ b/digital-ocean/container-linux/kubernetes/outputs.tf
@ -26,3 +26,16 @@ output "workers_ipv4" {
 output "workers_ipv6" {
  value = ["${digitalocean_droplet.workers.*.ipv6_address}"]
 }
 # Outputs for custom firewalls
 output "controller_tag" {
  description = "Tag applied to controller droplets"
  value = "${digitalocean_tag.controllers.name}"
 }
 output "worker_tag" {
  description = "Tag applied to worker droplets"
  value = "${digitalocean_tag.workers.name}"
 }