Harden internal firewall rules on DigitalOcean

* Define firewall rules on DigitalOcean to match rules used on AWS,
GCP, and Azure
* Output `controller_tag` and `worker_tag` to simplify custom firewall
rule creation
This commit is contained in:
Dalton Hubble 2019-04-02 23:02:04 -07:00
parent 60265f9b58
commit 2a07c97538
3 changed files with 77 additions and 18 deletions


@ -12,6 +12,11 @@ Notable changes between versions.
* Output the network load balancer ARN as `nlb_id` * Output the network load balancer ARN as `nlb_id`
* Accept a `worker_target_groups` (ARN) list to which worker instances should be added * Accept a `worker_target_groups` (ARN) list to which worker instances should be added
#### DigitalOcean
* Harden internal (node-to-node) firewall rules to align with other platforms
* Output `controller_tag` and `worker_tag` to simplify custom firewall rule creation
#### Google Cloud #### Google Cloud
* Add ability to load balance TCP/UDP applications ([#442](https://github.com/poseidon/typhoon/pull/442)) * Add ability to load balance TCP/UDP applications ([#442](https://github.com/poseidon/typhoon/pull/442))


@ -3,36 +3,26 @@ resource "digitalocean_firewall" "rules" {
tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
# allow ssh, apiserver, http/https ingress, and peer-to-peer traffic # allow ssh, internal flannel, internal node-exporter, internal kubelet
inbound_rule = [ inbound_rule = [
{ {
protocol = "tcp" protocol = "tcp"
port_range = "22" port_range = "22"
source_addresses = ["0.0.0.0/0", "::/0"] source_addresses = ["0.0.0.0/0", "::/0"]
}, },
{
protocol = "tcp"
port_range = "80"
source_addresses = ["0.0.0.0/0", "::/0"]
},
{
protocol = "tcp"
port_range = "443"
source_addresses = ["0.0.0.0/0", "::/0"]
},
{
protocol = "tcp"
port_range = "6443"
source_addresses = ["0.0.0.0/0", "::/0"]
},
{ {
protocol = "udp" protocol = "udp"
port_range = "1-65535" port_range = "8472"
source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"] source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"]
}, },
{ {
protocol = "tcp" protocol = "tcp"
port_range = "1-65535" port_range = "9100"
source_tags = ["${digitalocean_tag.workers.name}"]
},
{
protocol = "tcp"
port_range = "10250"
source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"] source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"]
}, },
] ]
@ -56,3 +46,54 @@ resource "digitalocean_firewall" "rules" {
}, },
] ]
} }
resource "digitalocean_firewall" "controllers" {
name = "${var.cluster_name}-controllers"
tags = ["${var.cluster_name}-controller"]
# etcd, kube-apiserver, kubelet
inbound_rule = [
{
protocol = "tcp"
port_range = "2379-2380"
source_tags = ["${digitalocean_tag.controllers.name}"]
},
{
protocol = "tcp"
port_range = "2381"
source_tags = ["${digitalocean_tag.workers.name}"]
},
{
protocol = "tcp"
port_range = "6443"
source_addresses = ["0.0.0.0/0", "::/0"]
},
]
}
resource "digitalocean_firewall" "workers" {
name = "${var.cluster_name}-workers"
tags = ["${var.cluster_name}-worker"]
# allow HTTP/HTTPS ingress
inbound_rule = [
{
protocol = "tcp"
port_range = "80"
source_addresses = ["0.0.0.0/0", "::/0"]
},
{
protocol = "tcp"
port_range = "443"
source_addresses = ["0.0.0.0/0", "::/0"]
},
{
protocol = "tcp"
port_range = "10254"
source_addresses = ["0.0.0.0/0"]
},
]
}
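Review bot: The new `workers` firewall opens TCP 10254 to `0.0.0.0/0` while the comment above it (`# allow HTTP/HTTPS ingress`) only accounts for 80/443, and unlike those two rules it omits `::/0`, so neither the purpose of the port nor the IPv4-only choice is visible from the code. 10254 is presumably the ingress controller's health-check endpoint; if its only legitimate caller is the DigitalOcean load balancer, narrowing `source_addresses` to that source (or documenting why it cannot be pinned) would keep the rule in line with the commit's hardening goal. At minimum, extend the comment to `# allow HTTP/HTTPS ingress; TCP 10254 is the ingress health check (IPv4 only, open because the LB source is not fixed)` once that reason is confirmed. The `rules` resource closed at the top of this hunk starts outside it, and its 6443 exposure in `controllers` is carried over from the old rules rather than introduced here.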


@ -26,3 +26,16 @@ output "workers_ipv4" {
output "workers_ipv6" { output "workers_ipv6" {
value = ["${digitalocean_droplet.workers.*.ipv6_address}"] value = ["${digitalocean_droplet.workers.*.ipv6_address}"]
} }
# Outputs for custom firewalls
output "controller_tag" {
description = "Tag applied to controller droplets"
value = "${digitalocean_tag.controllers.name}"
}
output "worker_tag" {
description = "Tag applied to worker droplets"
value = "${digitalocean_tag.workers.name}"
}
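Review bot: The `# Outputs for custom firewalls` comment and the two `description` strings say what the values are but not how a consumer is expected to use them, which is the whole reason the outputs were added. The values are the `digitalocean_tag` names that this module's own `digitalocean_firewall` resources pass in `tags` and `source_tags`, so the descriptions could state that directly, e.g. `description = "Tag applied to controller droplets; use in tags/source_tags of custom digitalocean_firewall rules"` and the matching wording for `worker_tag`.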