From bbf2c13eefada5f41cb89b3f40eff577d81ba3d8 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Tue, 21 Aug 2018 21:16:16 -0700
Subject: [PATCH] Remove AWS security rule allowing ICMP packets to nodes

* Deny ICMP packets for consistency across Typhoon clusters on various clouds and because there isn't much need to allow them
---
 CHANGES.md | 4 ++++
 aws/container-linux/kubernetes/security.tf | 20 --------------------
 aws/fedora-atomic/kubernetes/security.tf | 20 --------------------
 3 files changed, 4 insertions(+), 40 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index d170598b..c053a79f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -4,6 +4,10 @@ Notable changes between versions.
 
 ## Latest
 
+#### AWS
+
+* Remove firewall rule allowing ICMP packets to nodes
+
 #### Bare-Metal
 
 * Remove `controller_networkds` and `worker_networkds` variables. Use Container Linux Config snippets [#277](https://github.com/poseidon/typhoon/pull/277)
diff --git a/aws/container-linux/kubernetes/security.tf b/aws/container-linux/kubernetes/security.tf
index 2a06913c..95ba1b0c 100644
--- a/aws/container-linux/kubernetes/security.tf
+++ b/aws/container-linux/kubernetes/security.tf
@@ -11,16 +11,6 @@ resource "aws_security_group" "controller" {
 tags = "${map("Name", "${var.cluster_name}-controller")}"
 }
 
-resource "aws_security_group_rule" "controller-icmp" {
- security_group_id = "${aws_security_group.controller.id}"
-
- type = "ingress"
- protocol = "icmp"
- from_port = 0
- to_port = 0
- cidr_blocks = ["0.0.0.0/0"]
-}
-
 resource "aws_security_group_rule" "controller-ssh" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -217,16 +207,6 @@ resource "aws_security_group" "worker" {
 tags = "${map("Name", "${var.cluster_name}-worker")}"
 }
 
-resource "aws_security_group_rule" "worker-icmp" {
- security_group_id = "${aws_security_group.worker.id}"
-
- type = "ingress"
- protocol = "icmp"
- from_port = 0
- to_port = 0
- cidr_blocks = ["0.0.0.0/0"]
-}
-
 resource "aws_security_group_rule" "worker-ssh" {
 security_group_id = "${aws_security_group.worker.id}"
 
diff --git a/aws/fedora-atomic/kubernetes/security.tf b/aws/fedora-atomic/kubernetes/security.tf
index 2a06913c..95ba1b0c 100644
--- a/aws/fedora-atomic/kubernetes/security.tf
+++ b/aws/fedora-atomic/kubernetes/security.tf
@@ -11,16 +11,6 @@ resource "aws_security_group" "controller" {
 tags = "${map("Name", "${var.cluster_name}-controller")}"
 }
 
-resource "aws_security_group_rule" "controller-icmp" {
- security_group_id = "${aws_security_group.controller.id}"
-
- type = "ingress"
- protocol = "icmp"
- from_port = 0
- to_port = 0
- cidr_blocks = ["0.0.0.0/0"]
-}
-
 resource "aws_security_group_rule" "controller-ssh" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -217,16 +207,6 @@ resource "aws_security_group" "worker" {
 tags = "${map("Name", "${var.cluster_name}-worker")}"
 }
 
-resource "aws_security_group_rule" "worker-icmp" {
- security_group_id = "${aws_security_group.worker.id}"
-
- type = "ingress"
- protocol = "icmp"
- from_port = 0
- to_port = 0
- cidr_blocks = ["0.0.0.0/0"]
-}
-
 resource "aws_security_group_rule" "worker-ssh" {
 security_group_id = "${aws_security_group.worker.id}"