diff --git a/aws/container-linux/kubernetes/security.tf b/aws/container-linux/kubernetes/security.tf
index 8104080e..2a06913c 100644
--- a/aws/container-linux/kubernetes/security.tf
+++ b/aws/container-linux/kubernetes/security.tf
@@ -31,16 +31,6 @@ resource "aws_security_group_rule" "controller-ssh" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
-resource "aws_security_group_rule" "controller-apiserver" {
- security_group_id = "${aws_security_group.controller.id}"
-
- type = "ingress"
- protocol = "tcp"
- from_port = 6443
- to_port = 6443
- cidr_blocks = ["0.0.0.0/0"]
-}
-
 resource "aws_security_group_rule" "controller-etcd" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -51,6 +41,7 @@ resource "aws_security_group_rule" "controller-etcd" {
 self = true
 }
 
+# Allow Prometheus to scrape etcd metrics
 resource "aws_security_group_rule" "controller-etcd-metrics" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -61,6 +52,16 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
 source_security_group_id = "${aws_security_group.worker.id}"
 }
 
+resource "aws_security_group_rule" "controller-apiserver" {
+ security_group_id = "${aws_security_group.controller.id}"
+
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 6443
+ to_port = 6443
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
 resource "aws_security_group_rule" "controller-flannel" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -81,6 +82,7 @@ resource "aws_security_group_rule" "controller-flannel-self" {
 self = true
 }
 
+# Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "controller-node-exporter" {
 security_group_id = "${aws_security_group.controller.id}"
 
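Review bot: The re-added `controller-apiserver` rule in the `@@ -61,6 +52,16 @@` hunk still admits 6443/tcp from `cidr_blocks = ["0.0.0.0/0"]`, yet unlike every neighbouring rule touched by this commit it gains no comment stating why the source is the whole internet rather than a cluster security group. If the API server must stay publicly reachable, say so above the block, e.g. `# Allow external clients to reach the Kubernetes API server (6443); narrow cidr_blocks where the API need not be public`; otherwise consider driving `cidr_blocks` from a variable so operators can restrict it without editing the module. The same applies to the identical hunk in aws/fedora-atomic/kubernetes/security.tf and to the moved `allow-apiserver` firewall rule (443/tcp, `source_ranges = ["0.0.0.0/0"]`) in both google-cloud network.tf files, which likewise get no comment.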
@@ -91,6 +93,7 @@ resource "aws_security_group_rule" "controller-node-exporter" {
 source_security_group_id = "${aws_security_group.worker.id}"
 }
 
+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "controller-kubelet" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -111,6 +114,7 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
 self = true
 }
 
+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "aws_security_group_rule" "controller-kubelet-read" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -273,6 +277,7 @@ resource "aws_security_group_rule" "worker-flannel-self" {
 self = true
 }
 
+# Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "worker-node-exporter" {
 security_group_id = "${aws_security_group.worker.id}"
 
@@ -293,6 +298,7 @@ resource "aws_security_group_rule" "ingress-health" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "worker-kubelet" {
 security_group_id = "${aws_security_group.worker.id}"
 
@@ -303,6 +309,7 @@ resource "aws_security_group_rule" "worker-kubelet" {
 source_security_group_id = "${aws_security_group.controller.id}"
 }
 
+# Allow Prometheus to scrape kubelet metrics
 resource "aws_security_group_rule" "worker-kubelet-self" {
 security_group_id = "${aws_security_group.worker.id}"
 
@@ -313,6 +320,7 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
 self = true
 }
 
+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "aws_security_group_rule" "worker-kubelet-read" {
 security_group_id = "${aws_security_group.worker.id}"
 
diff --git a/aws/fedora-atomic/kubernetes/security.tf b/aws/fedora-atomic/kubernetes/security.tf
index 8104080e..2a06913c 100644
--- a/aws/fedora-atomic/kubernetes/security.tf
+++ b/aws/fedora-atomic/kubernetes/security.tf
@@ -31,16 +31,6 @@ resource "aws_security_group_rule" "controller-ssh" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
-resource "aws_security_group_rule" "controller-apiserver" {
- security_group_id = "${aws_security_group.controller.id}"
-
- type = "ingress"
- protocol = "tcp"
- from_port = 6443
- to_port = 6443
- cidr_blocks = ["0.0.0.0/0"]
-}
-
 resource "aws_security_group_rule" "controller-etcd" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -51,6 +41,7 @@ resource "aws_security_group_rule" "controller-etcd" {
 self = true
 }
 
+# Allow Prometheus to scrape etcd metrics
 resource "aws_security_group_rule" "controller-etcd-metrics" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -61,6 +52,16 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
 source_security_group_id = "${aws_security_group.worker.id}"
 }
 
+resource "aws_security_group_rule" "controller-apiserver" {
+ security_group_id = "${aws_security_group.controller.id}"
+
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 6443
+ to_port = 6443
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
 resource "aws_security_group_rule" "controller-flannel" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -81,6 +82,7 @@ resource "aws_security_group_rule" "controller-flannel-self" {
 self = true
 }
 
+# Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "controller-node-exporter" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -91,6 +93,7 @@ resource "aws_security_group_rule" "controller-node-exporter" {
 source_security_group_id = "${aws_security_group.worker.id}"
 }
 
+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "controller-kubelet" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -111,6 +114,7 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
 self = true
 }
 
+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "aws_security_group_rule" "controller-kubelet-read" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -273,6 +277,7 @@ resource "aws_security_group_rule" "worker-flannel-self" {
 self = true
 }
 
+# Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "worker-node-exporter" {
 security_group_id = "${aws_security_group.worker.id}"
 
@@ -293,6 +298,7 @@ resource "aws_security_group_rule" "ingress-health" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "worker-kubelet" {
 security_group_id = "${aws_security_group.worker.id}"
 
@@ -303,6 +309,7 @@ resource "aws_security_group_rule" "worker-kubelet" {
 source_security_group_id = "${aws_security_group.controller.id}"
 }
 
+# Allow Prometheus to scrape kubelet metrics
 resource "aws_security_group_rule" "worker-kubelet-self" {
 security_group_id = "${aws_security_group.worker.id}"
 
@@ -313,6 +320,7 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
 self = true
 }
 
+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "aws_security_group_rule" "worker-kubelet-read" {
 security_group_id = "${aws_security_group.worker.id}"
 
diff --git a/google-cloud/container-linux/kubernetes/network.tf b/google-cloud/container-linux/kubernetes/network.tf
index 21f4af25..8bcaaf58 100644
--- a/google-cloud/container-linux/kubernetes/network.tf
+++ b/google-cloud/container-linux/kubernetes/network.tf
@@ -17,32 +17,6 @@ resource "google_compute_firewall" "allow-ssh" {
 target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
 
-resource "google_compute_firewall" "allow-apiserver" {
- name = "${var.cluster_name}-allow-apiserver"
- network = "${google_compute_network.network.name}"
-
- allow {
- protocol = "tcp"
- ports = [443]
- }
-
- source_ranges = ["0.0.0.0/0"]
- target_tags = ["${var.cluster_name}-controller"]
-}
-
-resource "google_compute_firewall" "allow-ingress" {
- name = "${var.cluster_name}-allow-ingress"
- network = "${google_compute_network.network.name}"
-
- allow {
- protocol = "tcp"
- ports = [80, 443]
- }
-
- source_ranges = ["0.0.0.0/0"]
- target_tags = ["${var.cluster_name}-worker"]
-}
-
 resource "google_compute_firewall" "internal-etcd" {
 name = "${var.cluster_name}-internal-etcd"
 network = "${google_compute_network.network.name}"
@@ -70,6 +44,20 @@ resource "google_compute_firewall" "internal-etcd-metrics" {
 target_tags = ["${var.cluster_name}-controller"]
 }
 
+resource "google_compute_firewall" "allow-apiserver" {
+ name = "${var.cluster_name}-allow-apiserver"
+ network = "${google_compute_network.network.name}"
+
+ allow {
+ protocol = "tcp"
+ ports = [443]
+ }
+
+ source_ranges = ["0.0.0.0/0"]
+ target_tags = ["${var.cluster_name}-controller"]
+}
+
+
 # Calico BGP and IPIP
 # https://docs.projectcalico.org/v2.5/reference/public-cloud/gce
 resource "google_compute_firewall" "internal-calico" {
@@ -121,7 +109,7 @@ resource "google_compute_firewall" "internal-node-exporter" {
 target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
 
-# kubelet API to allow apiserver exec and log or metrics scraping
+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "google_compute_firewall" "internal-kubelet" {
 name = "${var.cluster_name}-internal-kubelet"
 network = "${google_compute_network.network.name}"
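Review bot: The moved `allow-apiserver` block in the `@@ -70,6 +44,20 @@` hunk is followed by two added empty lines (`+`, `+`) before the `# Calico BGP and IPIP` context, so the new file has a double blank line at that resource boundary where every other boundary in this file uses one; drop one of the two `+` lines. The same hunk in google-cloud/fedora-atomic/kubernetes/network.tf has the identical extra blank.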
@@ -131,6 +119,7 @@ resource "google_compute_firewall" "internal-kubelet" {
 ports = [10250]
 }
 
+ # allow Prometheus to scrape kubelet metrics too
 source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
@@ -149,6 +138,7 @@ resource "google_compute_firewall" "ingress-health" {
 target_tags = ["${var.cluster_name}-worker"]
 }
 
+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "google_compute_firewall" "internal-kubelet-readonly" {
 name = "${var.cluster_name}-internal-kubelet-readonly"
 network = "${google_compute_network.network.name}"
@@ -162,6 +152,21 @@ resource "google_compute_firewall" "internal-kubelet-readonly" {
 target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
 
+# Workers
+
+resource "google_compute_firewall" "allow-ingress" {
+ name = "${var.cluster_name}-allow-ingress"
+ network = "${google_compute_network.network.name}"
+
+ allow {
+ protocol = "tcp"
+ ports = [80, 443]
+ }
+
+ source_ranges = ["0.0.0.0/0"]
+ target_tags = ["${var.cluster_name}-worker"]
+}
+
 resource "google_compute_firewall" "google-health-checks" {
 name = "${var.cluster_name}-google-health-checks"
 network = "${google_compute_network.network.name}"
diff --git a/google-cloud/fedora-atomic/kubernetes/network.tf b/google-cloud/fedora-atomic/kubernetes/network.tf
index 21f4af25..8bcaaf58 100644
--- a/google-cloud/fedora-atomic/kubernetes/network.tf
+++ b/google-cloud/fedora-atomic/kubernetes/network.tf
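Review bot: The comment added inside `internal-kubelet` in the `@@ -131,6 +119,7 @@` hunk, `# allow Prometheus to scrape kubelet metrics too`, is the only lowercase one in this commit and is placed between the `allow {}` block and `source_tags`, where it reads as describing the tags rather than the rule's purpose; the resource's header (outside this hunk) now says only that the apiserver needs access. Stating both consumers once at the header, e.g. `# Allow apiserver to access kubelets for exec, log, port-forward, and Prometheus to scrape kubelet metrics`, would explain why the worker tag appears in `source_tags` without the inline note. The same applies to the identical hunk in google-cloud/fedora-atomic/kubernetes/network.tf.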
@@ -17,32 +17,6 @@ resource "google_compute_firewall" "allow-ssh" {
 target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
 
-resource "google_compute_firewall" "allow-apiserver" {
- name = "${var.cluster_name}-allow-apiserver"
- network = "${google_compute_network.network.name}"
-
- allow {
- protocol = "tcp"
- ports = [443]
- }
-
- source_ranges = ["0.0.0.0/0"]
- target_tags = ["${var.cluster_name}-controller"]
-}
-
-resource "google_compute_firewall" "allow-ingress" {
- name = "${var.cluster_name}-allow-ingress"
- network = "${google_compute_network.network.name}"
-
- allow {
- protocol = "tcp"
- ports = [80, 443]
- }
-
- source_ranges = ["0.0.0.0/0"]
- target_tags = ["${var.cluster_name}-worker"]
-}
-
 resource "google_compute_firewall" "internal-etcd" {
 name = "${var.cluster_name}-internal-etcd"
 network = "${google_compute_network.network.name}"
@@ -70,6 +44,20 @@ resource "google_compute_firewall" "internal-etcd-metrics" {
 target_tags = ["${var.cluster_name}-controller"]
 }
 
+resource "google_compute_firewall" "allow-apiserver" {
+ name = "${var.cluster_name}-allow-apiserver"
+ network = "${google_compute_network.network.name}"
+
+ allow {
+ protocol = "tcp"
+ ports = [443]
+ }
+
+ source_ranges = ["0.0.0.0/0"]
+ target_tags = ["${var.cluster_name}-controller"]
+}
+
+
 # Calico BGP and IPIP
 # https://docs.projectcalico.org/v2.5/reference/public-cloud/gce
 resource "google_compute_firewall" "internal-calico" {
@@ -121,7 +109,7 @@ resource "google_compute_firewall" "internal-node-exporter" {
 target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
 
-# kubelet API to allow apiserver exec and log or metrics scraping
+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "google_compute_firewall" "internal-kubelet" {
 name = "${var.cluster_name}-internal-kubelet"
 network = "${google_compute_network.network.name}"
@@ -131,6 +119,7 @@ resource "google_compute_firewall" "internal-kubelet" {
 ports = [10250]
 }
 
+ # allow Prometheus to scrape kubelet metrics too
 source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
@@ -149,6 +138,7 @@ resource "google_compute_firewall" "ingress-health" {
 target_tags = ["${var.cluster_name}-worker"]
 }
 
+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "google_compute_firewall" "internal-kubelet-readonly" {
 name = "${var.cluster_name}-internal-kubelet-readonly"
 network = "${google_compute_network.network.name}"
@@ -162,6 +152,21 @@ resource "google_compute_firewall" "internal-kubelet-readonly" {
 target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
 
+# Workers
+
+resource "google_compute_firewall" "allow-ingress" {
+ name = "${var.cluster_name}-allow-ingress"
+ network = "${google_compute_network.network.name}"
+
+ allow {
+ protocol = "tcp"
+ ports = [80, 443]
+ }
+
+ source_ranges = ["0.0.0.0/0"]
+ target_tags = ["${var.cluster_name}-worker"]
+}
+
 resource "google_compute_firewall" "google-health-checks" {
 name = "${var.cluster_name}-google-health-checks"
 network = "${google_compute_network.network.name}"