Sort firewall / security rules and add comments

* No functional changes to network firewalls
This commit is contained in:
Dalton Hubble 2018-08-21 20:52:43 -07:00
parent 49a9dc9b8b
commit bceec9fdf5
4 changed files with 100 additions and 74 deletions

View File

@ -31,16 +31,6 @@ resource "aws_security_group_rule" "controller-ssh" {
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
resource "aws_security_group_rule" "controller-apiserver" {
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "tcp"
from_port = 6443
to_port = 6443
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "controller-etcd" { resource "aws_security_group_rule" "controller-etcd" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -51,6 +41,7 @@ resource "aws_security_group_rule" "controller-etcd" {
self = true self = true
} }
# Allow Prometheus to scrape etcd metrics
resource "aws_security_group_rule" "controller-etcd-metrics" { resource "aws_security_group_rule" "controller-etcd-metrics" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -61,6 +52,16 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
source_security_group_id = "${aws_security_group.worker.id}" source_security_group_id = "${aws_security_group.worker.id}"
} }
resource "aws_security_group_rule" "controller-apiserver" {
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "tcp"
from_port = 6443
to_port = 6443
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "controller-flannel" { resource "aws_security_group_rule" "controller-flannel" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -81,6 +82,7 @@ resource "aws_security_group_rule" "controller-flannel-self" {
self = true self = true
} }
# Allow Prometheus to scrape node-exporter daemonset
resource "aws_security_group_rule" "controller-node-exporter" { resource "aws_security_group_rule" "controller-node-exporter" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -91,6 +93,7 @@ resource "aws_security_group_rule" "controller-node-exporter" {
source_security_group_id = "${aws_security_group.worker.id}" source_security_group_id = "${aws_security_group.worker.id}"
} }
# Allow apiserver to access kubelets for exec, log, port-forward
resource "aws_security_group_rule" "controller-kubelet" { resource "aws_security_group_rule" "controller-kubelet" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -111,6 +114,7 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
self = true self = true
} }
# Allow heapster / metrics-server to scrape kubelet read-only
resource "aws_security_group_rule" "controller-kubelet-read" { resource "aws_security_group_rule" "controller-kubelet-read" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -273,6 +277,7 @@ resource "aws_security_group_rule" "worker-flannel-self" {
self = true self = true
} }
# Allow Prometheus to scrape node-exporter daemonset
resource "aws_security_group_rule" "worker-node-exporter" { resource "aws_security_group_rule" "worker-node-exporter" {
security_group_id = "${aws_security_group.worker.id}" security_group_id = "${aws_security_group.worker.id}"
@ -293,6 +298,7 @@ resource "aws_security_group_rule" "ingress-health" {
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
# Allow apiserver to access kubelets for exec, log, port-forward
resource "aws_security_group_rule" "worker-kubelet" { resource "aws_security_group_rule" "worker-kubelet" {
security_group_id = "${aws_security_group.worker.id}" security_group_id = "${aws_security_group.worker.id}"
@ -303,6 +309,7 @@ resource "aws_security_group_rule" "worker-kubelet" {
source_security_group_id = "${aws_security_group.controller.id}" source_security_group_id = "${aws_security_group.controller.id}"
} }
# Allow Prometheus to scrape kubelet metrics
resource "aws_security_group_rule" "worker-kubelet-self" { resource "aws_security_group_rule" "worker-kubelet-self" {
security_group_id = "${aws_security_group.worker.id}" security_group_id = "${aws_security_group.worker.id}"
@ -313,6 +320,7 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
self = true self = true
} }
# Allow heapster / metrics-server to scrape kubelet read-only
resource "aws_security_group_rule" "worker-kubelet-read" { resource "aws_security_group_rule" "worker-kubelet-read" {
security_group_id = "${aws_security_group.worker.id}" security_group_id = "${aws_security_group.worker.id}"

View File

@ -31,16 +31,6 @@ resource "aws_security_group_rule" "controller-ssh" {
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
resource "aws_security_group_rule" "controller-apiserver" {
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "tcp"
from_port = 6443
to_port = 6443
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "controller-etcd" { resource "aws_security_group_rule" "controller-etcd" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -51,6 +41,7 @@ resource "aws_security_group_rule" "controller-etcd" {
self = true self = true
} }
# Allow Prometheus to scrape etcd metrics
resource "aws_security_group_rule" "controller-etcd-metrics" { resource "aws_security_group_rule" "controller-etcd-metrics" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -61,6 +52,16 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
source_security_group_id = "${aws_security_group.worker.id}" source_security_group_id = "${aws_security_group.worker.id}"
} }
resource "aws_security_group_rule" "controller-apiserver" {
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "tcp"
from_port = 6443
to_port = 6443
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "controller-flannel" { resource "aws_security_group_rule" "controller-flannel" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -81,6 +82,7 @@ resource "aws_security_group_rule" "controller-flannel-self" {
self = true self = true
} }
# Allow Prometheus to scrape node-exporter daemonset
resource "aws_security_group_rule" "controller-node-exporter" { resource "aws_security_group_rule" "controller-node-exporter" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -91,6 +93,7 @@ resource "aws_security_group_rule" "controller-node-exporter" {
source_security_group_id = "${aws_security_group.worker.id}" source_security_group_id = "${aws_security_group.worker.id}"
} }
# Allow apiserver to access kubelets for exec, log, port-forward
resource "aws_security_group_rule" "controller-kubelet" { resource "aws_security_group_rule" "controller-kubelet" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -111,6 +114,7 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
self = true self = true
} }
# Allow heapster / metrics-server to scrape kubelet read-only
resource "aws_security_group_rule" "controller-kubelet-read" { resource "aws_security_group_rule" "controller-kubelet-read" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -273,6 +277,7 @@ resource "aws_security_group_rule" "worker-flannel-self" {
self = true self = true
} }
# Allow Prometheus to scrape node-exporter daemonset
resource "aws_security_group_rule" "worker-node-exporter" { resource "aws_security_group_rule" "worker-node-exporter" {
security_group_id = "${aws_security_group.worker.id}" security_group_id = "${aws_security_group.worker.id}"
@ -293,6 +298,7 @@ resource "aws_security_group_rule" "ingress-health" {
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
# Allow apiserver to access kubelets for exec, log, port-forward
resource "aws_security_group_rule" "worker-kubelet" { resource "aws_security_group_rule" "worker-kubelet" {
security_group_id = "${aws_security_group.worker.id}" security_group_id = "${aws_security_group.worker.id}"
@ -303,6 +309,7 @@ resource "aws_security_group_rule" "worker-kubelet" {
source_security_group_id = "${aws_security_group.controller.id}" source_security_group_id = "${aws_security_group.controller.id}"
} }
# Allow Prometheus to scrape kubelet metrics
resource "aws_security_group_rule" "worker-kubelet-self" { resource "aws_security_group_rule" "worker-kubelet-self" {
security_group_id = "${aws_security_group.worker.id}" security_group_id = "${aws_security_group.worker.id}"
@ -313,6 +320,7 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
self = true self = true
} }
# Allow heapster / metrics-server to scrape kubelet read-only
resource "aws_security_group_rule" "worker-kubelet-read" { resource "aws_security_group_rule" "worker-kubelet-read" {
security_group_id = "${aws_security_group.worker.id}" security_group_id = "${aws_security_group.worker.id}"

View File

@ -17,32 +17,6 @@ resource "google_compute_firewall" "allow-ssh" {
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
} }
resource "google_compute_firewall" "allow-apiserver" {
name = "${var.cluster_name}-allow-apiserver"
network = "${google_compute_network.network.name}"
allow {
protocol = "tcp"
ports = [443]
}
source_ranges = ["0.0.0.0/0"]
target_tags = ["${var.cluster_name}-controller"]
}
resource "google_compute_firewall" "allow-ingress" {
name = "${var.cluster_name}-allow-ingress"
network = "${google_compute_network.network.name}"
allow {
protocol = "tcp"
ports = [80, 443]
}
source_ranges = ["0.0.0.0/0"]
target_tags = ["${var.cluster_name}-worker"]
}
resource "google_compute_firewall" "internal-etcd" { resource "google_compute_firewall" "internal-etcd" {
name = "${var.cluster_name}-internal-etcd" name = "${var.cluster_name}-internal-etcd"
network = "${google_compute_network.network.name}" network = "${google_compute_network.network.name}"
@ -70,6 +44,20 @@ resource "google_compute_firewall" "internal-etcd-metrics" {
target_tags = ["${var.cluster_name}-controller"] target_tags = ["${var.cluster_name}-controller"]
} }
resource "google_compute_firewall" "allow-apiserver" {
name = "${var.cluster_name}-allow-apiserver"
network = "${google_compute_network.network.name}"
allow {
protocol = "tcp"
ports = [443]
}
source_ranges = ["0.0.0.0/0"]
target_tags = ["${var.cluster_name}-controller"]
}
# Calico BGP and IPIP # Calico BGP and IPIP
# https://docs.projectcalico.org/v2.5/reference/public-cloud/gce # https://docs.projectcalico.org/v2.5/reference/public-cloud/gce
resource "google_compute_firewall" "internal-calico" { resource "google_compute_firewall" "internal-calico" {
@ -121,7 +109,7 @@ resource "google_compute_firewall" "internal-node-exporter" {
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
} }
# kubelet API to allow apiserver exec and log or metrics scraping # Allow apiserver to access kubelets for exec, log, port-forward
resource "google_compute_firewall" "internal-kubelet" { resource "google_compute_firewall" "internal-kubelet" {
name = "${var.cluster_name}-internal-kubelet" name = "${var.cluster_name}-internal-kubelet"
network = "${google_compute_network.network.name}" network = "${google_compute_network.network.name}"
@ -131,6 +119,7 @@ resource "google_compute_firewall" "internal-kubelet" {
ports = [10250] ports = [10250]
} }
# allow Prometheus to scrape kubelet metrics too
source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
} }
@ -149,6 +138,7 @@ resource "google_compute_firewall" "ingress-health" {
target_tags = ["${var.cluster_name}-worker"] target_tags = ["${var.cluster_name}-worker"]
} }
# Allow heapster / metrics-server to scrape kubelet read-only
resource "google_compute_firewall" "internal-kubelet-readonly" { resource "google_compute_firewall" "internal-kubelet-readonly" {
name = "${var.cluster_name}-internal-kubelet-readonly" name = "${var.cluster_name}-internal-kubelet-readonly"
network = "${google_compute_network.network.name}" network = "${google_compute_network.network.name}"
@ -162,6 +152,21 @@ resource "google_compute_firewall" "internal-kubelet-readonly" {
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
} }
# Workers
resource "google_compute_firewall" "allow-ingress" {
name = "${var.cluster_name}-allow-ingress"
network = "${google_compute_network.network.name}"
allow {
protocol = "tcp"
ports = [80, 443]
}
source_ranges = ["0.0.0.0/0"]
target_tags = ["${var.cluster_name}-worker"]
}
resource "google_compute_firewall" "google-health-checks" { resource "google_compute_firewall" "google-health-checks" {
name = "${var.cluster_name}-google-health-checks" name = "${var.cluster_name}-google-health-checks"
network = "${google_compute_network.network.name}" network = "${google_compute_network.network.name}"

View File

@ -17,32 +17,6 @@ resource "google_compute_firewall" "allow-ssh" {
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
} }
resource "google_compute_firewall" "allow-apiserver" {
name = "${var.cluster_name}-allow-apiserver"
network = "${google_compute_network.network.name}"
allow {
protocol = "tcp"
ports = [443]
}
source_ranges = ["0.0.0.0/0"]
target_tags = ["${var.cluster_name}-controller"]
}
resource "google_compute_firewall" "allow-ingress" {
name = "${var.cluster_name}-allow-ingress"
network = "${google_compute_network.network.name}"
allow {
protocol = "tcp"
ports = [80, 443]
}
source_ranges = ["0.0.0.0/0"]
target_tags = ["${var.cluster_name}-worker"]
}
resource "google_compute_firewall" "internal-etcd" { resource "google_compute_firewall" "internal-etcd" {
name = "${var.cluster_name}-internal-etcd" name = "${var.cluster_name}-internal-etcd"
network = "${google_compute_network.network.name}" network = "${google_compute_network.network.name}"
@ -70,6 +44,20 @@ resource "google_compute_firewall" "internal-etcd-metrics" {
target_tags = ["${var.cluster_name}-controller"] target_tags = ["${var.cluster_name}-controller"]
} }
resource "google_compute_firewall" "allow-apiserver" {
name = "${var.cluster_name}-allow-apiserver"
network = "${google_compute_network.network.name}"
allow {
protocol = "tcp"
ports = [443]
}
source_ranges = ["0.0.0.0/0"]
target_tags = ["${var.cluster_name}-controller"]
}
# Calico BGP and IPIP # Calico BGP and IPIP
# https://docs.projectcalico.org/v2.5/reference/public-cloud/gce # https://docs.projectcalico.org/v2.5/reference/public-cloud/gce
resource "google_compute_firewall" "internal-calico" { resource "google_compute_firewall" "internal-calico" {
@ -121,7 +109,7 @@ resource "google_compute_firewall" "internal-node-exporter" {
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
} }
# kubelet API to allow apiserver exec and log or metrics scraping # Allow apiserver to access kubelets for exec, log, port-forward
resource "google_compute_firewall" "internal-kubelet" { resource "google_compute_firewall" "internal-kubelet" {
name = "${var.cluster_name}-internal-kubelet" name = "${var.cluster_name}-internal-kubelet"
network = "${google_compute_network.network.name}" network = "${google_compute_network.network.name}"
@ -131,6 +119,7 @@ resource "google_compute_firewall" "internal-kubelet" {
ports = [10250] ports = [10250]
} }
# allow Prometheus to scrape kubelet metrics too
source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
} }
@ -149,6 +138,7 @@ resource "google_compute_firewall" "ingress-health" {
target_tags = ["${var.cluster_name}-worker"] target_tags = ["${var.cluster_name}-worker"]
} }
# Allow heapster / metrics-server to scrape kubelet read-only
resource "google_compute_firewall" "internal-kubelet-readonly" { resource "google_compute_firewall" "internal-kubelet-readonly" {
name = "${var.cluster_name}-internal-kubelet-readonly" name = "${var.cluster_name}-internal-kubelet-readonly"
network = "${google_compute_network.network.name}" network = "${google_compute_network.network.name}"
@ -162,6 +152,21 @@ resource "google_compute_firewall" "internal-kubelet-readonly" {
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
} }
# Workers
resource "google_compute_firewall" "allow-ingress" {
name = "${var.cluster_name}-allow-ingress"
network = "${google_compute_network.network.name}"
allow {
protocol = "tcp"
ports = [80, 443]
}
source_ranges = ["0.0.0.0/0"]
target_tags = ["${var.cluster_name}-worker"]
}
resource "google_compute_firewall" "google-health-checks" { resource "google_compute_firewall" "google-health-checks" {
name = "${var.cluster_name}-google-health-checks" name = "${var.cluster_name}-google-health-checks"
network = "${google_compute_network.network.name}" network = "${google_compute_network.network.name}"