Add firewall and security rules for Cilium/Hubble metrics

* Add firewall or security riles to allow node-to-node traffic on ports 9962-9965 for Cilium and Hubble metrics. Cilium runs with host network, so these require cloud firewall changes
2025-07-30 16:41:33 +02:00 · 2024-05-13 08:38:36 -07:00
parent 1d63592c42
commit cc80ec9b98
9 changed files with 199 additions and 12 deletions
--- a/azure/flatcar-linux/kubernetes/security.tf
+++ b/azure/flatcar-linux/kubernetes/security.tf
@ -121,7 +121,7 @@ resource "azurerm_network_security_rule" "controller-cilium-health" {

  name                         = "allow-cilium-health"
  network_security_group_name  = azurerm_network_security_group.controller.name
-  priority                     = "2019"
+  priority                     = "2018"
  access                       = "Allow"
  direction                    = "Inbound"
  protocol                     = "Tcp"
@ -131,6 +131,22 @@ resource "azurerm_network_security_rule" "controller-cilium-health" {
  destination_address_prefixes = azurerm_subnet.controller.address_prefixes
 }

+resource "azurerm_network_security_rule" "controller-cilium-metrics" {
+  resource_group_name = azurerm_resource_group.cluster.name
+  count               = var.networking == "cilium" ? 1 : 0
+
+  name                         = "allow-cilium-metrics"
+  network_security_group_name  = azurerm_network_security_group.controller.name
+  priority                     = "2019"
+  access                       = "Allow"
+  direction                    = "Inbound"
+  protocol                     = "Tcp"
+  source_port_range            = "*"
+  destination_port_range       = "9962-9965"
+  source_address_prefixes      = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes)
+  destination_address_prefixes = azurerm_subnet.controller.address_prefixes
+}
+
 resource "azurerm_network_security_rule" "controller-vxlan" {
  resource_group_name = azurerm_resource_group.cluster.name

@ -303,7 +319,7 @@ resource "azurerm_network_security_rule" "worker-cilium-health" {

  name                         = "allow-cilium-health"
  network_security_group_name  = azurerm_network_security_group.worker.name
-  priority                     = "2014"
+  priority                     = "2013"
  access                       = "Allow"
  direction                    = "Inbound"
  protocol                     = "Tcp"
@ -313,6 +329,22 @@ resource "azurerm_network_security_rule" "worker-cilium-health" {
  destination_address_prefixes = azurerm_subnet.worker.address_prefixes
 }

+resource "azurerm_network_security_rule" "worker-cilium-metrics" {
+  resource_group_name = azurerm_resource_group.cluster.name
+  count               = var.networking == "cilium" ? 1 : 0
+
+  name                         = "allow-cilium-metrics"
+  network_security_group_name  = azurerm_network_security_group.worker.name
+  priority                     = "2014"
+  access                       = "Allow"
+  direction                    = "Inbound"
+  protocol                     = "Tcp"
+  source_port_range            = "*"
+  destination_port_range       = "9962-9965"
+  source_address_prefixes      = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes)
+  destination_address_prefixes = azurerm_subnet.worker.address_prefixes
+}
+
 resource "azurerm_network_security_rule" "worker-vxlan" {
  resource_group_name = azurerm_resource_group.cluster.name