mirror of
https://github.com/puppetmaster/typhoon.git
synced 2024-12-27 22:39:32 +01:00
be29f52039
* Add an `enable_aggregation` variable to enable the kube-apiserver aggregation layer for adding extension apiservers to clusters * Aggregation is **disabled** by default. Typhoon recommends you not enable aggregation. Consider whether less invasive ways to achieve your goals are possible and whether those goals are well-founded * Enabling aggregation and extension apiservers increases the attack surface of a cluster and makes extensions a part of the control plane. Admins must scrutinize and trust any extension apiserver used. * Passing a v1.14 CNCF conformance test requires aggregation be enabled. Having an option for aggregation keeps compliance, but retains the stricter security posture on default clusters
99 lines
2.4 KiB
HCL
99 lines
2.4 KiB
HCL
resource "digitalocean_firewall" "rules" {
|
|
name = "${var.cluster_name}"
|
|
|
|
tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
|
|
|
|
# allow ssh, internal flannel, internal node-exporter, internal kubelet
|
|
inbound_rule = [
|
|
{
|
|
protocol = "tcp"
|
|
port_range = "22"
|
|
source_addresses = ["0.0.0.0/0", "::/0"]
|
|
},
|
|
{
|
|
protocol = "udp"
|
|
port_range = "8472"
|
|
source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"]
|
|
},
|
|
{
|
|
protocol = "tcp"
|
|
port_range = "9100"
|
|
source_tags = ["${digitalocean_tag.workers.name}"]
|
|
},
|
|
{
|
|
protocol = "tcp"
|
|
port_range = "10250"
|
|
source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"]
|
|
},
|
|
]
|
|
|
|
# allow all outbound traffic
|
|
outbound_rule = [
|
|
{
|
|
protocol = "tcp"
|
|
port_range = "1-65535"
|
|
destination_addresses = ["0.0.0.0/0", "::/0"]
|
|
},
|
|
{
|
|
protocol = "udp"
|
|
port_range = "1-65535"
|
|
destination_addresses = ["0.0.0.0/0", "::/0"]
|
|
},
|
|
{
|
|
protocol = "icmp"
|
|
port_range = "1-65535"
|
|
destination_addresses = ["0.0.0.0/0", "::/0"]
|
|
},
|
|
]
|
|
}
|
|
|
|
resource "digitalocean_firewall" "controllers" {
|
|
name = "${var.cluster_name}-controllers"
|
|
|
|
tags = ["${var.cluster_name}-controller"]
|
|
|
|
# etcd, kube-apiserver, kubelet
|
|
inbound_rule = [
|
|
{
|
|
protocol = "tcp"
|
|
port_range = "2379-2380"
|
|
source_tags = ["${digitalocean_tag.controllers.name}"]
|
|
},
|
|
{
|
|
protocol = "tcp"
|
|
port_range = "2381"
|
|
source_tags = ["${digitalocean_tag.workers.name}"]
|
|
},
|
|
{
|
|
protocol = "tcp"
|
|
port_range = "6443"
|
|
source_addresses = ["0.0.0.0/0", "::/0"]
|
|
},
|
|
]
|
|
}
|
|
|
|
resource "digitalocean_firewall" "workers" {
|
|
name = "${var.cluster_name}-workers"
|
|
|
|
tags = ["${var.cluster_name}-worker"]
|
|
|
|
# allow HTTP/HTTPS ingress
|
|
inbound_rule = [
|
|
{
|
|
protocol = "tcp"
|
|
port_range = "80"
|
|
source_addresses = ["0.0.0.0/0", "::/0"]
|
|
},
|
|
{
|
|
protocol = "tcp"
|
|
port_range = "443"
|
|
source_addresses = ["0.0.0.0/0", "::/0"]
|
|
},
|
|
{
|
|
protocol = "tcp"
|
|
port_range = "10254"
|
|
source_addresses = ["0.0.0.0/0"]
|
|
},
|
|
]
|
|
}
|