Sort firewall / security rules and add comments

* No functional changes to network firewalls
2024-05-28 18:36:35 +02:00 · 2018-08-21 20:52:43 -07:00 · 2018-08-21 20:52:43 -07:00 · bceec9fdf5
parent 49a9dc9b8b
commit bceec9fdf5
4 changed files with 100 additions and 74 deletions
--- a/aws/container-linux/kubernetes/security.tf
+++ b/aws/container-linux/kubernetes/security.tf
@ -31,16 +31,6 @@ resource "aws_security_group_rule" "controller-ssh" {
  cidr_blocks = ["0.0.0.0/0"]
 }

-resource "aws_security_group_rule" "controller-apiserver" {
-  security_group_id = "${aws_security_group.controller.id}"
-
-  type        = "ingress"
-  protocol    = "tcp"
-  from_port   = 6443
-  to_port     = 6443
-  cidr_blocks = ["0.0.0.0/0"]
-}
-
 resource "aws_security_group_rule" "controller-etcd" {
  security_group_id = "${aws_security_group.controller.id}"

@ -51,6 +41,7 @@ resource "aws_security_group_rule" "controller-etcd" {
  self      = true
 }

+# Allow Prometheus to scrape etcd metrics
 resource "aws_security_group_rule" "controller-etcd-metrics" {
  security_group_id = "${aws_security_group.controller.id}"

@ -61,6 +52,16 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
  source_security_group_id = "${aws_security_group.worker.id}"
 }

+resource "aws_security_group_rule" "controller-apiserver" {
+  security_group_id = "${aws_security_group.controller.id}"
+
+  type        = "ingress"
+  protocol    = "tcp"
+  from_port   = 6443
+  to_port     = 6443
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
 resource "aws_security_group_rule" "controller-flannel" {
  security_group_id = "${aws_security_group.controller.id}"

@ -81,6 +82,7 @@ resource "aws_security_group_rule" "controller-flannel-self" {
  self      = true
 }

+# Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "controller-node-exporter" {
  security_group_id = "${aws_security_group.controller.id}"

@ -91,6 +93,7 @@ resource "aws_security_group_rule" "controller-node-exporter" {
  source_security_group_id = "${aws_security_group.worker.id}"
 }

+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "controller-kubelet" {
  security_group_id = "${aws_security_group.controller.id}"

@ -111,6 +114,7 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
  self      = true
 }

+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "aws_security_group_rule" "controller-kubelet-read" {
  security_group_id = "${aws_security_group.controller.id}"

@ -273,6 +277,7 @@ resource "aws_security_group_rule" "worker-flannel-self" {
  self      = true
 }

+# Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "worker-node-exporter" {
  security_group_id = "${aws_security_group.worker.id}"

@ -293,6 +298,7 @@ resource "aws_security_group_rule" "ingress-health" {
  cidr_blocks = ["0.0.0.0/0"]
 }

+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "worker-kubelet" {
  security_group_id = "${aws_security_group.worker.id}"

@ -303,6 +309,7 @@ resource "aws_security_group_rule" "worker-kubelet" {
  source_security_group_id = "${aws_security_group.controller.id}"
 }

+# Allow Prometheus to scrape kubelet metrics
 resource "aws_security_group_rule" "worker-kubelet-self" {
  security_group_id = "${aws_security_group.worker.id}"

@ -313,6 +320,7 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
  self      = true
 }

+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "aws_security_group_rule" "worker-kubelet-read" {
  security_group_id = "${aws_security_group.worker.id}"

--- a/aws/fedora-atomic/kubernetes/security.tf
+++ b/aws/fedora-atomic/kubernetes/security.tf
@ -31,16 +31,6 @@ resource "aws_security_group_rule" "controller-ssh" {
  cidr_blocks = ["0.0.0.0/0"]
 }

-resource "aws_security_group_rule" "controller-apiserver" {
-  security_group_id = "${aws_security_group.controller.id}"
-
-  type        = "ingress"
-  protocol    = "tcp"
-  from_port   = 6443
-  to_port     = 6443
-  cidr_blocks = ["0.0.0.0/0"]
-}
-
 resource "aws_security_group_rule" "controller-etcd" {
  security_group_id = "${aws_security_group.controller.id}"

@ -51,6 +41,7 @@ resource "aws_security_group_rule" "controller-etcd" {
  self      = true
 }

+# Allow Prometheus to scrape etcd metrics
 resource "aws_security_group_rule" "controller-etcd-metrics" {
  security_group_id = "${aws_security_group.controller.id}"

@ -61,6 +52,16 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
  source_security_group_id = "${aws_security_group.worker.id}"
 }

+resource "aws_security_group_rule" "controller-apiserver" {
+  security_group_id = "${aws_security_group.controller.id}"
+
+  type        = "ingress"
+  protocol    = "tcp"
+  from_port   = 6443
+  to_port     = 6443
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
 resource "aws_security_group_rule" "controller-flannel" {
  security_group_id = "${aws_security_group.controller.id}"

@ -81,6 +82,7 @@ resource "aws_security_group_rule" "controller-flannel-self" {
  self      = true
 }

+# Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "controller-node-exporter" {
  security_group_id = "${aws_security_group.controller.id}"

@ -91,6 +93,7 @@ resource "aws_security_group_rule" "controller-node-exporter" {
  source_security_group_id = "${aws_security_group.worker.id}"
 }

+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "controller-kubelet" {
  security_group_id = "${aws_security_group.controller.id}"

@ -111,6 +114,7 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
  self      = true
 }

+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "aws_security_group_rule" "controller-kubelet-read" {
  security_group_id = "${aws_security_group.controller.id}"

@ -273,6 +277,7 @@ resource "aws_security_group_rule" "worker-flannel-self" {
  self      = true
 }

+# Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "worker-node-exporter" {
  security_group_id = "${aws_security_group.worker.id}"

@ -293,6 +298,7 @@ resource "aws_security_group_rule" "ingress-health" {
  cidr_blocks = ["0.0.0.0/0"]
 }

+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "worker-kubelet" {
  security_group_id = "${aws_security_group.worker.id}"

@ -303,6 +309,7 @@ resource "aws_security_group_rule" "worker-kubelet" {
  source_security_group_id = "${aws_security_group.controller.id}"
 }

+# Allow Prometheus to scrape kubelet metrics
 resource "aws_security_group_rule" "worker-kubelet-self" {
  security_group_id = "${aws_security_group.worker.id}"

@ -313,6 +320,7 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
  self      = true
 }

+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "aws_security_group_rule" "worker-kubelet-read" {
  security_group_id = "${aws_security_group.worker.id}"

--- a/google-cloud/container-linux/kubernetes/network.tf
+++ b/google-cloud/container-linux/kubernetes/network.tf
@ -17,32 +17,6 @@ resource "google_compute_firewall" "allow-ssh" {
  target_tags   = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }

-resource "google_compute_firewall" "allow-apiserver" {
-  name    = "${var.cluster_name}-allow-apiserver"
-  network = "${google_compute_network.network.name}"
-
-  allow {
-    protocol = "tcp"
-    ports    = [443]
-  }
-
-  source_ranges = ["0.0.0.0/0"]
-  target_tags   = ["${var.cluster_name}-controller"]
-}
-
-resource "google_compute_firewall" "allow-ingress" {
-  name    = "${var.cluster_name}-allow-ingress"
-  network = "${google_compute_network.network.name}"
-
-  allow {
-    protocol = "tcp"
-    ports    = [80, 443]
-  }
-
-  source_ranges = ["0.0.0.0/0"]
-  target_tags   = ["${var.cluster_name}-worker"]
-}
-
 resource "google_compute_firewall" "internal-etcd" {
  name    = "${var.cluster_name}-internal-etcd"
  network = "${google_compute_network.network.name}"
@ -70,6 +44,20 @@ resource "google_compute_firewall" "internal-etcd-metrics" {
  target_tags = ["${var.cluster_name}-controller"]
 }

+resource "google_compute_firewall" "allow-apiserver" {
+  name    = "${var.cluster_name}-allow-apiserver"
+  network = "${google_compute_network.network.name}"
+
+  allow {
+    protocol = "tcp"
+    ports    = [443]
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["${var.cluster_name}-controller"]
+}
+
+
 # Calico BGP and IPIP
 # https://docs.projectcalico.org/v2.5/reference/public-cloud/gce
 resource "google_compute_firewall" "internal-calico" {
@ -121,7 +109,7 @@ resource "google_compute_firewall" "internal-node-exporter" {
  target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }

-# kubelet API to allow apiserver exec and log or metrics scraping
+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "google_compute_firewall" "internal-kubelet" {
  name    = "${var.cluster_name}-internal-kubelet"
  network = "${google_compute_network.network.name}"
@ -131,6 +119,7 @@ resource "google_compute_firewall" "internal-kubelet" {
    ports    = [10250]
  }

+  # allow Prometheus to scrape kubelet metrics too
  source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
  target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
@ -149,6 +138,7 @@ resource "google_compute_firewall" "ingress-health" {
  target_tags = ["${var.cluster_name}-worker"]
 }

+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "google_compute_firewall" "internal-kubelet-readonly" {
  name    = "${var.cluster_name}-internal-kubelet-readonly"
  network = "${google_compute_network.network.name}"
@ -162,6 +152,21 @@ resource "google_compute_firewall" "internal-kubelet-readonly" {
  target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }

+# Workers
+
+resource "google_compute_firewall" "allow-ingress" {
+  name    = "${var.cluster_name}-allow-ingress"
+  network = "${google_compute_network.network.name}"
+
+  allow {
+    protocol = "tcp"
+    ports    = [80, 443]
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["${var.cluster_name}-worker"]
+}
+
 resource "google_compute_firewall" "google-health-checks" {
  name = "${var.cluster_name}-google-health-checks"
  network = "${google_compute_network.network.name}"
--- a/google-cloud/fedora-atomic/kubernetes/network.tf
+++ b/google-cloud/fedora-atomic/kubernetes/network.tf
@ -17,32 +17,6 @@ resource "google_compute_firewall" "allow-ssh" {
  target_tags   = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }

-resource "google_compute_firewall" "allow-apiserver" {
-  name    = "${var.cluster_name}-allow-apiserver"
-  network = "${google_compute_network.network.name}"
-
-  allow {
-    protocol = "tcp"
-    ports    = [443]
-  }
-
-  source_ranges = ["0.0.0.0/0"]
-  target_tags   = ["${var.cluster_name}-controller"]
-}
-
-resource "google_compute_firewall" "allow-ingress" {
-  name    = "${var.cluster_name}-allow-ingress"
-  network = "${google_compute_network.network.name}"
-
-  allow {
-    protocol = "tcp"
-    ports    = [80, 443]
-  }
-
-  source_ranges = ["0.0.0.0/0"]
-  target_tags   = ["${var.cluster_name}-worker"]
-}
-
 resource "google_compute_firewall" "internal-etcd" {
  name    = "${var.cluster_name}-internal-etcd"
  network = "${google_compute_network.network.name}"
@ -70,6 +44,20 @@ resource "google_compute_firewall" "internal-etcd-metrics" {
  target_tags = ["${var.cluster_name}-controller"]
 }

+resource "google_compute_firewall" "allow-apiserver" {
+  name    = "${var.cluster_name}-allow-apiserver"
+  network = "${google_compute_network.network.name}"
+
+  allow {
+    protocol = "tcp"
+    ports    = [443]
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["${var.cluster_name}-controller"]
+}
+
+
 # Calico BGP and IPIP
 # https://docs.projectcalico.org/v2.5/reference/public-cloud/gce
 resource "google_compute_firewall" "internal-calico" {
@ -121,7 +109,7 @@ resource "google_compute_firewall" "internal-node-exporter" {
  target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }

-# kubelet API to allow apiserver exec and log or metrics scraping
+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "google_compute_firewall" "internal-kubelet" {
  name    = "${var.cluster_name}-internal-kubelet"
  network = "${google_compute_network.network.name}"
@ -131,6 +119,7 @@ resource "google_compute_firewall" "internal-kubelet" {
    ports    = [10250]
  }

+  # allow Prometheus to scrape kubelet metrics too
  source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
  target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
@ -149,6 +138,7 @@ resource "google_compute_firewall" "ingress-health" {
  target_tags = ["${var.cluster_name}-worker"]
 }

+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "google_compute_firewall" "internal-kubelet-readonly" {
  name    = "${var.cluster_name}-internal-kubelet-readonly"
  network = "${google_compute_network.network.name}"
@ -162,6 +152,21 @@ resource "google_compute_firewall" "internal-kubelet-readonly" {
  target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }

+# Workers
+
+resource "google_compute_firewall" "allow-ingress" {
+  name    = "${var.cluster_name}-allow-ingress"
+  network = "${google_compute_network.network.name}"
+
+  allow {
+    protocol = "tcp"
+    ports    = [80, 443]
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["${var.cluster_name}-worker"]
+}
+
 resource "google_compute_firewall" "google-health-checks" {
  name = "${var.cluster_name}-google-health-checks"
  network = "${google_compute_network.network.name}"