diff --git a/.kitchen.yml b/.kitchen.yml
index e24761646a..990647db85 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -51,6 +51,12 @@ suites:
 systems:
 - name: safer_cluster
 backend: local
+ controls:
+ - gcloud
+ - name: inspec-gcp
+ backend: gcp
+ controls:
+ - network
 - name: "simple_regional"
 driver:
 root_module_directory: test/fixtures/simple_regional
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index a4266ec9a1..2de1e4efe7 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -509,7 +509,7 @@ resource "google_container_node_pool" "pools" {
 {% endif %}
 shielded_instance_config {
- enable_secure_boot = lookup(each.value, "enable_secure_boot", false)
+ enable_secure_boot = lookup(each.value, "enable_secure_boot", false)
 enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
 }
 }
diff --git a/autogen/main/firewall.tf.tmpl b/autogen/main/firewall.tf.tmpl
index 8e53b6eee3..f722e8494e 100644
--- a/autogen/main/firewall.tf.tmpl
+++ b/autogen/main/firewall.tf.tmpl
@@ -48,9 +48,11 @@ resource "google_compute_firewall" "intra_egress" {
 allow { protocol = "esp" }
 allow { protocol = "ah" }
+ {% if not private_cluster %}
 depends_on = [
 google_container_cluster.primary,
 ]
+ {% endif %}
 }
@@ -77,8 +79,10 @@ resource "google_compute_firewall" "master_webhooks" {
 ports = var.firewall_inbound_ports
 }
+ {% if not private_cluster %}
 depends_on = [
 google_container_cluster.primary,
 ]
+ {% endif %}
 }
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index cef7a38d55..5270137dc1 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
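Review bot: The new `{% if not private_cluster %}` guards around `depends_on` in both `intra_egress` and `master_webhooks` carry no comment saying why a private cluster's firewall rules must not wait for `google_container_cluster.primary`, so the next editor cannot tell whether dropping the dependency is deliberate or a workaround. A template comment above the first guard, such as `{# private clusters: <reason the rules are created independently of the cluster> #}`, would settle that; the generated copies in modules/*private-cluster*/firewall.tf inherit the same gap. Once the dependency is gone nothing visible in the hunk orders these rules relative to the cluster, so if ordering still matters the note should also say how it is enforced (attribute references or a module-level `depends_on`, presumably). Both resource blocks start outside the hunk.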
@@ -49,6 +49,10 @@ module "gke" {
 ip_range_pods = var.ip_range_pods
 ip_range_services = var.ip_range_services
+ add_cluster_firewall_rules = var.add_cluster_firewall_rules
+ firewall_priority = var.firewall_priority
+ firewall_inbound_ports = var.firewall_inbound_ports
+
 horizontal_pod_autoscaling = var.horizontal_pod_autoscaling
 http_load_balancing = var.http_load_balancing
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index e419f63858..64dde3d743 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
@@ -342,3 +342,21 @@ variable "gce_pd_csi_driver" {
 description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
 default = true
 }
+
+variable "add_cluster_firewall_rules" {
+ type = bool
+ description = "Create additional firewall rules"
+ default = false
+}
+
+variable "firewall_priority" {
+ type = number
+ description = "Priority rule for firewall rules"
+ default = 1000
+}
+
+variable "firewall_inbound_ports" {
+ type = list(string)
+ description = "List of TCP ports for admission/webhook controllers"
+ default = ["8443", "9443", "15017"]
+}
diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf
index 6e4630a211..2533f58624 100644
--- a/examples/safer_cluster/main.tf
+++ b/examples/safer_cluster/main.tf
@@ -49,6 +49,8 @@ module "gke" {
 ip_range_services = local.svc_range_name
 compute_engine_service_account = var.compute_engine_service_account
 master_ipv4_cidr_block = "172.16.0.0/28"
+ add_cluster_firewall_rules = true
+ firewall_inbound_ports = ["9443", "15017"]
 master_authorized_networks = [
 {
diff --git a/modules/beta-private-cluster-update-variant/firewall.tf b/modules/beta-private-cluster-update-variant/firewall.tf
index 0d0fa07186..a3eef6b58c 100644
--- a/modules/beta-private-cluster-update-variant/firewall.tf
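Review bot: The description of `add_cluster_firewall_rules`, `Create additional firewall rules`, does not tell a safer-cluster user which rules they are opting into, and in the hardened module that is exactly what they need to judge; the rest of this change shows the answer (an intra-cluster egress rule and a master-to-node webhooks rule on `firewall_inbound_ports`). Suggest `description = "Create the intra-cluster egress and master-to-node webhook firewall rules (ports from firewall_inbound_ports)"`, and for the second variable `description = "Priority of the firewall rules created when add_cluster_firewall_rules is true"` in place of the awkward `Priority rule for firewall rules`. The same three blocks are repeated verbatim in modules/safer-cluster/variables.tf and modules/safer-cluster-update-variant/variables.tf, and the generated README rows render the list default as empty, so regenerating after the template fix is worth a look. If the module's minimum Terraform version allows variable `validation` blocks, a check that every `firewall_inbound_ports` entry is a port number would also stop a typo from silently producing a rule with no usable ports.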
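Review bot: `firewall_inbound_ports = ["9443", "15017"]` narrows the module default (which also includes 8443) without saying why, so readers who copy the safer_cluster example cannot tell whether the shorter list is a deliberate least-privilege choice or an oversight. A comment on the line, `# <which admission/webhook controllers listen on these ports, and why 8443 is not opened>`, would make the intent explicit; the `module "gke"` block continues outside the hunk.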
+++ b/modules/beta-private-cluster-update-variant/firewall.tf
@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {
 allow { protocol = "esp" }
 allow { protocol = "ah" }
- depends_on = [
- google_container_cluster.primary,
- ]
 }
@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {
 ports = var.firewall_inbound_ports
 }
- depends_on = [
- google_container_cluster.primary,
- ]
 }
diff --git a/modules/beta-private-cluster/firewall.tf b/modules/beta-private-cluster/firewall.tf
index 0d0fa07186..a3eef6b58c 100644
--- a/modules/beta-private-cluster/firewall.tf
+++ b/modules/beta-private-cluster/firewall.tf
@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {
 allow { protocol = "esp" }
 allow { protocol = "ah" }
- depends_on = [
- google_container_cluster.primary,
- ]
 }
@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {
 ports = var.firewall_inbound_ports
 }
- depends_on = [
- google_container_cluster.primary,
- ]
 }
diff --git a/modules/private-cluster-update-variant/firewall.tf b/modules/private-cluster-update-variant/firewall.tf
index 0d0fa07186..a3eef6b58c 100644
--- a/modules/private-cluster-update-variant/firewall.tf
+++ b/modules/private-cluster-update-variant/firewall.tf
@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {
 allow { protocol = "esp" }
 allow { protocol = "ah" }
- depends_on = [
- google_container_cluster.primary,
- ]
 }
@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {
 ports = var.firewall_inbound_ports
 }
- depends_on = [
- google_container_cluster.primary,
- ]
 }
diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf
index 0d0fa07186..a3eef6b58c 100644
--- a/modules/private-cluster/firewall.tf
+++ b/modules/private-cluster/firewall.tf
@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {
 allow { protocol = "esp" }
 allow { protocol = "ah" }
- depends_on = [
- google_container_cluster.primary,
- ]
 }
@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {
 ports = var.firewall_inbound_ports
 }
- depends_on = [
- google_container_cluster.primary,
- ]
 }
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index b0f48354b4..3d9a16630a 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -200,6 +200,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| add\_cluster\_firewall\_rules | Create additional firewall rules | bool | `"false"` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | `` | no |
@@ -214,6 +215,8 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
+| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `` | no |
+| firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"true"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"true"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index 7e04c87810..d259f17943 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -45,6 +45,10 @@ module "gke" {
 ip_range_pods = var.ip_range_pods
 ip_range_services = var.ip_range_services
+ add_cluster_firewall_rules = var.add_cluster_firewall_rules
+ firewall_priority = var.firewall_priority
+ firewall_inbound_ports = var.firewall_inbound_ports
+
 horizontal_pod_autoscaling = var.horizontal_pod_autoscaling
 http_load_balancing = var.http_load_balancing
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index 5ba7565314..8340f1d82a 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -342,3 +342,21 @@ variable "gce_pd_csi_driver" {
 description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
 default = true
 }
+
+variable "add_cluster_firewall_rules" {
+ type = bool
+ description = "Create additional firewall rules"
+ default = false
+}
+
+variable "firewall_priority" {
+ type = number
+ description = "Priority rule for firewall rules"
+ default = 1000
+}
+
+variable "firewall_inbound_ports" {
+ type = list(string)
+ description = "List of TCP ports for admission/webhook controllers"
+ default = ["8443", "9443", "15017"]
+}
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index b0f48354b4..3d9a16630a 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
@@ -200,6 +200,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| add\_cluster\_firewall\_rules | Create additional firewall rules | bool | `"false"` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | `` | no |
@@ -214,6 +215,8 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
+| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `` | no |
+| firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"true"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"true"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index 4e89dc1544..853919227b 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -45,6 +45,10 @@ module "gke" {
 ip_range_pods = var.ip_range_pods
 ip_range_services = var.ip_range_services
+ add_cluster_firewall_rules = var.add_cluster_firewall_rules
+ firewall_priority = var.firewall_priority
+ firewall_inbound_ports = var.firewall_inbound_ports
+
 horizontal_pod_autoscaling = var.horizontal_pod_autoscaling
 http_load_balancing = var.http_load_balancing
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index 5ba7565314..8340f1d82a 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -342,3 +342,21 @@ variable "gce_pd_csi_driver" {
 description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
 default = true
 }
+
+variable "add_cluster_firewall_rules" {
+ type = bool
+ description = "Create additional firewall rules"
+ default = false
+}
+
+variable "firewall_priority" {
+ type = number
+ description = "Priority rule for firewall rules"
+ default = 1000
+}
+
+variable "firewall_inbound_ports" {
+ type = list(string)
+ description = "List of TCP ports for admission/webhook controllers"
+ default = ["8443", "9443", "15017"]
+}
diff --git a/test/integration/safer_cluster/controls/network.rb b/test/integration/safer_cluster/controls/network.rb
new file mode 100644
index 0000000000..8c5ef13fb7
--- /dev/null
+++ b/test/integration/safer_cluster/controls/network.rb
@@ -0,0 +1,25 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+project_id = attribute('project_id')
+cluster_name = attribute('cluster_name')
+
+control "network" do
+ title "gcp network configuration"
+ describe google_compute_firewalls(project: project_id) do
+ its('firewall_names') { should include "gke-#{cluster_name[0,25]}-intra-cluster-egress" }
+ its('firewall_names') { should include "gke-#{cluster_name[0,25]}-webhooks" }
+ end
+
+end
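Review bot: The `network` control only asserts that the two rule names appear in `firewall_names`, so a regression that widens the `-webhooks` rule to every port, flips its direction or broadens its source would still pass the safer-cluster suite. Each rule should also be opened individually, e.g. `describe google_compute_firewall(project: project_id, name: "gke-#{cluster_name[0,25]}-webhooks") do`, and have its `direction`, `source_ranges` and `allowed` entries compared with what the fixture passes in (the example sets `firewall_inbound_ports = ["9443", "15017"]`). The `[0,25]` slice is a magic number as well; a comment such as `# presumably mirrors the name truncation the module applies when building rule names — confirm against firewall.tf` would tell a reader why a longer cluster name is expected to be cut here.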
diff --git a/test/integration/safer_cluster/inspec.yml b/test/integration/safer_cluster/inspec.yml
index b7174cb88e..9598176a36 100644
--- a/test/integration/safer_cluster/inspec.yml
+++ b/test/integration/safer_cluster/inspec.yml
@@ -1,4 +1,8 @@
 name: safer_cluster
+depends:
+ - name: inspec-gcp
+ git: https://github.com/inspec/inspec-gcp.git
+ tag: v0.11.0
 attributes:
 - name: project_id
 required: true
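Review bot: The new `inspec-gcp` dependency is pinned with `tag: v0.11.0`, and a git tag can be moved, so the profile that gates the safer-cluster integration test resolves to whatever that tag points at on the day the suite runs rather than to a fixed revision. Pinning to the commit instead, `ref: <commit sha that v0.11.0 points at>`, makes the test dependency reproducible; if the tag is kept for readability, recording the expected sha in a comment beside it at least lets a reviewer verify it.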