Merge pull request #202 from kinvolk/invidian/firewall-improvements

Packet: improve bootstrap iptables rules

assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/calico-host-protection.yaml.tmpl

@@ -3,7 +3,7 @@ clusterCIDRs:
 - ${cidr}
 %{ endfor ~}
 managementCIDRs:
-%{ for cidr in management_cidrs ~}
+%{~ for cidr in management_cidrs }
 - ${cidr}
 %{~ endfor }
 hostEndpoints:

assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/cl/controller.yaml.tmpl

@@ -267,10 +267,12 @@ storage:
           :OUTPUT ACCEPT [0:0]
           -A INPUT -i lo -j ACCEPT
           -A INPUT -p tcp --dport 22 -j ACCEPT
-          -A INPUT -p tcp --dport 179 -j ACCEPT
-          -A INPUT -p tcp --dport 2379 -j ACCEPT
-          -A INPUT -p tcp --dport 2380 -j ACCEPT
-          -A INPUT -p tcp --dport 2381 -j ACCEPT
+          # Use 10.0.0.0/8 as this is Packet private network CIDR.
+          # It will be closed more tightly via Calico, which rules are easy to update.
+          -A INPUT -s 10.0.0.0/8 -p tcp --dport 179 -j ACCEPT
+          -A INPUT -s 10.0.0.0/8 -p tcp --dport 2379 -j ACCEPT
+          -A INPUT -s 10.0.0.0/8 -p tcp --dport 2380 -j ACCEPT
+          -A INPUT -s 10.0.0.0/8 -p tcp --dport 2381 -j ACCEPT
           -A INPUT -p tcp --dport 6443 -j ACCEPT
           # With single controller node setup, the traffic from nodes to kube-apiserver may flow via either port 6443 or 7443.
           # This is because --advertise-address flag of kube-apiserver defines which IP address will be added as an endpoint
@@ -287,10 +289,10 @@ storage:
           #
           # That's why we need both port 6443 and 7443 to be opened on controller node.
           %{~ if controller_count == "1" ~}
-          -A INPUT -p tcp --dport 7443 -j ACCEPT
+          -A INPUT -s 10.0.0.0/8 -p tcp --dport 7443 -j ACCEPT
           %{~ endif }
-          -A INPUT -p tcp --dport 10250 -j ACCEPT
-          -A INPUT -p tcp --dport 10256 -j ACCEPT
+          -A INPUT -s 10.0.0.0/8 -p tcp --dport 10250 -j ACCEPT
+          -A INPUT -s 10.0.0.0/8 -p tcp --dport 10256 -j ACCEPT
           -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
           COMMIT
     - path: /var/lib/ip6tables/rules-save

assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/controllers.tf

@@ -66,36 +66,21 @@ resource "packet_device" "controllers" {
 }
 
 data "ct_config" "controller-install-ignitions" {
-  count   = var.controller_count
-  content = data.template_file.controller-install[count.index].rendered
-}
-
-data "template_file" "controller-install" {
-  count    = var.controller_count
-  template = file("${path.module}/cl/controller-install.yaml.tmpl")
-
-  vars = {
+  count = var.controller_count
+  content = templatefile("${path.module}/cl/controller-install.yaml.tmpl", {
     os_channel           = var.os_channel
     os_version           = var.os_version
     os_arch              = var.os_arch
     flatcar_linux_oem    = "packet"
     ssh_keys             = jsonencode(var.ssh_keys)
     postinstall_ignition = data.ct_config.controller-ignitions[count.index].rendered
-  }
+  })
 }
 
 data "ct_config" "controller-ignitions" {
   count    = var.controller_count
   platform = "packet"
-  content  = data.template_file.controller-configs[count.index].rendered
-  snippets = var.controller_clc_snippets
-}
-
-data "template_file" "controller-configs" {
-  count    = var.controller_count
-  template = file("${path.module}/cl/controller.yaml.tmpl")
-
-  vars = {
+  content = templatefile("${path.module}/cl/controller.yaml.tmpl", {
     os_arch = var.os_arch
     # Cannot use cyclic dependencies on controllers or their DNS records
     etcd_name            = "etcd${count.index}"
@@ -114,7 +99,8 @@ data "template_file" "controller-configs" {
     # on quay prevent us from downloading ACI correctly.
     # So it's workaround to download arm64 images until quay images could be fixed.
     image_arch_url_prefix = var.os_arch == "arm64" ? "docker://" : ""
-  }
+  })
+  snippets = var.controller_clc_snippets
 }
 
 data "template_file" "etcds" {

assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/workers/cl/worker.yaml.tmpl

@@ -316,9 +316,11 @@ storage:
           :OUTPUT ACCEPT [0:0]
           -A INPUT -i lo -j ACCEPT
           -A INPUT -p tcp --dport 22 -j ACCEPT
-          -A INPUT -p tcp --dport 179 -j ACCEPT
-          -A INPUT -p tcp --dport 10250 -j ACCEPT
-          -A INPUT -p tcp --dport 10256 -j ACCEPT
+          # Use 10.0.0.0/8 as this is Packet private network CIDR.
+          # It will be closed more tightly via Calico, which rules are easy to update.
+          -A INPUT -s 10.0.0.0/8 -p tcp --dport 179 -j ACCEPT
+          -A INPUT -s 10.0.0.0/8 -p tcp --dport 10250 -j ACCEPT
+          -A INPUT -s 10.0.0.0/8 -p tcp --dport 10256 -j ACCEPT
           -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
           COMMIT
     - path: /var/lib/ip6tables/rules-save

assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/workers/workers.tf

@@ -24,22 +24,16 @@ resource "packet_device" "nodes" {
   depends_on = [var.nodes_depend_on]
 }
 
-data "ct_config" "install-ignitions" {
-  content = data.template_file.install.rendered
-}
-
 # These configs are used for the fist boot, to run flatcar-install
-data "template_file" "install" {
-  template = file("${path.module}/cl/install.yaml.tmpl")
-
-  vars = {
+data "ct_config" "install-ignitions" {
+  content = templatefile("${path.module}/cl/install.yaml.tmpl", {
     os_channel           = var.os_channel
     os_version           = var.os_version
     os_arch              = var.os_arch
     flatcar_linux_oem    = "packet"
     ssh_keys             = jsonencode(var.ssh_keys)
     postinstall_ignition = data.ct_config.ignitions.rendered
-  }
+  })
 }
 
 resource "packet_bgp_session" "bgp" {