From 7ce3c497e4c6ddaf2da393d03d82b7f43ab329ee Mon Sep 17 00:00:00 2001 From: Devan Patel Date: Tue, 23 Jun 2020 05:51:33 +0100 Subject: [PATCH] feat: Add firewall support safer-cluster modules (#570) --- .kitchen.yml | 6 +++++ autogen/main/cluster.tf.tmpl | 2 +- autogen/main/firewall.tf.tmpl | 4 +++ autogen/safer-cluster/main.tf.tmpl | 4 +++ autogen/safer-cluster/variables.tf.tmpl | 18 +++++++++++++ examples/safer_cluster/main.tf | 2 ++ .../firewall.tf | 6 ----- modules/beta-private-cluster/firewall.tf | 6 ----- .../firewall.tf | 6 ----- modules/private-cluster/firewall.tf | 6 ----- .../safer-cluster-update-variant/README.md | 3 +++ modules/safer-cluster-update-variant/main.tf | 4 +++ .../safer-cluster-update-variant/variables.tf | 18 +++++++++++++ modules/safer-cluster/README.md | 3 +++ modules/safer-cluster/main.tf | 4 +++ modules/safer-cluster/variables.tf | 18 +++++++++++++ .../safer_cluster/controls/network.rb | 25 +++++++++++++++++++ test/integration/safer_cluster/inspec.yml | 4 +++ 18 files changed, 114 insertions(+), 25 deletions(-) create mode 100644 test/integration/safer_cluster/controls/network.rb diff --git a/.kitchen.yml b/.kitchen.yml index e24761646..990647db8 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -51,6 +51,12 @@ suites: systems: - name: safer_cluster backend: local + controls: + - gcloud + - name: inspec-gcp + backend: gcp + controls: + - network - name: "simple_regional" driver: root_module_directory: test/fixtures/simple_regional diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index a4266ec9a..2de1e4efe 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -509,7 +509,7 @@ resource "google_container_node_pool" "pools" { {% endif %} shielded_instance_config { - enable_secure_boot = lookup(each.value, "enable_secure_boot", false) + enable_secure_boot = lookup(each.value, "enable_secure_boot", false) enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true) } } 
diff --git a/autogen/main/firewall.tf.tmpl b/autogen/main/firewall.tf.tmpl index 8e53b6eee..f722e8494 100644 --- a/autogen/main/firewall.tf.tmpl +++ b/autogen/main/firewall.tf.tmpl @@ -48,9 +48,11 @@ resource "google_compute_firewall" "intra_egress" { allow { protocol = "esp" } allow { protocol = "ah" } + {% if not private_cluster %} depends_on = [ google_container_cluster.primary, ] + {% endif %} } @@ -77,8 +79,10 @@ resource "google_compute_firewall" "master_webhooks" { ports = var.firewall_inbound_ports } + {% if not private_cluster %} depends_on = [ google_container_cluster.primary, ] + {% endif %} } diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index cef7a38d5..5270137dc 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -49,6 +49,10 @@ module "gke" { ip_range_pods = var.ip_range_pods ip_range_services = var.ip_range_services + add_cluster_firewall_rules = var.add_cluster_firewall_rules + firewall_priority = var.firewall_priority + firewall_inbound_ports = var.firewall_inbound_ports + horizontal_pod_autoscaling = var.horizontal_pod_autoscaling http_load_balancing = var.http_load_balancing diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index e419f6385..64dde3d74 100644 --- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl 
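Review bot: The `{% if not private_cluster %}` guard around `depends_on` in `intra_egress` (and the identical one in `master_webhooks` further down) removes the explicit ordering on `google_container_cluster.primary` for private clusters only, and nothing in the hunk says why the two variants must differ; the generated private-cluster files just lose the lines. A template comment above the guard would keep the next maintainer from re-adding it, e.g. `{# private clusters: no explicit depends_on on the cluster here — <reason>; the non-private template keeps it #}`, with the reason filled in (my guess is a dependency cycle through the private variant's own network references, but nothing visible here establishes that). With the dependency gone, ordering of these rules relative to the cluster in private builds rests on whatever implicit references the resource bodies make — their `name`/`network`/`target_tags` lines are above the hunk, so confirm at least one still reads from the cluster or that the node tag is stable before the cluster exists. Both `google_compute_firewall` resource blocks start outside the hunk.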
@@ -342,3 +342,21 @@ variable "gce_pd_csi_driver" { description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver." default = true } + +variable "add_cluster_firewall_rules" { + type = bool + description = "Create additional firewall rules" + default = false +} + +variable "firewall_priority" { + type = number + description = "Priority rule for firewall rules" + default = 1000 +} + +variable "firewall_inbound_ports" { + type = list(string) + description = "List of TCP ports for admission/webhook controllers" + default = ["8443", "9443", "15017"] +} diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf index 6e4630a21..2533f5862 100644 --- a/examples/safer_cluster/main.tf +++ b/examples/safer_cluster/main.tf @@ -49,6 +49,8 @@ module "gke" { ip_range_services = local.svc_range_name compute_engine_service_account = var.compute_engine_service_account master_ipv4_cidr_block = "172.16.0.0/28" + add_cluster_firewall_rules = true + firewall_inbound_ports = ["9443", "15017"] master_authorized_networks = [ { diff --git a/modules/beta-private-cluster-update-variant/firewall.tf b/modules/beta-private-cluster-update-variant/firewall.tf index 0d0fa0718..a3eef6b58 100644 --- a/modules/beta-private-cluster-update-variant/firewall.tf +++ b/modules/beta-private-cluster-update-variant/firewall.tf @@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" { allow { protocol = "esp" } allow { protocol = "ah" } - depends_on = [ - google_container_cluster.primary, - ] } @@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" { ports = var.firewall_inbound_ports } - depends_on = [ - google_container_cluster.primary, - ] } diff --git a/modules/beta-private-cluster/firewall.tf b/modules/beta-private-cluster/firewall.tf index 0d0fa0718..a3eef6b58 100644 --- a/modules/beta-private-cluster/firewall.tf +++ b/modules/beta-private-cluster/firewall.tf 
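Review bot: The three new variable descriptions in `variables.tf.tmpl` say "additional firewall rules" without naming them, so a safer-cluster user cannot tell from the docs that enabling `add_cluster_firewall_rules` creates both the `intra_egress` and the `master_webhooks` rules, nor that `firewall_inbound_ports` is exactly what the `master_webhooks` rule opens. I would change the descriptions to `"Create the module's firewall rules: an intra-cluster egress rule and the master_webhooks ingress rule on firewall_inbound_ports"`, `"Priority of those firewall rules (GCP evaluates lower numbers first; 1000 is GCP's default)"` and `"TCP ports the master_webhooks rule opens for admission/webhook controllers — keep this to the ports your webhooks actually listen on"`. The default `["8443", "9443", "15017"]` is wider than the example in this same commit, which passes only `["9443", "15017"]`; a sentence saying why 8443 belongs in the default would help a reviewer judge the exposure. The same text is copied into the generated `modules/safer-cluster*/variables.tf`, which this commit regenerates.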
@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" { allow { protocol = "esp" } allow { protocol = "ah" } - depends_on = [ - google_container_cluster.primary, - ] } @@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" { ports = var.firewall_inbound_ports } - depends_on = [ - google_container_cluster.primary, - ] } diff --git a/modules/private-cluster-update-variant/firewall.tf b/modules/private-cluster-update-variant/firewall.tf index 0d0fa0718..a3eef6b58 100644 --- a/modules/private-cluster-update-variant/firewall.tf +++ b/modules/private-cluster-update-variant/firewall.tf @@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" { allow { protocol = "esp" } allow { protocol = "ah" } - depends_on = [ - google_container_cluster.primary, - ] } @@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" { ports = var.firewall_inbound_ports } - depends_on = [ - google_container_cluster.primary, - ] } diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf index 0d0fa0718..a3eef6b58 100644 --- a/modules/private-cluster/firewall.tf +++ b/modules/private-cluster/firewall.tf @@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" { allow { protocol = "esp" } allow { protocol = "ah" } - depends_on = [ - google_container_cluster.primary, - ] } @@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" { ports = var.firewall_inbound_ports } - depends_on = [ - google_container_cluster.primary, - ] } diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index b0f48354b..3d9a16630 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md 
@@ -200,6 +200,7 @@ For simplicity, we suggest using `roles/container.admin` and | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| +| add\_cluster\_firewall\_rules | Create additional firewall rules | bool | `"false"` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | `` | no | @@ -214,6 +215,8 @@ For simplicity, we suggest using `roles/container.admin` and | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | +| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `` | no | +| firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no | | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"true"` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"true"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | 
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index 7e04c8781..d259f1794 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -45,6 +45,10 @@ module "gke" { ip_range_pods = var.ip_range_pods ip_range_services = var.ip_range_services + add_cluster_firewall_rules = var.add_cluster_firewall_rules + firewall_priority = var.firewall_priority + firewall_inbound_ports = var.firewall_inbound_ports + horizontal_pod_autoscaling = var.horizontal_pod_autoscaling http_load_balancing = var.http_load_balancing diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index 5ba756531..8340f1d82 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -342,3 +342,21 @@ variable "gce_pd_csi_driver" { description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver." default = true } + +variable "add_cluster_firewall_rules" { + type = bool + description = "Create additional firewall rules" + default = false +} + +variable "firewall_priority" { + type = number + description = "Priority rule for firewall rules" + default = 1000 +} + +variable "firewall_inbound_ports" { + type = list(string) + description = "List of TCP ports for admission/webhook controllers" + default = ["8443", "9443", "15017"] +} diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index b0f48354b..3d9a16630 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md 
@@ -200,6 +200,7 @@ For simplicity, we suggest using `roles/container.admin` and | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| +| add\_cluster\_firewall\_rules | Create additional firewall rules | bool | `"false"` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | `` | no | @@ -214,6 +215,8 @@ For simplicity, we suggest using `roles/container.admin` and | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | +| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `` | no | +| firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no | | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"true"` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"true"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | 
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 4e89dc154..853919227 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -45,6 +45,10 @@ module "gke" { ip_range_pods = var.ip_range_pods ip_range_services = var.ip_range_services + add_cluster_firewall_rules = var.add_cluster_firewall_rules + firewall_priority = var.firewall_priority + firewall_inbound_ports = var.firewall_inbound_ports + horizontal_pod_autoscaling = var.horizontal_pod_autoscaling http_load_balancing = var.http_load_balancing diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index 5ba756531..8340f1d82 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf @@ -342,3 +342,21 @@ variable "gce_pd_csi_driver" { description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver." default = true } + +variable "add_cluster_firewall_rules" { + type = bool + description = "Create additional firewall rules" + default = false +} + +variable "firewall_priority" { + type = number + description = "Priority rule for firewall rules" + default = 1000 +} + +variable "firewall_inbound_ports" { + type = list(string) + description = "List of TCP ports for admission/webhook controllers" + default = ["8443", "9443", "15017"] +} diff --git a/test/integration/safer_cluster/controls/network.rb b/test/integration/safer_cluster/controls/network.rb new file mode 100644 index 000000000..8c5ef13fb --- /dev/null +++ b/test/integration/safer_cluster/controls/network.rb 
@@ -0,0 +1,25 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +project_id = attribute('project_id') +cluster_name = attribute('cluster_name') + +control "network" do + title "gcp network configuration" + describe google_compute_firewalls(project: project_id) do + its('firewall_names') { should include "gke-#{cluster_name[0,25]}-intra-cluster-egress" } + its('firewall_names') { should include "gke-#{cluster_name[0,25]}-webhooks" } + end + +end diff --git a/test/integration/safer_cluster/inspec.yml b/test/integration/safer_cluster/inspec.yml index b7174cb88..9598176a3 100644 --- a/test/integration/safer_cluster/inspec.yml +++ b/test/integration/safer_cluster/inspec.yml @@ -1,4 +1,8 @@ name: safer_cluster +depends: + - name: inspec-gcp + git: https://github.com/inspec/inspec-gcp.git + tag: v0.11.0 attributes: - name: project_id required: true
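Review bot: The new `network` control only checks that the two rule names appear in `firewall_names`, so a rule that exists but opens the wrong direction or ports still passes — and the ports are the property a safer-cluster test should pin. inspec-gcp's singular `google_compute_firewall` resource (present in the pinned v0.11.0, as far as I can tell) can assert direction and allowed ports on the `webhooks` rule; the expected ports below assume the kitchen fixture is `examples/safer_cluster`, which sets `firewall_inbound_ports = ["9443", "15017"]`, so adjust if the fixture differs. The `cluster_name[0,25]` truncation mirrors the module's own name shortening and is written twice, so hoist the rule name into a local. The file is new in this 2020 commit but carries a `Copyright 2019` header.
```ruby
control "network" do
  title "gcp network configuration"
  webhooks_rule = "gke-#{cluster_name[0,25]}-webhooks"

  describe google_compute_firewalls(project: project_id) do
    its('firewall_names') { should include "gke-#{cluster_name[0,25]}-intra-cluster-egress" }
    its('firewall_names') { should include webhooks_rule }
  end

  # Existence is not enough: the webhook rule must be ingress-only and
  # limited to the TCP ports the fixture configured.
  describe google_compute_firewall(project: project_id, name: webhooks_rule) do
    its('direction') { should cmp 'INGRESS' }
    its('allowed.first.ip_protocol') { should cmp 'tcp' }
    its('allowed.first.ports') { should cmp %w[9443 15017] }
  end
end
```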
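Review bot: `tag: v0.11.0` pins `inspec-gcp` to a git tag, and a tag is a mutable ref: anyone who can push to that repository can move it and silently change what the test profile executes against the project. Pin the commit the tag resolves to instead, `commit: <sha that v0.11.0 points at>`, which InSpec's `depends` supports alongside `tag`/`branch`, and keep the human-readable version in a comment above it: `# inspec-gcp v0.11.0`. The `attributes:` context that follows is unchanged by the hunk.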