feat: add all pod_ranges to cluster firewall rules and add missing shadow rules #1480

56 changes: 52 additions & 4 deletions autogen/main/firewall.tf.tmpl
Expand Up @@ -34,11 +34,12 @@ resource "google_compute_firewall" "intra_egress" {
direction = "EGRESS"

target_tags = [local.cluster_network_tag]
destination_ranges = [
destination_ranges = concat([
local.cluster_endpoint_for_nodes,
local.cluster_subnet_cidr,
local.cluster_alias_ranges_cidr[var.ip_range_pods],
]
],
local.pod_all_ip_ranges
)

# Allow all possible protocols
allow { protocol = "tcp" }
Expand Down Expand Up @@ -143,7 +144,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
priority = var.shadow_firewall_rules_priority
direction = "INGRESS"

source_ranges = [local.cluster_alias_ranges_cidr[var.ip_range_pods]]
source_ranges = local.pod_all_ip_ranges
target_tags = [local.cluster_network_tag]

# Allow all possible protocols
Expand Down Expand Up @@ -213,3 +214,50 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
metadata = "INCLUDE_ALL_METADATA"
}
}

resource "google_compute_firewall" "shadow_allow_inkubelet" {
count = var.add_shadow_firewall_rules ? 1 : 0

name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet"
description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
project = local.network_project_id
network = var.network
priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
direction = "INGRESS"

source_ranges = local.pod_all_ip_ranges
source_tags = [local.cluster_network_tag]
target_tags = [local.cluster_network_tag]

allow {
protocol = "tcp"
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
}
}

resource "google_compute_firewall" "shadow_deny_exkubelet" {
count = var.add_shadow_firewall_rules ? 1 : 0

name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet"
description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
project = local.network_project_id
network = var.network
priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
direction = "INGRESS"

source_ranges = ["0.0.0.0/0"]
target_tags = [local.cluster_network_tag]

deny {
protocol = "tcp"
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
}
}
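Review bot: `shadow_allow_inkubelet` (priority `min(998, var.shadow_firewall_rules_priority)`) and `shadow_deny_exkubelet` (priority `min(999, var.shadow_firewall_rules_priority)`) collapse to the same priority whenever the variable is set below 998, and GCP resolves equal-priority conflicts in favour of deny, so the 0.0.0.0/0 deny on tcp/10255 would then block the node- and pod-to-kubelet traffic that the GKE-created rule at 999 allows — a behaviour change rather than a shadow. Deriving the deny priority from the allow priority keeps the ordering at every setting: `priority = min(998, var.shadow_firewall_rules_priority) + 1 # must stay behind the inkubelet shadow allow`. A comment on the deny resource should also note that it is an effective rule, not just a logging mirror: a user allow rule for 10255 at priority 999, which previously won over the GKE deny at 1000, now loses the tie to the shadow deny. The same two resources are generated verbatim into firewall.tf and both modules/beta-autopilot-*/firewall.tf, so the fix belongs in this template.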
5 changes: 5 additions & 0 deletions autogen/main/main.tf.tmpl
Expand Up @@ -86,6 +86,11 @@ locals {

cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
{% if autopilot_cluster != true %}
pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools): local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0] )) : []
{% else %}
pod_all_ip_ranges = var.add_cluster_firewall_rules ? [local.cluster_alias_ranges_cidr[var.ip_range_pods]] : []
{% endif %}

{% if autopilot_cluster != true %}
cluster_network_policy = var.network_policy ? [{
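Review bot: `local.cluster_alias_ranges_cidr[v.pod_range]` in the new `pod_all_ip_ranges` local is an unguarded map index, so a node pool whose `pod_range` names a secondary range that is not on the cluster subnet fails the plan with a generic "Invalid index" error that does not identify the pool. Silently skipping such a pool would leave its pods without the egress and shadow rules, which is the worse failure, so I would keep the hard failure and document it above the line: `# every node pool pod_range must be a secondary range of the cluster subnet; an unknown name fails the plan with "Invalid index"`. Wrapping the expression in `distinct(...)` avoids listing a range twice when a pool reuses `var.ip_range_pods`, and `for v in merge(...)` reads cleaner than the unused `k` iterator. The same expression is generated into main.tf; the autopilot variants only carry the cluster-wide range, which looks intentional since they have no node pools.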
56 changes: 52 additions & 4 deletions firewall.tf
Expand Up @@ -34,11 +34,12 @@ resource "google_compute_firewall" "intra_egress" {
direction = "EGRESS"

target_tags = [local.cluster_network_tag]
destination_ranges = [
destination_ranges = concat([
local.cluster_endpoint_for_nodes,
local.cluster_subnet_cidr,
local.cluster_alias_ranges_cidr[var.ip_range_pods],
]
],
local.pod_all_ip_ranges
)

# Allow all possible protocols
allow { protocol = "tcp" }
Expand Down Expand Up @@ -99,7 +100,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
priority = var.shadow_firewall_rules_priority
direction = "INGRESS"

source_ranges = [local.cluster_alias_ranges_cidr[var.ip_range_pods]]
source_ranges = local.pod_all_ip_ranges
target_tags = [local.cluster_network_tag]

# Allow all possible protocols
Expand Down Expand Up @@ -169,3 +170,50 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
metadata = "INCLUDE_ALL_METADATA"
}
}

resource "google_compute_firewall" "shadow_allow_inkubelet" {
count = var.add_shadow_firewall_rules ? 1 : 0

name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet"
description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
project = local.network_project_id
network = var.network
priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
direction = "INGRESS"

source_ranges = local.pod_all_ip_ranges
source_tags = [local.cluster_network_tag]
target_tags = [local.cluster_network_tag]

allow {
protocol = "tcp"
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
}
}

resource "google_compute_firewall" "shadow_deny_exkubelet" {
count = var.add_shadow_firewall_rules ? 1 : 0

name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet"
description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
project = local.network_project_id
network = var.network
priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
direction = "INGRESS"

source_ranges = ["0.0.0.0/0"]
target_tags = [local.cluster_network_tag]

deny {
protocol = "tcp"
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
}
}
1 change: 1 addition & 0 deletions main.tf
Expand Up @@ -73,6 +73,7 @@ locals {

cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : []

cluster_network_policy = var.network_policy ? [{
enabled = true
56 changes: 52 additions & 4 deletions modules/beta-autopilot-private-cluster/firewall.tf
Expand Up @@ -34,11 +34,12 @@ resource "google_compute_firewall" "intra_egress" {
direction = "EGRESS"

target_tags = [local.cluster_network_tag]
destination_ranges = [
destination_ranges = concat([
local.cluster_endpoint_for_nodes,
local.cluster_subnet_cidr,
local.cluster_alias_ranges_cidr[var.ip_range_pods],
]
],
local.pod_all_ip_ranges
)

# Allow all possible protocols
allow { protocol = "tcp" }
Expand Down Expand Up @@ -126,7 +127,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
priority = var.shadow_firewall_rules_priority
direction = "INGRESS"

source_ranges = [local.cluster_alias_ranges_cidr[var.ip_range_pods]]
source_ranges = local.pod_all_ip_ranges
target_tags = [local.cluster_network_tag]

# Allow all possible protocols
Expand Down Expand Up @@ -196,3 +197,50 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
metadata = "INCLUDE_ALL_METADATA"
}
}

resource "google_compute_firewall" "shadow_allow_inkubelet" {
count = var.add_shadow_firewall_rules ? 1 : 0

name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet"
description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
project = local.network_project_id
network = var.network
priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
direction = "INGRESS"

source_ranges = local.pod_all_ip_ranges
source_tags = [local.cluster_network_tag]
target_tags = [local.cluster_network_tag]

allow {
protocol = "tcp"
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
}
}

resource "google_compute_firewall" "shadow_deny_exkubelet" {
count = var.add_shadow_firewall_rules ? 1 : 0

name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet"
description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
project = local.network_project_id
network = var.network
priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
direction = "INGRESS"

source_ranges = ["0.0.0.0/0"]
target_tags = [local.cluster_network_tag]

deny {
protocol = "tcp"
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
}
}
1 change: 1 addition & 0 deletions modules/beta-autopilot-private-cluster/main.tf
Expand Up @@ -60,6 +60,7 @@ locals {

cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
pod_all_ip_ranges = var.add_cluster_firewall_rules ? [local.cluster_alias_ranges_cidr[var.ip_range_pods]] : []


cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
56 changes: 52 additions & 4 deletions modules/beta-autopilot-public-cluster/firewall.tf
Expand Up @@ -34,11 +34,12 @@ resource "google_compute_firewall" "intra_egress" {
direction = "EGRESS"

target_tags = [local.cluster_network_tag]
destination_ranges = [
destination_ranges = concat([
local.cluster_endpoint_for_nodes,
local.cluster_subnet_cidr,
local.cluster_alias_ranges_cidr[var.ip_range_pods],
]
],
local.pod_all_ip_ranges
)

# Allow all possible protocols
allow { protocol = "tcp" }
Expand Down Expand Up @@ -135,7 +136,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
priority = var.shadow_firewall_rules_priority
direction = "INGRESS"

source_ranges = [local.cluster_alias_ranges_cidr[var.ip_range_pods]]
source_ranges = local.pod_all_ip_ranges
target_tags = [local.cluster_network_tag]

# Allow all possible protocols
Expand Down Expand Up @@ -205,3 +206,50 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
metadata = "INCLUDE_ALL_METADATA"
}
}

resource "google_compute_firewall" "shadow_allow_inkubelet" {
count = var.add_shadow_firewall_rules ? 1 : 0

name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet"
description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
project = local.network_project_id
network = var.network
priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
direction = "INGRESS"

source_ranges = local.pod_all_ip_ranges
source_tags = [local.cluster_network_tag]
target_tags = [local.cluster_network_tag]

allow {
protocol = "tcp"
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
}
}

resource "google_compute_firewall" "shadow_deny_exkubelet" {
count = var.add_shadow_firewall_rules ? 1 : 0

name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet"
description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
project = local.network_project_id
network = var.network
priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
direction = "INGRESS"

source_ranges = ["0.0.0.0/0"]
target_tags = [local.cluster_network_tag]

deny {
protocol = "tcp"
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
}
}
1 change: 1 addition & 0 deletions modules/beta-autopilot-public-cluster/main.tf
Expand Up @@ -60,6 +60,7 @@ locals {

cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
pod_all_ip_ranges = var.add_cluster_firewall_rules ? [local.cluster_alias_ranges_cidr[var.ip_range_pods]] : []


cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{