Removing unused/deprecated security groups and ports. Updated AWS use…

…r doc. Summary: - Console security group unused, replaced along the way by Router ELB - API security group unused, no longer in use after switch to NLB - Ports 80/443 not required, console using service port and Router ELB - Master port 22623 only targeted from inside the VPC - API server only on 6443 (6444 & 6445 carryover from Tectonic) - SSH port only targeted from inside the VPC with move to private - Heapster (Port 4194) no longer used - Master port 10255 (insecure) deprecated and removed in OpenShift - Renamed 10250 to secure, because it is the secure kubelet port
wking · Feb 24, 2019 · 6c10827 · 6c10827
1 parent c09f146
commit 6c10827
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 221 deletions.
diff --git a/data/data/aws/vpc/outputs.tf b/data/data/aws/vpc/outputs.tf
@@ -18,14 +18,6 @@ output "worker_sg_id" {
   value = "${aws_security_group.worker.id}"
 }
 
-output "api_sg_id" {
-  value = "${aws_security_group.api.id}"
-}
-
-output "console_sg_id" {
-  value = "${aws_security_group.console.id}"
-}
-
 output "aws_lb_target_group_arns" {
   value = "${compact(concat(aws_lb_target_group.api_internal.*.arn, aws_lb_target_group.services.*.arn, aws_lb_target_group.api_external.*.arn))}"
 }

diff --git a/data/data/aws/vpc/sg-elb.tf b/data/data/aws/vpc/sg-elb.tf
diff --git a/data/data/aws/vpc/sg-master.tf b/data/data/aws/vpc/sg-master.tf
@@ -11,7 +11,7 @@ resource "aws_security_group_rule" "master_mcs" {
   security_group_id = "${aws_security_group.master.id}"
 
   protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
   from_port   = 22623
   to_port     = 22623
 }
@@ -41,49 +41,19 @@ resource "aws_security_group_rule" "master_ingress_ssh" {
   security_group_id = "${aws_security_group.master.id}"
 
   protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
   from_port   = 22
   to_port     = 22
 }
 
-resource "aws_security_group_rule" "master_ingress_http" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.master.id}"
-
-  protocol    = "tcp"
-  cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
-  from_port   = 80
-  to_port     = 80
-}
-
 resource "aws_security_group_rule" "master_ingress_https" {
   type              = "ingress"
   security_group_id = "${aws_security_group.master.id}"
 
   protocol    = "tcp"
   cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
   from_port   = 6443
-  to_port     = 6445
-}
-
-resource "aws_security_group_rule" "master_ingress_heapster" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.master.id}"
-
-  protocol  = "tcp"
-  from_port = 4194
-  to_port   = 4194
-  self      = true
-}
-
-resource "aws_security_group_rule" "master_ingress_heapster_from_worker" {
-  type                     = "ingress"
-  security_group_id        = "${aws_security_group.master.id}"
-  source_security_group_id = "${aws_security_group.worker.id}"
-
-  protocol  = "tcp"
-  from_port = 4194
-  to_port   = 4194
+  to_port     = 6443
 }
 
 resource "aws_security_group_rule" "master_ingress_vxlan" {
@@ -166,7 +136,7 @@ resource "aws_security_group_rule" "master_ingress_kube_controller_manager_from_
   to_port   = 10252
 }
 
-resource "aws_security_group_rule" "master_ingress_kubelet_insecure" {
+resource "aws_security_group_rule" "master_ingress_kubelet_secure" {
   type              = "ingress"
   security_group_id = "${aws_security_group.master.id}"
 
@@ -176,7 +146,7 @@ resource "aws_security_group_rule" "master_ingress_kubelet_insecure" {
   self      = true
 }
 
-resource "aws_security_group_rule" "master_ingress_kubelet_insecure_from_worker" {
+resource "aws_security_group_rule" "master_ingress_kubelet_secure_from_worker" {
   type                     = "ingress"
   security_group_id        = "${aws_security_group.master.id}"
   source_security_group_id = "${aws_security_group.worker.id}"
@@ -186,26 +156,6 @@ resource "aws_security_group_rule" "master_ingress_kubelet_insecure_from_worker"
   to_port   = 10250
 }
 
-resource "aws_security_group_rule" "master_ingress_kubelet_secure" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.master.id}"
-
-  protocol  = "tcp"
-  from_port = 10255
-  to_port   = 10255
-  self      = true
-}
-
-resource "aws_security_group_rule" "master_ingress_kubelet_secure_from_worker" {
-  type                     = "ingress"
-  security_group_id        = "${aws_security_group.master.id}"
-  source_security_group_id = "${aws_security_group.worker.id}"
-
-  protocol  = "tcp"
-  from_port = 10255
-  to_port   = 10255
-}
-
 resource "aws_security_group_rule" "master_ingress_etcd" {
   type              = "ingress"
   security_group_id = "${aws_security_group.master.id}"
@@ -235,13 +185,3 @@ resource "aws_security_group_rule" "master_ingress_services" {
   to_port   = 32767
   self      = true
 }
-
-resource "aws_security_group_rule" "master_ingress_services_from_console" {
-  type                     = "ingress"
-  security_group_id        = "${aws_security_group.master.id}"
-  source_security_group_id = "${aws_security_group.console.id}"
-
-  protocol  = "tcp"
-  from_port = 30000
-  to_port   = 32767
-}
diff --git a/data/data/aws/vpc/sg-worker.tf b/data/data/aws/vpc/sg-worker.tf
@@ -31,51 +31,11 @@ resource "aws_security_group_rule" "worker_ingress_ssh" {
   security_group_id = "${aws_security_group.worker.id}"
 
   protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
   from_port   = 22
   to_port     = 22
 }
 
-resource "aws_security_group_rule" "worker_ingress_http" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.worker.id}"
-
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
-  from_port   = 80
-  to_port     = 80
-}
-
-resource "aws_security_group_rule" "worker_ingress_https" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.worker.id}"
-
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
-  from_port   = 443
-  to_port     = 443
-}
-
-resource "aws_security_group_rule" "worker_ingress_heapster" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.worker.id}"
-
-  protocol  = "tcp"
-  from_port = 4194
-  to_port   = 4194
-  self      = true
-}
-
-resource "aws_security_group_rule" "worker_ingress_heapster_from_master" {
-  type                     = "ingress"
-  security_group_id        = "${aws_security_group.worker.id}"
-  source_security_group_id = "${aws_security_group.master.id}"
-
-  protocol  = "tcp"
-  from_port = 4194
-  to_port   = 4194
-}
-
 resource "aws_security_group_rule" "worker_ingress_vxlan" {
   type              = "ingress"
   security_group_id = "${aws_security_group.worker.id}"
@@ -136,26 +96,6 @@ resource "aws_security_group_rule" "worker_ingress_kubelet_insecure_from_master"
   to_port   = 10250
 }
 
-resource "aws_security_group_rule" "worker_ingress_kubelet_secure" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.worker.id}"
-
-  protocol  = "tcp"
-  from_port = 10255
-  to_port   = 10255
-  self      = true
-}
-
-resource "aws_security_group_rule" "worker_ingress_kubelet_secure_from_master" {
-  type                     = "ingress"
-  security_group_id        = "${aws_security_group.worker.id}"
-  source_security_group_id = "${aws_security_group.master.id}"
-
-  protocol  = "tcp"
-  from_port = 10255
-  to_port   = 10255
-}
-
 resource "aws_security_group_rule" "worker_ingress_services" {
   type              = "ingress"
   security_group_id = "${aws_security_group.worker.id}"
@@ -165,13 +105,3 @@ resource "aws_security_group_rule" "worker_ingress_services" {
   to_port   = 32767
   self      = true
 }
-
-resource "aws_security_group_rule" "worker_ingress_services_from_console" {
-  type                     = "ingress"
-  security_group_id        = "${aws_security_group.worker.id}"
-  source_security_group_id = "${aws_security_group.console.id}"
-
-  protocol  = "tcp"
-  from_port = 30000
-  to_port   = 32767
-}
diff --git a/docs/user/aws/limits.md b/docs/user/aws/limits.md
@@ -53,8 +53,13 @@ the new VPC. If you intend to create more than 20 clusters, you will need to req
 
 ## Security Groups
 
-Each cluster creates 10 distinct security groups. The default limit of 2,500 for new accounts allows for many clusters
-to be created.
+Each cluster creates 4 distinct security groups. The default limit of 2,500 for new accounts allows for many clusters
+to be created. The three security groups created by the default install are:
+
+  1. VPC default
+  1. Master
+  1. Worker
+  1. Router/Ingress
 
 ## Instance Limits