This repository has been archived by the owner on Feb 5, 2020. It is now read-only.
Commit
modules/aws: tighten security groups (#264)
* modules/aws: tighten security groups

Currently masters and workers share a pretty open security group. Furthermore workers expose ingress traffic at critical k8s ports like 10250 and 10255. This fixes it by removing the common cluster default security group and specifying separate ingress/egress rules reflecting settings from the current tectonic installer. It also assigns only one security group for masters and workers.

Fixes #248, #243, #227

* Documentation/generic-platform: change flannel port to 4789

... because that one is configured and recommended since it is the IANA based one. Tools like tcpdump then decode vxlan packets natively. The old port (8472) is retained as the default port in the kernel for backwards compatibility purposes only, see [1]. Other projects also switched to the new IANA assigned port.

[1] http://lxr.free-electrons.com/source/drivers/net/vxlan.c#L43
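An added audit check (example code, not from the tectonic-installer repository) for the worker-side exposure the first bullet describes: it walks security-group rules in the shape returned by boto3's describe_security_groups() and flags the kubelet ports 10250/10255 when they are reachable from 0.0.0.0/0. The group ids and rules below are constructed samples; nothing here calls AWS.

```python
# Added illustration, not code from tectonic-installer: audit IpPermissions
# (shape of boto3 describe_security_groups()) for kubelet ports open to the world.
from typing import Dict, List

# Kubelet ports named in the commit message: 10250 (kubelet API) and 10255
# (read-only kubelet port). Neither should be reachable from the internet.
KUBELET_PORTS = (10250, 10255)
ANYWHERE = "0.0.0.0/0"


def rule_covers_port(rule: Dict, port: int) -> bool:
    """True if an IpPermissions entry applies to TCP `port` ("-1" means all)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def exposed_kubelet_ports(group: Dict) -> List[str]:
    """Findings for kubelet ports that `group` opens to 0.0.0.0/0."""
    findings = []
    for rule in group.get("IpPermissions", []):
        # Only CIDR sources are checked; UserIdGroupPairs (other security
        # groups, e.g. the masters) are the intended way to reach the kubelet.
        if not any(r.get("CidrIp") == ANYWHERE for r in rule.get("IpRanges", [])):
            continue
        for port in KUBELET_PORTS:
            if rule_covers_port(rule, port):
                findings.append(f"{group['GroupId']}: port {port} open to {ANYWHERE}")
    return findings


# Constructed samples: the old shared cluster group and a tightened worker group.
SHARED_CLUSTER_SG = {
    "GroupId": "sg-shared-example",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANYWHERE}]}],
}
TIGHTENED_WORKER_SG = {
    "GroupId": "sg-worker-example",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 10250, "ToPort": 10250,
                       "IpRanges": [],
                       "UserIdGroupPairs": [{"GroupId": "sg-master-example"}]}],
}

if __name__ == "__main__":
    for sg in (SHARED_CLUSTER_SG, TIGHTENED_WORKER_SG):
        print(sg["GroupId"], exposed_kubelet_ports(sg) or "ok")
```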
1 parent 9a72640, commit b620c16
Showing 18 changed files with 528 additions and 208 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
resource "aws_security_group" "api" { | ||
vpc_id = "${data.aws_vpc.cluster_vpc.id}" | ||
|
||
tags = "${merge(map( | ||
"Name", "${var.cluster_name}_api_sg", | ||
"KubernetesCluster", "${var.cluster_name}" | ||
), var.extra_tags)}" | ||
|
||
egress { | ||
from_port = 0 | ||
to_port = 0 | ||
protocol = "-1" | ||
self = true | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
|
||
ingress { | ||
protocol = "tcp" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
from_port = 443 | ||
to_port = 443 | ||
} | ||
} | ||
|
||
resource "aws_security_group" "console" { | ||
vpc_id = "${data.aws_vpc.cluster_vpc.id}" | ||
|
||
tags = "${merge(map( | ||
"Name", "${var.cluster_name}_console_sg", | ||
"KubernetesCluster", "${var.cluster_name}" | ||
), var.extra_tags)}" | ||
|
||
egress { | ||
from_port = 0 | ||
to_port = 0 | ||
protocol = "-1" | ||
self = true | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
|
||
ingress { | ||
protocol = "tcp" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
from_port = 80 | ||
to_port = 80 | ||
} | ||
|
||
ingress { | ||
protocol = "tcp" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
from_port = 443 | ||
to_port = 443 | ||
} | ||
} |
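Review bot: the egress blocks of both `api` and `console` pair `self = true` with `cidr_blocks = ["0.0.0.0/0"]`; the CIDR already covers every destination, so `self = true` is redundant and reads as if intra-group traffic were being specially permitted. Drop it, or add a comment if it is kept for a reason. The ingress sources are hard-coded to `0.0.0.0/0` (443 on `api`, 80 and 443 on `console`); since the commit's purpose is tightening, consider lifting these into a list variable so operators can restrict who may reach the API and console instead of editing the module. Finally, neither group sets `description`, and nothing states why `console` needs port 80 in addition to 443; a one-line comment on that ingress block would save the next reader from guessing.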