forked from coreos/tectonic-installer
modules/aws: tighten security groups
Currently, masters and workers share a pretty open security group. Furthermore, workers expose ingress traffic at critical k8s ports like 10250 and 10255. This fixes it by removing the common cluster default security group and specifying separate ingress/egress rules reflecting settings from the current tectonic installer. It also assigns only one security group for masters and workers. Fixes coreos#248, coreos#243, coreos#227.
Sergiusz Urbaniak committed Apr 19, 2017
1 parent 73ff290, commit 43d0c35
Showing 17 changed files with 526 additions and 206 deletions.
@@ -0,0 +1,54 @@ | ||
resource "aws_security_group" "api" { | ||
vpc_id = "${data.aws_vpc.cluster_vpc.id}" | ||
|
||
tags = "${merge(map( | ||
"Name", "${var.cluster_name}_api_sg", | ||
"KubernetesCluster", "${var.cluster_name}" | ||
), var.extra_tags)}" | ||
|
||
egress { | ||
from_port = 0 | ||
to_port = 0 | ||
protocol = "-1" | ||
self = true | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
|
||
ingress { | ||
protocol = "tcp" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
from_port = 443 | ||
to_port = 443 | ||
} | ||
} | ||
|
||
resource "aws_security_group" "console" { | ||
vpc_id = "${data.aws_vpc.cluster_vpc.id}" | ||
|
||
tags = "${merge(map( | ||
"Name", "${var.cluster_name}_console_sg", | ||
"KubernetesCluster", "${var.cluster_name}" | ||
), var.extra_tags)}" | ||
|
||
egress { | ||
from_port = 0 | ||
to_port = 0 | ||
protocol = "-1" | ||
self = true | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
|
||
ingress { | ||
protocol = "tcp" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
from_port = 80 | ||
to_port = 80 | ||
} | ||
|
||
ingress { | ||
protocol = "tcp" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
from_port = 443 | ||
to_port = 443 | ||
} | ||
} |
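Review bot: the `egress` blocks of both `api` and `console` set `self = true` next to `cidr_blocks = ["0.0.0.0/0"]`; the CIDR already covers every destination, the group itself included, so `self = true` adds nothing and should be dropped to keep the rules readable. Separately, the 443 ingress on `api` and the 80/443 ingress on `console` hardcode `cidr_blocks = ["0.0.0.0/0"]`; since the stated goal of this commit is to tighten the groups, consider taking the permitted source CIDRs from a variable (defaulting to `["0.0.0.0/0"]` so current installer behaviour is preserved) so that operators can restrict who may reach the API server and console, and add a comment on the `console` port-80 rule saying whether it exists only to serve an HTTP-to-HTTPS redirect.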
@@ -0,0 +1,52 @@ | ||
resource "aws_security_group" "etcd" { | ||
count = "${var.enable_etcd_sg}" | ||
vpc_id = "${data.aws_vpc.cluster_vpc.id}" | ||
|
||
tags = "${merge(map( | ||
"Name", "${var.cluster_name}_etcd_sg", | ||
"KubernetesCluster", "${var.cluster_name}" | ||
), var.extra_tags)}" | ||
|
||
egress { | ||
from_port = 0 | ||
to_port = 0 | ||
protocol = "-1" | ||
self = true | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
|
||
ingress { | ||
protocol = "icmp" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
from_port = 0 | ||
to_port = 0 | ||
} | ||
|
||
ingress { | ||
protocol = "tcp" | ||
from_port = 22 | ||
to_port = 22 | ||
self = true | ||
|
||
security_groups = ["${aws_security_group.master.id}"] | ||
} | ||
|
||
ingress { | ||
protocol = "tcp" | ||
from_port = 2379 | ||
to_port = 2379 | ||
self = true | ||
|
||
security_groups = [ | ||
"${aws_security_group.master.id}", | ||
"${aws_security_group.worker.id}", | ||
] | ||
} | ||
|
||
ingress { | ||
protocol = "tcp" | ||
from_port = 2380 | ||
to_port = 2380 | ||
self = true | ||
} | ||
} |
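Review bot: the ICMP ingress rule on `etcd` with `from_port = 0` and `to_port = 0` does not admit all ICMP. For `protocol = "icmp"` the AWS API treats `from_port` as the ICMP type and `to_port` as the ICMP code, so this rule permits only type 0 / code 0 (echo reply). If the intent is to let operators ping etcd nodes, echo request is type 8; if the intent is all ICMP, the values are `-1` / `-1`. Either way the source is `0.0.0.0/0`, which is wider than the rest of this file, where 22, 2379 and 2380 are scoped to `self` and the master/worker groups; scoping ICMP the same way, or to the VPC CIDR, would be consistent. Two smaller points: as in the `api`/`console` groups, `self = true` in the `egress` block is redundant next to `cidr_blocks = ["0.0.0.0/0"]`, and because the resource carries `count = "${var.enable_etcd_sg}"`, any other module code that references `aws_security_group.etcd` has to tolerate a zero count (splat or `element` forms), which deserves a comment next to the `count` line.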