[upcloud] Add firewall default deny policy and port allowlisting (#9058)
parent
ce04fdde72
commit
0d32c0d92b
|
@ -112,12 +112,26 @@ terraform destroy --var-file cluster-settings.tfvars \
|
||||||
* `size`: The size of the additional disk in GB
|
* `size`: The size of the additional disk in GB
|
||||||
* `tier`: The tier of disk to use (`maxiops` is the only one you can choose atm)
|
* `tier`: The tier of disk to use (`maxiops` is the only one you can choose atm)
|
||||||
* `firewall_enabled`: Enable firewall rules
|
* `firewall_enabled`: Enable firewall rules
|
||||||
|
* `firewall_default_deny_in`: Set the firewall to deny inbound traffic by default. Automatically adds UpCloud DNS server and NTP port allowlisting.
|
||||||
|
* `firewall_default_deny_out`: Set the firewall to deny outbound traffic by default.
|
||||||
* `master_allowed_remote_ips`: List of IP ranges that should be allowed to access API of masters
|
* `master_allowed_remote_ips`: List of IP ranges that should be allowed to access API of masters
|
||||||
* `start_address`: Start of address range to allow
|
* `start_address`: Start of address range to allow
|
||||||
* `end_address`: End of address range to allow
|
* `end_address`: End of address range to allow
|
||||||
* `k8s_allowed_remote_ips`: List of IP ranges that should be allowed SSH access to all nodes
|
* `k8s_allowed_remote_ips`: List of IP ranges that should be allowed SSH access to all nodes
|
||||||
* `start_address`: Start of address range to allow
|
* `start_address`: Start of address range to allow
|
||||||
* `end_address`: End of address range to allow
|
* `end_address`: End of address range to allow
|
||||||
|
* `master_allowed_ports`: List of port ranges that should be allowed to access the masters
|
||||||
|
* `protocol`: Protocol *(tcp|udp|icmp)*
|
||||||
|
* `port_range_min`: Start of port range to allow
|
||||||
|
* `port_range_max`: End of port range to allow
|
||||||
|
* `start_address`: Start of address range to allow
|
||||||
|
* `end_address`: End of address range to allow
|
||||||
|
* `worker_allowed_ports`: List of port ranges that should be allowed to access the workers
|
||||||
|
* `protocol`: Protocol *(tcp|udp|icmp)*
|
||||||
|
* `port_range_min`: Start of port range to allow
|
||||||
|
* `port_range_max`: End of port range to allow
|
||||||
|
* `start_address`: Start of address range to allow
|
||||||
|
* `end_address`: End of address range to allow
|
||||||
* `loadbalancer_enabled`: Enable managed load balancer
|
* `loadbalancer_enabled`: Enable managed load balancer
|
||||||
* `loadbalancer_plan`: Plan to use for load balancer *(development|production-small)*
|
* `loadbalancer_plan`: Plan to use for load balancer *(development|production-small)*
|
||||||
* `loadbalancers`: Ports to load balance and which machines to forward to. Key of this object will be used as the name of the load balancer frontends/backends
|
* `loadbalancers`: Ports to load balance and which machines to forward to. Key of this object will be used as the name of the load balancer frontends/backends
|
||||||
|
|
|
@ -95,7 +95,9 @@ machines = {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
firewall_enabled = false
|
firewall_enabled = false
|
||||||
|
firewall_default_deny_in = false
|
||||||
|
firewall_default_deny_out = false
|
||||||
|
|
||||||
master_allowed_remote_ips = [
|
master_allowed_remote_ips = [
|
||||||
{
|
{
|
||||||
|
@ -111,6 +113,9 @@ k8s_allowed_remote_ips = [
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
master_allowed_ports = []
|
||||||
|
worker_allowed_ports = []
|
||||||
|
|
||||||
loadbalancer_enabled = false
|
loadbalancer_enabled = false
|
||||||
loadbalancer_plan = "development"
|
loadbalancer_plan = "development"
|
||||||
loadbalancers = {
|
loadbalancers = {
|
||||||
|
|
|
@ -24,8 +24,12 @@ module "kubernetes" {
|
||||||
ssh_public_keys = var.ssh_public_keys
|
ssh_public_keys = var.ssh_public_keys
|
||||||
|
|
||||||
firewall_enabled = var.firewall_enabled
|
firewall_enabled = var.firewall_enabled
|
||||||
|
firewall_default_deny_in = var.firewall_default_deny_in
|
||||||
|
firewall_default_deny_out = var.firewall_default_deny_out
|
||||||
master_allowed_remote_ips = var.master_allowed_remote_ips
|
master_allowed_remote_ips = var.master_allowed_remote_ips
|
||||||
k8s_allowed_remote_ips = var.k8s_allowed_remote_ips
|
k8s_allowed_remote_ips = var.k8s_allowed_remote_ips
|
||||||
|
master_allowed_ports = var.master_allowed_ports
|
||||||
|
worker_allowed_ports = var.worker_allowed_ports
|
||||||
|
|
||||||
loadbalancer_enabled = var.loadbalancer_enabled
|
loadbalancer_enabled = var.loadbalancer_enabled
|
||||||
loadbalancer_plan = var.loadbalancer_plan
|
loadbalancer_plan = var.loadbalancer_plan
|
||||||
|
|
|
@ -228,6 +228,112 @@ resource "upcloud_firewall_rules" "master" {
|
||||||
source_address_start = "0.0.0.0"
|
source_address_start = "0.0.0.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
dynamic firewall_rule {
|
||||||
|
for_each = var.master_allowed_ports
|
||||||
|
|
||||||
|
content {
|
||||||
|
action = "accept"
|
||||||
|
comment = "Allow access on this port"
|
||||||
|
destination_port_end = firewall_rule.value.port_range_max
|
||||||
|
destination_port_start = firewall_rule.value.port_range_min
|
||||||
|
direction = "in"
|
||||||
|
family = "IPv4"
|
||||||
|
protocol = firewall_rule.value.protocol
|
||||||
|
source_address_end = firewall_rule.value.end_address
|
||||||
|
source_address_start = firewall_rule.value.start_address
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic firewall_rule {
|
||||||
|
for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
|
||||||
|
|
||||||
|
content {
|
||||||
|
action = "accept"
|
||||||
|
comment = "UpCloud DNS"
|
||||||
|
destination_port_end = "53"
|
||||||
|
destination_port_start = "53"
|
||||||
|
direction = "in"
|
||||||
|
family = "IPv4"
|
||||||
|
protocol = firewall_rule.value
|
||||||
|
source_address_end = "94.237.40.9"
|
||||||
|
source_address_start = "94.237.40.9"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic firewall_rule {
|
||||||
|
for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
|
||||||
|
|
||||||
|
content {
|
||||||
|
action = "accept"
|
||||||
|
comment = "UpCloud DNS"
|
||||||
|
destination_port_end = "53"
|
||||||
|
destination_port_start = "53"
|
||||||
|
direction = "in"
|
||||||
|
family = "IPv4"
|
||||||
|
protocol = firewall_rule.value
|
||||||
|
source_address_end = "94.237.127.9"
|
||||||
|
source_address_start = "94.237.127.9"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic firewall_rule {
|
||||||
|
for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
|
||||||
|
|
||||||
|
content {
|
||||||
|
action = "accept"
|
||||||
|
comment = "UpCloud DNS"
|
||||||
|
destination_port_end = "53"
|
||||||
|
destination_port_start = "53"
|
||||||
|
direction = "in"
|
||||||
|
family = "IPv6"
|
||||||
|
protocol = firewall_rule.value
|
||||||
|
source_address_end = "2a04:3540:53::1"
|
||||||
|
source_address_start = "2a04:3540:53::1"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic firewall_rule {
|
||||||
|
for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
|
||||||
|
|
||||||
|
content {
|
||||||
|
action = "accept"
|
||||||
|
comment = "UpCloud DNS"
|
||||||
|
destination_port_end = "53"
|
||||||
|
destination_port_start = "53"
|
||||||
|
direction = "in"
|
||||||
|
family = "IPv6"
|
||||||
|
protocol = firewall_rule.value
|
||||||
|
source_address_end = "2a04:3544:53::1"
|
||||||
|
source_address_start = "2a04:3544:53::1"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic firewall_rule {
|
||||||
|
for_each = var.firewall_default_deny_in ? ["udp"] : []
|
||||||
|
|
||||||
|
content {
|
||||||
|
action = "accept"
|
||||||
|
comment = "NTP Port"
|
||||||
|
destination_port_end = "123"
|
||||||
|
destination_port_start = "123"
|
||||||
|
direction = "in"
|
||||||
|
family = "IPv4"
|
||||||
|
protocol = firewall_rule.value
|
||||||
|
source_address_end = "255.255.255.255"
|
||||||
|
source_address_start = "0.0.0.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
firewall_rule {
|
||||||
|
action = var.firewall_default_deny_in ? "drop" : "accept"
|
||||||
|
direction = "in"
|
||||||
|
}
|
||||||
|
|
||||||
|
firewall_rule {
|
||||||
|
action = var.firewall_default_deny_out ? "drop" : "accept"
|
||||||
|
direction = "out"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "upcloud_firewall_rules" "k8s" {
|
resource "upcloud_firewall_rules" "k8s" {
|
||||||
|
@ -265,6 +371,112 @@ resource "upcloud_firewall_rules" "k8s" {
|
||||||
source_address_start = "0.0.0.0"
|
source_address_start = "0.0.0.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
dynamic firewall_rule {
|
||||||
|
for_each = var.worker_allowed_ports
|
||||||
|
|
||||||
|
content {
|
||||||
|
action = "accept"
|
||||||
|
comment = "Allow access on this port"
|
||||||
|
destination_port_end = firewall_rule.value.port_range_max
|
||||||
|
destination_port_start = firewall_rule.value.port_range_min
|
||||||
|
direction = "in"
|
||||||
|
family = "IPv4"
|
||||||
|
protocol = firewall_rule.value.protocol
|
||||||
|
source_address_end = firewall_rule.value.end_address
|
||||||
|
source_address_start = firewall_rule.value.start_address
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic firewall_rule {
|
||||||
|
for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
|
||||||
|
|
||||||
|
content {
|
||||||
|
action = "accept"
|
||||||
|
comment = "UpCloud DNS"
|
||||||
|
destination_port_end = "53"
|
||||||
|
destination_port_start = "53"
|
||||||
|
direction = "in"
|
||||||
|
family = "IPv4"
|
||||||
|
protocol = firewall_rule.value
|
||||||
|
source_address_end = "94.237.40.9"
|
||||||
|
source_address_start = "94.237.40.9"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic firewall_rule {
|
||||||
|
for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
|
||||||
|
|
||||||
|
content {
|
||||||
|
action = "accept"
|
||||||
|
comment = "UpCloud DNS"
|
||||||
|
destination_port_end = "53"
|
||||||
|
destination_port_start = "53"
|
||||||
|
direction = "in"
|
||||||
|
family = "IPv4"
|
||||||
|
protocol = firewall_rule.value
|
||||||
|
source_address_end = "94.237.127.9"
|
||||||
|
source_address_start = "94.237.127.9"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic firewall_rule {
|
||||||
|
for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
|
||||||
|
|
||||||
|
content {
|
||||||
|
action = "accept"
|
||||||
|
comment = "UpCloud DNS"
|
||||||
|
destination_port_end = "53"
|
||||||
|
destination_port_start = "53"
|
||||||
|
direction = "in"
|
||||||
|
family = "IPv6"
|
||||||
|
protocol = firewall_rule.value
|
||||||
|
source_address_end = "2a04:3540:53::1"
|
||||||
|
source_address_start = "2a04:3540:53::1"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic firewall_rule {
|
||||||
|
for_each = var.firewall_default_deny_in ? ["tcp", "udp"] : []
|
||||||
|
|
||||||
|
content {
|
||||||
|
action = "accept"
|
||||||
|
comment = "UpCloud DNS"
|
||||||
|
destination_port_end = "53"
|
||||||
|
destination_port_start = "53"
|
||||||
|
direction = "in"
|
||||||
|
family = "IPv6"
|
||||||
|
protocol = firewall_rule.value
|
||||||
|
source_address_end = "2a04:3544:53::1"
|
||||||
|
source_address_start = "2a04:3544:53::1"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic firewall_rule {
|
||||||
|
for_each = var.firewall_default_deny_in ? ["udp"] : []
|
||||||
|
|
||||||
|
content {
|
||||||
|
action = "accept"
|
||||||
|
comment = "NTP Port"
|
||||||
|
destination_port_end = "123"
|
||||||
|
destination_port_start = "123"
|
||||||
|
direction = "in"
|
||||||
|
family = "IPv4"
|
||||||
|
protocol = firewall_rule.value
|
||||||
|
source_address_end = "255.255.255.255"
|
||||||
|
source_address_start = "0.0.0.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
firewall_rule {
|
||||||
|
action = var.firewall_default_deny_in ? "drop" : "accept"
|
||||||
|
direction = "in"
|
||||||
|
}
|
||||||
|
|
||||||
|
firewall_rule {
|
||||||
|
action = var.firewall_default_deny_out ? "drop" : "accept"
|
||||||
|
direction = "out"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "upcloud_loadbalancer" "lb" {
|
resource "upcloud_loadbalancer" "lb" {
|
||||||
|
|
|
@ -49,6 +49,34 @@ variable "k8s_allowed_remote_ips" {
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "master_allowed_ports" {
|
||||||
|
type = list(object({
|
||||||
|
protocol = string
|
||||||
|
port_range_min = number
|
||||||
|
port_range_max = number
|
||||||
|
start_address = string
|
||||||
|
end_address = string
|
||||||
|
}))
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "worker_allowed_ports" {
|
||||||
|
type = list(object({
|
||||||
|
protocol = string
|
||||||
|
port_range_min = number
|
||||||
|
port_range_max = number
|
||||||
|
start_address = string
|
||||||
|
end_address = string
|
||||||
|
}))
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "firewall_default_deny_in" {
|
||||||
|
type = bool
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "firewall_default_deny_out" {
|
||||||
|
type = bool
|
||||||
|
}
|
||||||
|
|
||||||
variable "loadbalancer_enabled" {
|
variable "loadbalancer_enabled" {
|
||||||
type = bool
|
type = bool
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,7 +3,7 @@ terraform {
|
||||||
required_providers {
|
required_providers {
|
||||||
upcloud = {
|
upcloud = {
|
||||||
source = "UpCloudLtd/upcloud"
|
source = "UpCloudLtd/upcloud"
|
||||||
version = "~>2.4.0"
|
version = "~>2.5.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
required_version = ">= 0.13"
|
required_version = ">= 0.13"
|
||||||
|
|
|
@ -95,7 +95,10 @@ machines = {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
firewall_enabled = false
|
firewall_enabled = false
|
||||||
|
firewall_default_deny_in = false
|
||||||
|
firewall_default_deny_out = false
|
||||||
|
|
||||||
|
|
||||||
master_allowed_remote_ips = [
|
master_allowed_remote_ips = [
|
||||||
{
|
{
|
||||||
|
@ -111,6 +114,9 @@ k8s_allowed_remote_ips = [
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
master_allowed_ports = []
|
||||||
|
worker_allowed_ports = []
|
||||||
|
|
||||||
loadbalancer_enabled = false
|
loadbalancer_enabled = false
|
||||||
loadbalancer_plan = "development"
|
loadbalancer_plan = "development"
|
||||||
loadbalancers = {
|
loadbalancers = {
|
||||||
|
|
|
@ -79,6 +79,38 @@ variable "k8s_allowed_remote_ips" {
|
||||||
default = []
|
default = []
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "master_allowed_ports" {
|
||||||
|
description = "List of ports to allow on masters"
|
||||||
|
type = list(object({
|
||||||
|
protocol = string
|
||||||
|
port_range_min = number
|
||||||
|
port_range_max = number
|
||||||
|
start_address = string
|
||||||
|
end_address = string
|
||||||
|
}))
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "worker_allowed_ports" {
|
||||||
|
description = "List of ports to allow on workers"
|
||||||
|
type = list(object({
|
||||||
|
protocol = string
|
||||||
|
port_range_min = number
|
||||||
|
port_range_max = number
|
||||||
|
start_address = string
|
||||||
|
end_address = string
|
||||||
|
}))
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "firewall_default_deny_in" {
|
||||||
|
description = "Add firewall policies that deny all inbound traffic by default"
|
||||||
|
default = false
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "firewall_default_deny_out" {
|
||||||
|
description = "Add firewall policies that deny all outbound traffic by default"
|
||||||
|
default = false
|
||||||
|
}
|
||||||
|
|
||||||
variable "loadbalancer_enabled" {
|
variable "loadbalancer_enabled" {
|
||||||
description = "Enable load balancer"
|
description = "Enable load balancer"
|
||||||
default = false
|
default = false
|
||||||
|
|
|
@ -3,7 +3,7 @@ terraform {
|
||||||
required_providers {
|
required_providers {
|
||||||
upcloud = {
|
upcloud = {
|
||||||
source = "UpCloudLtd/upcloud"
|
source = "UpCloudLtd/upcloud"
|
||||||
version = "~>2.4.0"
|
version = "~>2.5.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
required_version = ">= 0.13"
|
required_version = ">= 0.13"
|
||||||
|
|
Loading…
Reference in New Issue