From 1cf76a10db24231371caceb427338e51ed87f5ef Mon Sep 17 00:00:00 2001
From: Maxime Guyot
Date: Wed, 17 Apr 2019 11:10:03 +0200
Subject: [PATCH] Disable usage of default security group (#4533)

---
 contrib/terraform/openstack/kubespray.tf | 1 +
 .../openstack/modules/compute/main.tf | 40 ++++++++++---------
 .../openstack/modules/compute/variables.tf | 4 ++
 contrib/terraform/openstack/variables.tf | 6 +++
 4 files changed, 33 insertions(+), 18 deletions(-)

diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index 93693e3cb..ac10c4f26 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -53,6 +53,7 @@ module "compute" {
 bastion_fips = "${module.ips.bastion_fips}"
 bastion_allowed_remote_ips = "${var.bastion_allowed_remote_ips}"
 k8s_allowed_remote_ips = "${var.k8s_allowed_remote_ips}"
+ k8s_allowed_egress_ips = "${var.k8s_allowed_egress_ips}"
 supplementary_master_groups = "${var.supplementary_master_groups}"
 supplementary_node_groups = "${var.supplementary_node_groups}"
 worker_allowed_ports = "${var.worker_allowed_ports}"
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index fa2d76c5a..4bfb0c23c 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -4,8 +4,9 @@ resource "openstack_compute_keypair_v2" "k8s" {
 }
 
 resource "openstack_networking_secgroup_v2" "k8s_master" {
- name = "${var.cluster_name}-k8s-master"
- description = "${var.cluster_name} - Kubernetes Master"
+ name = "${var.cluster_name}-k8s-master"
+ description = "${var.cluster_name} - Kubernetes Master"
+ delete_default_rules = true
 }
 
 resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
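Review bot: `delete_default_rules = true` on `openstack_networking_secgroup_v2.k8s_master` is, as far as I recall, a ForceNew attribute in the OpenStack provider, so on an already-deployed cluster `terraform apply` will plan to destroy and recreate the group while running instances still reference it, which Neutron rejects for an in-use security group. Nothing in the patch or its subject warns about this, so operators upgrading an existing cluster will hit a failed apply rather than a clean cut-over; a note in the commit message or the contrib README that the change is only safe for fresh deployments (or requires recreating the instances) would be worth adding. The attribute itself also deserves a why-comment so the next reader knows what is being given up, e.g. `# Drop the provider-created allow-all egress rules; egress is granted explicitly by the egress rules on the k8s group instead.` The `k8s_master` rule resource that follows has its body outside this hunk.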
@@ -19,9 +20,10 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
 }
 
 resource "openstack_networking_secgroup_v2" "bastion" {
- name = "${var.cluster_name}-bastion"
- count = "${var.number_of_bastions ? 1 : 0}"
- description = "${var.cluster_name} - Bastion Server"
+ name = "${var.cluster_name}-bastion"
+ count = "${var.number_of_bastions ? 1 : 0}"
+ description = "${var.cluster_name} - Bastion Server"
+ delete_default_rules = true
 }
 
 resource "openstack_networking_secgroup_rule_v2" "bastion" {
@@ -36,8 +38,9 @@ resource "openstack_networking_secgroup_rule_v2" "bastion" {
 }
 
 resource "openstack_networking_secgroup_v2" "k8s" {
- name = "${var.cluster_name}-k8s"
- description = "${var.cluster_name} - Kubernetes"
+ name = "${var.cluster_name}-k8s"
+ description = "${var.cluster_name} - Kubernetes"
+ delete_default_rules = true
 }
 
 resource "openstack_networking_secgroup_rule_v2" "k8s" {
@@ -58,9 +61,18 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips" {
 security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
 }
 
+resource "openstack_networking_secgroup_rule_v2" "egress" {
+ count = "${length(var.k8s_allowed_egress_ips)}"
+ direction = "egress"
+ ethertype = "IPv4"
+ remote_ip_prefix = "${var.k8s_allowed_egress_ips[count.index]}"
+ security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
+}
+
 resource "openstack_networking_secgroup_v2" "worker" {
- name = "${var.cluster_name}-k8s-worker"
- description = "${var.cluster_name} - Kubernetes worker nodes"
+ name = "${var.cluster_name}-k8s-worker"
+ description = "${var.cluster_name} - Kubernetes worker nodes"
+ delete_default_rules = true
 }
 
 resource "openstack_networking_secgroup_rule_v2" "worker" {
@@ -87,7 +99,6 @@ resource "openstack_compute_instance_v2" "bastion" {
 
 security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
 "${openstack_networking_secgroup_v2.bastion.name}",
- "default",
 ]
 
 metadata = {
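Review bot: The new `egress` rule is `ethertype = "IPv4"` only, while `delete_default_rules = true` on every group in this file also removes the provider-created default rules, which on Neutron include an IPv6 allow-all egress rule, so nodes end up with no IPv6 egress at all — a silent regression on dual-stack clouds (IPv6-only resolvers, AAAA-only registries). If that is intended it should be stated on the variable description; otherwise a sibling rule for IPv6 is needed, either hard-wired to `::/0` as below or driven by a second list variable. Note also that egress is granted only through the `k8s` group, so the design only holds while every instance carries that group — all instance resources in this patch do, but the invariant deserves a comment on the rule, e.g. `# Sole egress rule for the cluster: every instance is attached to the k8s group and the other groups have their default egress removed.`
```hcl
resource "openstack_networking_secgroup_rule_v2" "egress_v6" {
  direction         = "egress"
  ethertype         = "IPv6"
  remote_ip_prefix  = "::/0"
  security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
}
```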
@@ -115,7 +126,6 @@ resource "openstack_compute_instance_v2" "k8s_master" {
 
 security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
 "${openstack_networking_secgroup_v2.k8s.name}",
- "default",
 ]
 
 metadata = {
@@ -143,7 +153,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
 
 security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
 "${openstack_networking_secgroup_v2.k8s.name}",
- "default",
 ]
 
 metadata = {
@@ -192,7 +201,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
 
 security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
 "${openstack_networking_secgroup_v2.k8s.name}",
- "default",
 ]
 
 metadata = {
@@ -239,7 +247,6 @@ resource "openstack_compute_instance_v2" "k8s_node" {
 
 security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
 "${openstack_networking_secgroup_v2.worker.name}",
- "default",
 ]
 
 metadata = {
@@ -267,7 +274,6 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
 
 security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
 "${openstack_networking_secgroup_v2.worker.name}",
- "default",
 ]
 
 metadata = {
@@ -314,9 +320,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
 name = "${var.network_name}"
 }
 
- security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
- "default",
- ]
+ security_groups = ["${openstack_networking_secgroup_v2.k8s.name}"]
 
 metadata = {
 ssh_user = "${var.ssh_user_gfs}"
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 75b5e5e6d..73d657e6d 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -70,6 +70,10 @@ variable "k8s_allowed_remote_ips" {
 type = "list"
 }
 
+variable "k8s_allowed_egress_ips" {
+ type = "list"
+}
+
 variable "supplementary_master_groups" {
 default = ""
 }
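Review bot: `variable "k8s_allowed_egress_ips"` in the compute module carries no `description`, unlike the root variable that feeds it, so a reader of the module alone cannot tell that this list is now the only thing granting outbound traffic once the `default` group is gone and the provider's default egress rules are deleted. That matters operationally: anyone narrowing it from `0.0.0.0/0` must still allow DNS, the OpenStack metadata service at 169.254.169.254, container registries and the OpenStack API, or cloud-init and the Kubespray run fail with no obvious security-group error. I would add `description = "IPv4 CIDRs allowed as egress from every cluster instance (sole egress rule once default rules are dropped); a restricted list must still permit DNS, the metadata service, registries and the OpenStack API"`. The IPv4-only scope follows from the egress rule in main.tf being `ethertype = "IPv4"`.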
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index 8d53b9b44..911755d9e 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -151,6 +151,12 @@ variable "k8s_allowed_remote_ips" {
 default = []
 }
 
+variable "k8s_allowed_egress_ips" {
+ description = "An array of CIDRs allowed for egress traffic"
+ type = "list"
+ default = ["0.0.0.0/0"]
+}
+
 variable "worker_allowed_ports" {
 type = "list"