terraform/gcp: Add ingress_whitelist (#8590)
Also, do not create unneeded resources (target pools are charged and should only be created when needed).
parent
bf7a506f79
commit
299a9ae7ba
7 changed files with 46 additions and 9 deletions
@ -74,6 +74,7 @@ ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
|
||||||
* `ssh_whitelist`: List of IP ranges (CIDR) that will be allowed to ssh to the nodes
|
* `ssh_whitelist`: List of IP ranges (CIDR) that will be allowed to ssh to the nodes
|
||||||
* `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
|
* `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
|
||||||
* `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
|
* `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
|
||||||
|
* `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443
|
||||||
|
|
||||||
### Optional
|
### Optional
|
||||||
|
|
||||||
|
|
|
@ -33,4 +33,5 @@ module "kubernetes" {
|
||||||
ssh_whitelist = var.ssh_whitelist
|
ssh_whitelist = var.ssh_whitelist
|
||||||
api_server_whitelist = var.api_server_whitelist
|
api_server_whitelist = var.api_server_whitelist
|
||||||
nodeport_whitelist = var.nodeport_whitelist
|
nodeport_whitelist = var.nodeport_whitelist
|
||||||
|
ingress_whitelist = var.ingress_whitelist
|
||||||
}
|
}
|
||||||
|
|
|
@ -43,6 +43,8 @@ resource "google_compute_firewall" "allow_internal" {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_firewall" "ssh" {
|
resource "google_compute_firewall" "ssh" {
|
||||||
|
count = length(var.ssh_whitelist) > 0 ? 1 : 0
|
||||||
|
|
||||||
name = "${var.prefix}-ssh-firewall"
|
name = "${var.prefix}-ssh-firewall"
|
||||||
network = google_compute_network.main.name
|
network = google_compute_network.main.name
|
||||||
|
|
||||||
|
@ -57,6 +59,8 @@ resource "google_compute_firewall" "ssh" {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_firewall" "api_server" {
|
resource "google_compute_firewall" "api_server" {
|
||||||
|
count = length(var.api_server_whitelist) > 0 ? 1 : 0
|
||||||
|
|
||||||
name = "${var.prefix}-api-server-firewall"
|
name = "${var.prefix}-api-server-firewall"
|
||||||
network = google_compute_network.main.name
|
network = google_compute_network.main.name
|
||||||
|
|
||||||
|
@ -71,6 +75,8 @@ resource "google_compute_firewall" "api_server" {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_firewall" "nodeport" {
|
resource "google_compute_firewall" "nodeport" {
|
||||||
|
count = length(var.nodeport_whitelist) > 0 ? 1 : 0
|
||||||
|
|
||||||
name = "${var.prefix}-nodeport-firewall"
|
name = "${var.prefix}-nodeport-firewall"
|
||||||
network = google_compute_network.main.name
|
network = google_compute_network.main.name
|
||||||
|
|
||||||
|
@ -85,12 +91,14 @@ resource "google_compute_firewall" "nodeport" {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_firewall" "ingress_http" {
|
resource "google_compute_firewall" "ingress_http" {
|
||||||
|
count = length(var.ingress_whitelist) > 0 ? 1 : 0
|
||||||
|
|
||||||
name = "${var.prefix}-http-ingress-firewall"
|
name = "${var.prefix}-http-ingress-firewall"
|
||||||
network = google_compute_network.main.name
|
network = google_compute_network.main.name
|
||||||
|
|
||||||
priority = 100
|
priority = 100
|
||||||
|
|
||||||
source_ranges = ["0.0.0.0/0"]
|
source_ranges = var.ingress_whitelist
|
||||||
|
|
||||||
allow {
|
allow {
|
||||||
protocol = "tcp"
|
protocol = "tcp"
|
||||||
|
@ -99,12 +107,14 @@ resource "google_compute_firewall" "ingress_http" {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_firewall" "ingress_https" {
|
resource "google_compute_firewall" "ingress_https" {
|
||||||
|
count = length(var.ingress_whitelist) > 0 ? 1 : 0
|
||||||
|
|
||||||
name = "${var.prefix}-https-ingress-firewall"
|
name = "${var.prefix}-https-ingress-firewall"
|
||||||
network = google_compute_network.main.name
|
network = google_compute_network.main.name
|
||||||
|
|
||||||
priority = 100
|
priority = 100
|
||||||
|
|
||||||
source_ranges = ["0.0.0.0/0"]
|
source_ranges = var.ingress_whitelist
|
||||||
|
|
||||||
allow {
|
allow {
|
||||||
protocol = "tcp"
|
protocol = "tcp"
|
||||||
|
@ -247,14 +257,18 @@ resource "google_compute_instance" "master" {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_forwarding_rule" "master_lb" {
|
resource "google_compute_forwarding_rule" "master_lb" {
|
||||||
|
count = length(var.api_server_whitelist) > 0 ? 1 : 0
|
||||||
|
|
||||||
name = "${var.prefix}-master-lb-forward-rule"
|
name = "${var.prefix}-master-lb-forward-rule"
|
||||||
|
|
||||||
port_range = "6443"
|
port_range = "6443"
|
||||||
|
|
||||||
target = google_compute_target_pool.master_lb.id
|
target = google_compute_target_pool.master_lb[count.index].id
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_target_pool" "master_lb" {
|
resource "google_compute_target_pool" "master_lb" {
|
||||||
|
count = length(var.api_server_whitelist) > 0 ? 1 : 0
|
||||||
|
|
||||||
name = "${var.prefix}-master-lb-pool"
|
name = "${var.prefix}-master-lb-pool"
|
||||||
instances = local.master_target_list
|
instances = local.master_target_list
|
||||||
}
|
}
|
||||||
|
@ -349,30 +363,38 @@ resource "google_compute_instance" "worker" {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_address" "worker_lb" {
|
resource "google_compute_address" "worker_lb" {
|
||||||
|
count = length(var.ingress_whitelist) > 0 ? 1 : 0
|
||||||
|
|
||||||
name = "${var.prefix}-worker-lb-address"
|
name = "${var.prefix}-worker-lb-address"
|
||||||
address_type = "EXTERNAL"
|
address_type = "EXTERNAL"
|
||||||
region = var.region
|
region = var.region
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_forwarding_rule" "worker_http_lb" {
|
resource "google_compute_forwarding_rule" "worker_http_lb" {
|
||||||
|
count = length(var.ingress_whitelist) > 0 ? 1 : 0
|
||||||
|
|
||||||
name = "${var.prefix}-worker-http-lb-forward-rule"
|
name = "${var.prefix}-worker-http-lb-forward-rule"
|
||||||
|
|
||||||
ip_address = google_compute_address.worker_lb.address
|
ip_address = google_compute_address.worker_lb[count.index].address
|
||||||
port_range = "80"
|
port_range = "80"
|
||||||
|
|
||||||
target = google_compute_target_pool.worker_lb.id
|
target = google_compute_target_pool.worker_lb[count.index].id
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_forwarding_rule" "worker_https_lb" {
|
resource "google_compute_forwarding_rule" "worker_https_lb" {
|
||||||
|
count = length(var.ingress_whitelist) > 0 ? 1 : 0
|
||||||
|
|
||||||
name = "${var.prefix}-worker-https-lb-forward-rule"
|
name = "${var.prefix}-worker-https-lb-forward-rule"
|
||||||
|
|
||||||
ip_address = google_compute_address.worker_lb.address
|
ip_address = google_compute_address.worker_lb[count.index].address
|
||||||
port_range = "443"
|
port_range = "443"
|
||||||
|
|
||||||
target = google_compute_target_pool.worker_lb.id
|
target = google_compute_target_pool.worker_lb[count.index].id
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_target_pool" "worker_lb" {
|
resource "google_compute_target_pool" "worker_lb" {
|
||||||
|
count = length(var.ingress_whitelist) > 0 ? 1 : 0
|
||||||
|
|
||||||
name = "${var.prefix}-worker-lb-pool"
|
name = "${var.prefix}-worker-lb-pool"
|
||||||
instances = local.worker_target_list
|
instances = local.worker_target_list
|
||||||
}
|
}
|
||||||
|
|
|
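Review bot: The gating expression `length(var.ingress_whitelist) > 0` on the new `count` lines of `ingress_http`, `ingress_https`, the `worker_lb` address, both worker forwarding rules and the `worker_lb` target pool decides two different things at once — whether the ingress load balancer exists and who may reach it — and because the variable defaults to `["0.0.0.0/0"]`, the open-to-the-world case and a restricted case are treated identically while only an explicitly empty list removes the load balancer. Nothing in the module states this, so a reader is likely to assume an empty whitelist means "deny all traffic" rather than "no load balancer at all". I would put a comment above the first gated `count` in each group, e.g. `# An empty whitelist disables this load balancer and its target pool entirely; the default exposes it to 0.0.0.0/0 and the ingress_http/ingress_https firewall rules do the actual source filtering.` The same comment applies to the `api_server_whitelist` gating on the `master_lb` forwarding rule and target pool. The `ports` lists of `ingress_http`/`ingress_https` and the bodies of the `master`/`worker` instances continue outside the hunks.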
@ -19,9 +19,9 @@ output "worker_ip_addresses" {
|
||||||
}
|
}
|
||||||
|
|
||||||
output "ingress_controller_lb_ip_address" {
|
output "ingress_controller_lb_ip_address" {
|
||||||
value = google_compute_address.worker_lb.address
|
value = length(var.ingress_whitelist) > 0 ? google_compute_address.worker_lb.0.address : ""
|
||||||
}
|
}
|
||||||
|
|
||||||
output "control_plane_lb_ip_address" {
|
output "control_plane_lb_ip_address" {
|
||||||
value = google_compute_forwarding_rule.master_lb.ip_address
|
value = length(var.api_server_whitelist) > 0 ? google_compute_forwarding_rule.master_lb.0.ip_address : ""
|
||||||
}
|
}
|
||||||
|
|
|
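Review bot: `google_compute_address.worker_lb.0.address` and `google_compute_forwarding_rule.master_lb.0.ip_address` use the legacy attribute-style index, while the same commit uses bracket indexing (`[count.index]`) in main.tf; for consistency write `value = length(var.ingress_whitelist) > 0 ? google_compute_address.worker_lb[0].address : ""` and likewise `google_compute_forwarding_rule.master_lb[0].ip_address`. Returning `""` when the load balancer is not created also means whatever consumes these outputs cannot tell "absent" from "empty" by type alone; if no consumer depends on the empty string, `null` would be the more explicit sentinel — confirm against the code that reads these outputs before changing it.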
@ -65,6 +65,11 @@ variable "nodeport_whitelist" {
|
||||||
type = list(string)
|
type = list(string)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "ingress_whitelist" {
|
||||||
|
type = list(string)
|
||||||
|
default = ["0.0.0.0/0"]
|
||||||
|
}
|
||||||
|
|
||||||
variable "private_network_cidr" {
|
variable "private_network_cidr" {
|
||||||
default = "10.0.10.0/24"
|
default = "10.0.10.0/24"
|
||||||
}
|
}
|
||||||
|
|
|
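Review bot: The new `ingress_whitelist` variable has no `description`, and its default of `["0.0.0.0/0"]` means a user who never sets it gets an ingress load balancer reachable from any address, whereas setting `[]` removes the load balancer and target pool rather than merely blocking traffic. I would add `description = "CIDR ranges allowed to reach the ingress LB on ports 80 and 443. Defaults to everywhere; an empty list disables the ingress LB, its target pool and the related firewall rules."` so the two very different outcomes are visible at the variable declaration. The same applies to the duplicate root-level declaration in the last hunk (`variable "ingress_whitelist"` at -90,3 +90,8), where the surrounding blocks use the unquoted style (`variable nodeport_whitelist`) and the new block is quoted — a minor inconsistency worth aligning with the file's existing style.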
@ -16,6 +16,9 @@
|
||||||
"nodeport_whitelist": [
|
"nodeport_whitelist": [
|
||||||
"1.2.3.4/32"
|
"1.2.3.4/32"
|
||||||
],
|
],
|
||||||
|
"ingress_whitelist": [
|
||||||
|
"0.0.0.0/0"
|
||||||
|
],
|
||||||
|
|
||||||
"machines": {
|
"machines": {
|
||||||
"master-0": {
|
"master-0": {
|
||||||
|
|
|
@ -90,3 +90,8 @@ variable api_server_whitelist {
|
||||||
variable nodeport_whitelist {
|
variable nodeport_whitelist {
|
||||||
type = list(string)
|
type = list(string)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "ingress_whitelist" {
|
||||||
|
type = list(string)
|
||||||
|
default = ["0.0.0.0/0"]
|
||||||
|
}
|
||||||
|
|