Use default-deny patterns #11

Merged
merged 2 commits into from
Aug 30, 2024
6 changes: 3 additions & 3 deletions regional/README.md
Expand Up @@ -11,9 +11,9 @@ No requirements.

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 6.0.1 |
| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.15.0 |
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.32.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 5.40.0 |
| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.14.1 |
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.31.0 |

## Modules

3 changes: 2 additions & 1 deletion regional/manifests/README.md
Expand Up @@ -9,7 +9,7 @@ No requirements.

| Name | Version |
|------|---------|
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.32.0 |
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.31.0 |

## Modules

Expand All @@ -20,6 +20,7 @@ No modules.
| Name | Type |
|------|------|
| [kubernetes_manifest.gke_info_istio_virtual_services](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_authorization_policy](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_cluster_services_destination_rule](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_kubernetes_default_destination_rule](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
200 changes: 111 additions & 89 deletions regional/manifests/main.tf
Expand Up @@ -3,37 +3,37 @@

resource "kubernetes_manifest" "istio_cluster_services_destination_rule" {
manifest = {
"apiVersion" = "networking.istio.io/v1beta1"
"kind" = "DestinationRule"
apiVersion = "networking.istio.io/v1beta1"
kind = "DestinationRule"

"metadata" = {
"name" = "cluster-services"
"namespace" = "istio-system"
metadata = {
name = "cluster-services"
namespace = "istio-system"
}

"spec" = {
"host" = "*.svc.cluster.local"
spec = {
host = "*.svc.cluster.local"

"trafficPolicy" = {
"connectionPool" = {
trafficPolicy = {
connectionPool = {

# ConnectionPoolSettings
# https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings

"http" = {
"maxRequestsPerConnection" = 0 # This is the default value
http = {
maxRequestsPerConnection = 0 # This is the default value
}
}

"loadBalancer" = {
"simple" = "LEAST_REQUEST"
"localityLbSetting" = {
"enabled" = true
loadBalancer = {
simple = "LEAST_REQUEST"
localityLbSetting = {
enabled = true

"failover" = [
failover = [
{
"from" = var.istio_failover_from_region
"to" = var.istio_failover_to_region
from = var.istio_failover_from_region
to = var.istio_failover_to_region
}
]
}
Expand All @@ -42,14 +42,14 @@ resource "kubernetes_manifest" "istio_cluster_services_destination_rule" {
# OutlierDetection
# https://istio.io/latest/docs/reference/config/networking/destination-rule/#OutlierDetection

"outlierDetection" = {
outlierDetection = {

# These are the default values

"consecutive5xxErrors" = 5
"interval" = "10s"
"baseEjectionTime" = "30s"
"maxEjectionPercent" = 10
consecutive5xxErrors = 5
interval = "10s"
baseEjectionTime = "30s"
maxEjectionPercent = 10
}
}
}
Expand All @@ -58,20 +58,20 @@ resource "kubernetes_manifest" "istio_cluster_services_destination_rule" {

resource "kubernetes_manifest" "istio_kubernetes_default_destination_rule" {
manifest = {
"apiVersion" = "networking.istio.io/v1beta1"
"kind" = "DestinationRule"
apiVersion = "networking.istio.io/v1beta1"
kind = "DestinationRule"

"metadata" = {
"name" = "kubernetes-default"
"namespace" = "istio-system"
metadata = {
name = "kubernetes-default"
namespace = "istio-system"
}

"spec" = {
"host" = "kubernetes.default.svc"
spec = {
host = "kubernetes.default.svc"

"trafficPolicy" = {
"tls" = {
"mode" = "DISABLE"
trafficPolicy = {
tls = {
mode = "DISABLE"
}
}
}
Expand All @@ -80,32 +80,32 @@ resource "kubernetes_manifest" "istio_kubernetes_default_destination_rule" {

resource "kubernetes_manifest" "istio_gateway" {
manifest = {
"apiVersion" = "networking.istio.io/v1beta1"
"kind" = "Gateway"
apiVersion = "networking.istio.io/v1beta1"
kind = "Gateway"

"metadata" = {
"name" = "global"
"namespace" = "istio-ingress"
metadata = {
name = "global"
namespace = "istio-ingress"
}

"spec" = {
"selector" = {
"istio" = "gateway"
spec = {
selector = {
istio = "gateway"
}

"servers" = [
servers = [
{
"port" = {
"name" = "https"
"number" = 443
"protocol" = "HTTPS"
port = {
name = "https"
number = 443
protocol = "HTTPS"
}

"hosts" = [
hosts = [
"*"
]

"tls" = {
tls = {

# As part of the incoming TLS connection, the gateway will decrypt the traffic in order to apply the routing rules.
# This is an additional manual step to configure the gateway to use the TLS certificate. This is not recommended for production use.
Expand All @@ -114,8 +114,8 @@ resource "kubernetes_manifest" "istio_gateway" {
# openssl x509 -req -sha256 -days 365 -CA osinfra.io.crt -CAkey osinfra.io.key -set_serial 0 -in gateway.istio-ingress.svc.cluster.local.csr -out gateway.istio-ingress.svc.cluster.local.crt
# kubectl create -n istio-ingress secret tls gateway-tls --key=gateway.istio-ingress.svc.cluster.local.key --cert=gateway.istio-ingress.svc.cluster.local.crt

"mode" = "SIMPLE"
"credentialName" = "gateway-tls"
mode = "SIMPLE"
credentialName = "gateway-tls"
}
}
]
Expand All @@ -125,50 +125,68 @@ resource "kubernetes_manifest" "istio_gateway" {

resource "kubernetes_manifest" "istio_peer_authentication" {
manifest = {
"apiVersion" = "security.istio.io/v1beta1"
"kind" = "PeerAuthentication"
apiVersion = "security.istio.io/v1beta1"
kind = "PeerAuthentication"

"metadata" = {
"name" = "default"
"namespace" = "istio-system"
metadata = {
name = "default"
namespace = "istio-system"
}

"spec" = {
"mtls" = {
"mode" = "STRICT"
spec = {
mtls = {
mode = "STRICT"
}
}
}
}

resource "kubernetes_manifest" "istio_authorization_policy" {
manifest = {
apiVersion = "security.istio.io/v1"
kind = "AuthorizationPolicy"

metadata = {
name = "deny-all"
namespace = "istio-system"
}

# It's recommended to define authorization policies following the default-deny pattern to enhance your cluster’s security posture.
# The spec field of the policy has the empty value {}. That value means that no traffic is permitted, effectively denying all requests.

spec = {}
}
}

resource "kubernetes_manifest" "istio_virtual_services" {
for_each = merge(var.istio_virtual_services, var.common_istio_virtual_services)

manifest = {
"apiVersion" = "networking.istio.io/v1beta1"
"kind" = "VirtualService"
apiVersion = "networking.istio.io/v1beta1"
kind = "VirtualService"

"metadata" = {
"name" = each.key
"namespace" = "istio-ingress"
metadata = {
name = each.key
namespace = "istio-ingress"
}

"spec" = {
"gateways" = [
spec = {
gateways = [
kubernetes_manifest.istio_gateway.manifest.metadata.name
]
"hosts" = [

hosts = [
each.value.host
]

"http" = [
http = [
{
"route" = [
route = [
{
"destination" = {
"host" = each.value.destination_host
"port" = {
"number" = each.value.destination_port
destination = {
host = each.value.destination_host
port = {
number = each.value.destination_port
}
}
}
Expand All @@ -183,34 +201,38 @@ resource "kubernetes_manifest" "gke_info_istio_virtual_services" {
for_each = merge(var.gke_info_istio_virtual_services, var.common_gke_info_istio_virtual_services)

manifest = {
"apiVersion" = "networking.istio.io/v1beta1"
"kind" = "VirtualService"
"metadata" = {
"name" = each.key
"namespace" = "istio-ingress"
apiVersion = "networking.istio.io/v1beta1"
kind = "VirtualService"
metadata = {
name = each.key
namespace = "istio-ingress"
}
"spec" = {
"gateways" = [

spec = {
gateways = [
kubernetes_manifest.istio_gateway.manifest.metadata.name
]
"hosts" = [

hosts = [
each.value.host
]
"http" = [

http = [
{
"match" = [
match = [
{
"uri" = {
"prefix" = "/gke-info-go"
uri = {
prefix = "/gke-info-go"
}
}
]
"route" = [

route = [
{
"destination" = {
"host" = each.value.destination_host
"port" = {
"number" = 8080
destination = {
host = each.value.destination_host
port = {
number = 8080
}
}
}
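Review bot: The deny-all AuthorizationPolicy added as `istio_authorization_policy` is created in `istio-system`, which in a default Istio install is the mesh root namespace, so the empty-spec policy applies mesh-wide — including to the ingress gateway in `istio-ingress` that the `istio_virtual_services` and `gke_info_istio_virtual_services` resources route through. Nothing in this file adds a matching ALLOW policy, so unless one is introduced elsewhere in the PR, every request through the gateway and between sidecar-injected workloads will be rejected with `RBAC: access denied` once this is applied. It is also worth recording that the policy is only enforced by injected sidecars, since pods outside the mesh are not covered by it. I would extend the existing comment with: `# istio-system is the root namespace, so this deny-all is mesh-wide (gateway included) and enforced only by sidecars; each namespace that should receive traffic needs an explicit ALLOW AuthorizationPolicy or requests fail with "RBAC: access denied".` The resource is fully contained in this hunk.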