feat: add default network policy
ArchiFleKs committed Jun 12, 2019
1 parent 16a8475 commit 7234a55
Showing 12 changed files with 573 additions and 0 deletions.
41 changes: 41 additions & 0 deletions terraform/modules/eks-addons/cert-manager.tf
Expand Up @@ -59,6 +59,47 @@ resource "helm_release" "cert_manager" {
namespace = "${var.cert_manager["namespace"]}"
}

resource "kubernetes_network_policy" "cert_manager_default_deny" {
count = "${var.cert_manager["enabled"] * var.cert_manager["default_network_policy"]}"
metadata {
name = "${var.cert_manager["namespace"]}-default-deny"
namespace = "${var.cert_manager["namespace"]}"
}

spec {
pod_selector {}
policy_types = ["Ingress"]
}
}

resource "kubernetes_network_policy" "cert_manager_allow_namespace" {
count = "${var.cert_manager["enabled"] * var.cert_manager["default_network_policy"]}"
metadata {
name = "${var.cert_manager["namespace"]}-allow-namespace"
namespace = "${var.cert_manager["namespace"]}"
}

spec {
pod_selector {}

ingress = [
{
from = [
{
namespace_selector {
match_labels = {
name = "${var.cert_manager["namespace"]}"
}
}
}
]
}
]

policy_types = ["Ingress"]
}
}

output "cert_manager_cluster_issuers" {
value = "${data.template_file.cluster_issuers.rendered}"
}
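Review bot: The `namespace_selector` in `cert_manager_allow_namespace` matches the namespace only through a `name` label equal to the namespace name, and nothing in this hunk attaches that label; if the namespace is created without it, the rule selects nothing and `cert_manager_default_deny` blocks all in-namespace ingress to cert-manager. The same selector is repeated in cluster-autoscaler.tf, external-dns.tf, fluentd-cloudwatch.tf, flux.tf, kiam.tf and kube-prometheus.tf, so one fix covers all seven. A comment on the selector would make the dependency visible: `# relies on the namespace carrying a "name=<namespace>" label; the rule matches nothing without it`. Both policies set only `policy_types = ["Ingress"]`, so the resource name `default_deny` overstates the isolation — egress from the namespace stays unrestricted, which deserves a one-line comment on the default-deny spec such as `# ingress-only: egress from this namespace is not restricted`. If the chart deploys cert-manager's admission webhook, calls to it originate from the API server rather than from a pod in the namespace, so a policy-enforcing CNI may drop them under this ruleset; confirm that, or add an explicit allow for that path.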
41 changes: 41 additions & 0 deletions terraform/modules/eks-addons/cluster-autoscaler.tf
Expand Up @@ -59,3 +59,44 @@ resource "helm_release" "cluster_autoscaler" {
values = ["${concat(list(var.cluster_autoscaler["use_kiam"] ? local.values_cluster_autoscaler_kiam : local.values_cluster_autoscaler),list(var.cluster_autoscaler["extra_values"]))}"]
namespace = "${var.cluster_autoscaler["namespace"]}"
}

resource "kubernetes_network_policy" "cluster_autoscaler_default_deny" {
count = "${var.cluster_autoscaler["enabled"] * var.cluster_autoscaler["default_network_policy"]}"
metadata {
name = "${var.cluster_autoscaler["namespace"]}-default-deny"
namespace = "${var.cluster_autoscaler["namespace"]}"
}

spec {
pod_selector {}
policy_types = ["Ingress"]
}
}

resource "kubernetes_network_policy" "cluster_autoscaler_allow_namespace" {
count = "${var.cluster_autoscaler["enabled"] * var.cluster_autoscaler["default_network_policy"]}"
metadata {
name = "${var.cluster_autoscaler["namespace"]}-allow-namespace"
namespace = "${var.cluster_autoscaler["namespace"]}"
}

spec {
pod_selector {}

ingress = [
{
from = [
{
namespace_selector {
match_labels = {
name = "${var.cluster_autoscaler["namespace"]}"
}
}
}
]
}
]

policy_types = ["Ingress"]
}
}
41 changes: 41 additions & 0 deletions terraform/modules/eks-addons/external-dns.tf
Expand Up @@ -53,3 +53,44 @@ resource "helm_release" "external_dns" {
values = ["${concat(list(var.external_dns["use_kiam"] ? local.values_external_dns_kiam : local.values_external_dns),list(var.external_dns["extra_values"]))}"]
namespace = "${var.external_dns["namespace"]}"
}

resource "kubernetes_network_policy" "external_dns_default_deny" {
count = "${var.external_dns["enabled"] * var.external_dns["default_network_policy"]}"
metadata {
name = "${var.external_dns["namespace"]}-default-deny"
namespace = "${var.external_dns["namespace"]}"
}

spec {
pod_selector {}
policy_types = ["Ingress"]
}
}

resource "kubernetes_network_policy" "external_dns_allow_namespace" {
count = "${var.external_dns["enabled"] * var.external_dns["default_network_policy"]}"
metadata {
name = "${var.external_dns["namespace"]}-allow-namespace"
namespace = "${var.external_dns["namespace"]}"
}

spec {
pod_selector {}

ingress = [
{
from = [
{
namespace_selector {
match_labels = {
name = "${var.external_dns["namespace"]}"
}
}
}
]
}
]

policy_types = ["Ingress"]
}
}
41 changes: 41 additions & 0 deletions terraform/modules/eks-addons/fluentd-cloudwatch.tf
Expand Up @@ -61,3 +61,44 @@ resource "helm_release" "fluentd_cloudwatch" {
values = ["${concat(list(var.fluentd_cloudwatch["use_kiam"] ? local.values_fluentd_cloudwatch_kiam : local.values_fluentd_cloudwatch),list(var.fluentd_cloudwatch["extra_values"]))}"]
namespace = "${var.fluentd_cloudwatch["namespace"]}"
}

resource "kubernetes_network_policy" "fluentd_cloudwatch_default_deny" {
count = "${var.fluentd_cloudwatch["enabled"] * var.fluentd_cloudwatch["default_network_policy"]}"
metadata {
name = "${var.fluentd_cloudwatch["namespace"]}-default-deny"
namespace = "${var.fluentd_cloudwatch["namespace"]}"
}

spec {
pod_selector {}
policy_types = ["Ingress"]
}
}

resource "kubernetes_network_policy" "fluentd_cloudwatch_allow_namespace" {
count = "${var.fluentd_cloudwatch["enabled"] * var.fluentd_cloudwatch["default_network_policy"]}"
metadata {
name = "${var.fluentd_cloudwatch["namespace"]}-allow-namespace"
namespace = "${var.fluentd_cloudwatch["namespace"]}"
}

spec {
pod_selector {}

ingress = [
{
from = [
{
namespace_selector {
match_labels = {
name = "${var.fluentd_cloudwatch["namespace"]}"
}
}
}
]
}
]

policy_types = ["Ingress"]
}
}
41 changes: 41 additions & 0 deletions terraform/modules/eks-addons/flux.tf
Expand Up @@ -18,3 +18,44 @@ resource "helm_release" "flux" {
values = ["${concat(list(local.values_flux),list(var.flux["extra_values"]))}"]
namespace = "${var.flux["namespace"]}"
}

resource "kubernetes_network_policy" "flux_default_deny" {
count = "${var.flux["enabled"] * var.flux["default_network_policy"]}"
metadata {
name = "${var.flux["namespace"]}-default-deny"
namespace = "${var.flux["namespace"]}"
}

spec {
pod_selector {}
policy_types = ["Ingress"]
}
}

resource "kubernetes_network_policy" "flux_allow_namespace" {
count = "${var.flux["enabled"] * var.flux["default_network_policy"]}"
metadata {
name = "${var.flux["namespace"]}-allow-namespace"
namespace = "${var.flux["namespace"]}"
}

spec {
pod_selector {}

ingress = [
{
from = [
{
namespace_selector {
match_labels = {
name = "${var.flux["namespace"]}"
}
}
}
]
}
]

policy_types = ["Ingress"]
}
}
41 changes: 41 additions & 0 deletions terraform/modules/eks-addons/kiam.tf
Expand Up @@ -156,6 +156,47 @@ resource "tls_locally_signed_cert" "kiam_server_crt" {
]
}

resource "kubernetes_network_policy" "kiam_default_deny" {
count = "${var.kiam["enabled"] * var.kiam["default_network_policy"]}"
metadata {
name = "${var.kiam["namespace"]}-default-deny"
namespace = "${var.kiam["namespace"]}"
}

spec {
pod_selector {}
policy_types = ["Ingress"]
}
}

resource "kubernetes_network_policy" "kiam_allow_namespace" {
count = "${var.kiam["enabled"] * var.kiam["default_network_policy"]}"
metadata {
name = "${var.kiam["namespace"]}-allow-namespace"
namespace = "${var.kiam["namespace"]}"
}

spec {
pod_selector {}

ingress = [
{
from = [
{
namespace_selector {
match_labels = {
name = "${var.kiam["namespace"]}"
}
}
}
]
}
]

policy_types = ["Ingress"]
}
}

output "kiam_ca_crt" {
value = "${tls_self_signed_cert.kiam_ca_crt.*.cert_pem}"
}
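Review bot: `kiam_allow_namespace` admits ingress only from pods matched by the kiam namespace label, but the kiam agent is commonly deployed with `hostNetwork`, in which case its gRPC connections to the kiam server arrive from the node address rather than from a namespace-labelled pod; under a policy-enforcing CNI the rule would then not match and `kiam_default_deny` would cut the agents off from the server. How the agent is deployed is not visible in this hunk, so verify it before relying on the policy, and if the agent does use host networking, admit that path explicitly (for example an `ip_block` entry for the node CIDR in the `from` list) rather than disabling the policy. A comment on the allow policy would record the caveat: `# hostNetwork kiam agents are not matched by the namespace selector; admit node traffic explicitly if needed`.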
75 changes: 75 additions & 0 deletions terraform/modules/eks-addons/kube-prometheus.tf
Expand Up @@ -30,6 +30,81 @@ resource "helm_release" "prometheus_operator" {
namespace = "${var.prometheus_operator["namespace"]}"
}

resource "kubernetes_network_policy" "prometheus_operator_default_deny" {
count = "${var.prometheus_operator["enabled"] * var.prometheus_operator["default_network_policy"]}"
metadata {
name = "${var.prometheus_operator["namespace"]}-default-deny"
namespace = "${var.prometheus_operator["namespace"]}"
}

spec {
pod_selector {}
policy_types = ["Ingress"]
}
}

resource "kubernetes_network_policy" "prometheus_operator_allow_namespace" {
count = "${var.prometheus_operator["enabled"] * var.prometheus_operator["default_network_policy"]}"
metadata {
name = "${var.prometheus_operator["namespace"]}-allow-namespace"
namespace = "${var.prometheus_operator["namespace"]}"
}

spec {
pod_selector {}

ingress = [
{
from = [
{
namespace_selector {
match_labels = {
name = "${var.prometheus_operator["namespace"]}"
}
}
}
]
}
]

policy_types = ["Ingress"]
}
}

resource "kubernetes_network_policy" "prometheus_operator_allow_ingress_nginx" {
count = "${var.prometheus_operator["enabled"] * var.prometheus_operator["default_network_policy"]}"
metadata {
name = "${var.prometheus_operator["namespace"]}-allow-ingress-nginx"
namespace = "${var.prometheus_operator["namespace"]}"
}

spec {
pod_selector {
match_expressions {
key = "app"
operator = "In"
values = ["grafana"]
}
}

ingress = [
{
from = [
{
namespace_selector {
match_labels = {
name = "${var.nginx_ingress["namespace"]}"
}
}
}
]
}
]

policy_types = ["Ingress"]
}
}

output "grafana_password" {
value = "${random_string.grafana_password.*.result}"
}
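Review bot: `prometheus_operator_allow_ingress_nginx` admits traffic from every pod in the nginx-ingress namespace on every port of the selected Grafana pods, because the ingress rule carries no `ports` entry and the `from` entry has no pod selector. Narrowing it to the Grafana service port tightens the rule without changing its intent, in the hunk's list-of-maps style: `ports = [{ port = "3000", protocol = "TCP" }]` alongside the `from` list (verify the port against the chart values). The `app In [grafana]` selector also depends on the label the chart puts on the Grafana pods, which this hunk does not show; a comment naming that dependency would help: `# selects the chart's Grafana pods by their app label — keep in sync with chart values`.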