From 7234a55c3250afb45b03c6a7377edd167e107041 Mon Sep 17 00:00:00 2001
From: ArchiFleKs
Date: Wed, 12 Jun 2019 18:44:47 +0200
Subject: [PATCH] feat: add default network policy
---
 terraform/modules/eks-addons/cert-manager.tf | 41 +++++++++
 .../modules/eks-addons/cluster-autoscaler.tf | 41 +++++++++
 terraform/modules/eks-addons/external-dns.tf | 41 +++++++++
 .../modules/eks-addons/fluentd-cloudwatch.tf | 41 +++++++++
 terraform/modules/eks-addons/flux.tf | 41 +++++++++
 terraform/modules/eks-addons/kiam.tf | 41 +++++++++
 .../modules/eks-addons/kube-prometheus.tf | 75 +++++++++++++++++
 .../modules/eks-addons/metrics-server.tf | 41 +++++++++
 terraform/modules/eks-addons/nginx-ingress.tf | 84 +++++++++++++++++++
 .../eks-addons/node-problem-detector.tf | 41 +++++++++
 .../modules/eks-addons/sealed-secrets.tf | 41 +++++++++
 .../modules/eks-addons/virtual-kubelet.tf | 45 ++++++++++
 12 files changed, 573 insertions(+)
diff --git a/terraform/modules/eks-addons/cert-manager.tf b/terraform/modules/eks-addons/cert-manager.tf
index f1ed9b0f..fd1ffecf 100644
--- a/terraform/modules/eks-addons/cert-manager.tf
+++ b/terraform/modules/eks-addons/cert-manager.tf
@@ -59,6 +59,47 @@ resource "helm_release" "cert_manager" {
 namespace = "${var.cert_manager["namespace"]}"
 }
 
+resource "kubernetes_network_policy" "cert_manager_default_deny" {
+ count = "${var.cert_manager["enabled"] * var.cert_manager["default_network_policy"]}"
+ metadata {
+ name = "${var.cert_manager["namespace"]}-default-deny"
+ namespace = "${var.cert_manager["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "cert_manager_allow_namespace" {
+ count = "${var.cert_manager["enabled"] * var.cert_manager["default_network_policy"]}"
+ metadata {
+ name = "${var.cert_manager["namespace"]}-allow-namespace"
+ namespace = "${var.cert_manager["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.cert_manager["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
+
 output "cert_manager_cluster_issuers" {
 value = "${data.template_file.cluster_issuers.rendered}"
 }
diff --git a/terraform/modules/eks-addons/cluster-autoscaler.tf b/terraform/modules/eks-addons/cluster-autoscaler.tf
index d4381157..ae2faded 100644
--- a/terraform/modules/eks-addons/cluster-autoscaler.tf
+++ b/terraform/modules/eks-addons/cluster-autoscaler.tf
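Review bot: `cert_manager_allow_namespace` only admits traffic if the cert-manager namespace itself carries a `name` label equal to `var.cert_manager["namespace"]`; this commit adds such a label only to the virtual-kubelet namespace, and the namespace resources for the other add-ons are outside these hunks, so confirm each of them is labeled or `cert_manager_default_deny` will also cut off traffic inside the namespace. The same dependency exists in the cluster-autoscaler, external-dns, fluentd-cloudwatch, flux, kiam, kube-prometheus, metrics-server, nginx-ingress, node-problem-detector and sealed-secrets hunks. Both policies set `policy_types = ["Ingress"]` only, so egress from every add-on namespace stays unrestricted; a comment on the default-deny resource stating that this is intentional, e.g. `# Ingress-only: egress from this namespace is deliberately left open`, would stop the next reader from assuming the namespace is fully isolated. Where an add-on serves a webhook that the control plane calls (cert-manager's webhook, if enabled), the ingress default-deny may also block the kube-apiserver's connection depending on how the CNI classifies control-plane traffic — worth verifying on the target cluster before enabling `default_network_policy`.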
@@ -59,3 +59,44 @@ resource "helm_release" "cluster_autoscaler" {
 values = ["${concat(list(var.cluster_autoscaler["use_kiam"] ? local.values_cluster_autoscaler_kiam : local.values_cluster_autoscaler),list(var.cluster_autoscaler["extra_values"]))}"]
 namespace = "${var.cluster_autoscaler["namespace"]}"
 }
+
+resource "kubernetes_network_policy" "cluster_autoscaler_default_deny" {
+ count = "${var.cluster_autoscaler["enabled"] * var.cluster_autoscaler["default_network_policy"]}"
+ metadata {
+ name = "${var.cluster_autoscaler["namespace"]}-default-deny"
+ namespace = "${var.cluster_autoscaler["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "cluster_autoscaler_allow_namespace" {
+ count = "${var.cluster_autoscaler["enabled"] * var.cluster_autoscaler["default_network_policy"]}"
+ metadata {
+ name = "${var.cluster_autoscaler["namespace"]}-allow-namespace"
+ namespace = "${var.cluster_autoscaler["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.cluster_autoscaler["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
diff --git a/terraform/modules/eks-addons/external-dns.tf b/terraform/modules/eks-addons/external-dns.tf
index 66ca5899..363f33fa 100644
--- a/terraform/modules/eks-addons/external-dns.tf
+++ b/terraform/modules/eks-addons/external-dns.tf
@@ -53,3 +53,44 @@ resource "helm_release" "external_dns" {
 values = ["${concat(list(var.external_dns["use_kiam"] ? local.values_external_dns_kiam : local.values_external_dns),list(var.external_dns["extra_values"]))}"]
 namespace = "${var.external_dns["namespace"]}"
 }
+
+resource "kubernetes_network_policy" "external_dns_default_deny" {
+ count = "${var.external_dns["enabled"] * var.external_dns["default_network_policy"]}"
+ metadata {
+ name = "${var.external_dns["namespace"]}-default-deny"
+ namespace = "${var.external_dns["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "external_dns_allow_namespace" {
+ count = "${var.external_dns["enabled"] * var.external_dns["default_network_policy"]}"
+ metadata {
+ name = "${var.external_dns["namespace"]}-allow-namespace"
+ namespace = "${var.external_dns["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.external_dns["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
diff --git a/terraform/modules/eks-addons/fluentd-cloudwatch.tf b/terraform/modules/eks-addons/fluentd-cloudwatch.tf
index ef735d9a..77c7375f 100644
--- a/terraform/modules/eks-addons/fluentd-cloudwatch.tf
+++ b/terraform/modules/eks-addons/fluentd-cloudwatch.tf
@@ -61,3 +61,44 @@ resource "helm_release" "fluentd_cloudwatch" {
 values = ["${concat(list(var.fluentd_cloudwatch["use_kiam"] ? local.values_fluentd_cloudwatch_kiam : local.values_fluentd_cloudwatch),list(var.fluentd_cloudwatch["extra_values"]))}"]
 namespace = "${var.fluentd_cloudwatch["namespace"]}"
 }
+
+resource "kubernetes_network_policy" "fluentd_cloudwatch_default_deny" {
+ count = "${var.fluentd_cloudwatch["enabled"] * var.fluentd_cloudwatch["default_network_policy"]}"
+ metadata {
+ name = "${var.fluentd_cloudwatch["namespace"]}-default-deny"
+ namespace = "${var.fluentd_cloudwatch["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "fluentd_cloudwatch_allow_namespace" {
+ count = "${var.fluentd_cloudwatch["enabled"] * var.fluentd_cloudwatch["default_network_policy"]}"
+ metadata {
+ name = "${var.fluentd_cloudwatch["namespace"]}-allow-namespace"
+ namespace = "${var.fluentd_cloudwatch["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.fluentd_cloudwatch["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
diff --git a/terraform/modules/eks-addons/flux.tf b/terraform/modules/eks-addons/flux.tf
index f34a8797..102d4949 100644
--- a/terraform/modules/eks-addons/flux.tf
+++ b/terraform/modules/eks-addons/flux.tf
@@ -18,3 +18,44 @@ resource "helm_release" "flux" {
 values = ["${concat(list(local.values_flux),list(var.flux["extra_values"]))}"]
 namespace = "${var.flux["namespace"]}"
 }
+
+resource "kubernetes_network_policy" "flux_default_deny" {
+ count = "${var.flux["enabled"] * var.flux["default_network_policy"]}"
+ metadata {
+ name = "${var.flux["namespace"]}-default-deny"
+ namespace = "${var.flux["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "flux_allow_namespace" {
+ count = "${var.flux["enabled"] * var.flux["default_network_policy"]}"
+ metadata {
+ name = "${var.flux["namespace"]}-allow-namespace"
+ namespace = "${var.flux["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.flux["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
diff --git a/terraform/modules/eks-addons/kiam.tf b/terraform/modules/eks-addons/kiam.tf
index 67e25aa3..f0f9ac6c 100644
--- a/terraform/modules/eks-addons/kiam.tf
+++ b/terraform/modules/eks-addons/kiam.tf
@@ -156,6 +156,47 @@ resource "tls_locally_signed_cert" "kiam_server_crt" {
 ]
 }
 
+resource "kubernetes_network_policy" "kiam_default_deny" {
+ count = "${var.kiam["enabled"] * var.kiam["default_network_policy"]}"
+ metadata {
+ name = "${var.kiam["namespace"]}-default-deny"
+ namespace = "${var.kiam["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "kiam_allow_namespace" {
+ count = "${var.kiam["enabled"] * var.kiam["default_network_policy"]}"
+ metadata {
+ name = "${var.kiam["namespace"]}-allow-namespace"
+ namespace = "${var.kiam["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.kiam["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
+
 output "kiam_ca_crt" {
 value = "${tls_self_signed_cert.kiam_ca_crt.*.cert_pem}"
 }
diff --git a/terraform/modules/eks-addons/kube-prometheus.tf b/terraform/modules/eks-addons/kube-prometheus.tf
index 1156f79c..8808554b 100644
--- a/terraform/modules/eks-addons/kube-prometheus.tf
+++ b/terraform/modules/eks-addons/kube-prometheus.tf
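Review bot: `kiam_allow_namespace` admits only sources whose namespace carries the `name` label, but the kiam server's callers are the kiam agents, which are commonly deployed as a host-network DaemonSet; whether a `namespace_selector` matches connections that originate from a host-network pod varies by CNI, so with `default_network_policy` on the agents may be cut off from the server and every workload relying on kiam loses its credentials. How the agent is deployed (namespace, host networking) is not visible in this hunk, so this needs checking against the chart values rather than assuming. Record the expected flow and the verification on the resource, e.g. `# Agents reach the server over gRPC; agents are host-network, so this selector was verified to match them on <CNI name/version>`, so the next person enabling the flag knows what was tested.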
@@ -30,6 +30,81 @@ resource "helm_release" "prometheus_operator" {
 namespace = "${var.prometheus_operator["namespace"]}"
 }
 
+resource "kubernetes_network_policy" "prometheus_operator_default_deny" {
+ count = "${var.prometheus_operator["enabled"] * var.prometheus_operator["default_network_policy"]}"
+ metadata {
+ name = "${var.prometheus_operator["namespace"]}-default-deny"
+ namespace = "${var.prometheus_operator["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "prometheus_operator_allow_namespace" {
+ count = "${var.prometheus_operator["enabled"] * var.prometheus_operator["default_network_policy"]}"
+ metadata {
+ name = "${var.prometheus_operator["namespace"]}-allow-namespace"
+ namespace = "${var.prometheus_operator["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.prometheus_operator["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "prometheus_operator_allow_ingress_nginx" {
+ count = "${var.prometheus_operator["enabled"] * var.prometheus_operator["default_network_policy"]}"
+ metadata {
+ name = "${var.prometheus_operator["namespace"]}-allow-ingress-nginx"
+ namespace = "${var.prometheus_operator["namespace"]}"
+ }
+
+ spec {
+ pod_selector {
+ match_expressions {
+ key = "app"
+ operator = "In"
+ values = ["grafana"]
+ }
+ }
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.nginx_ingress["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
+
 output "grafana_password" {
 value = "${random_string.grafana_password.*.result}"
 }
diff --git a/terraform/modules/eks-addons/metrics-server.tf b/terraform/modules/eks-addons/metrics-server.tf
index 65c42ab9..fd38d3e0 100644
--- a/terraform/modules/eks-addons/metrics-server.tf
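Review bot: `prometheus_operator_allow_ingress_nginx` opens Grafana to the nginx-ingress namespace, but the opposite direction is not handled anywhere in this commit: every other add-on namespace now gets a default-deny ingress policy whose only exception is same-namespace traffic, so a Prometheus running in `var.prometheus_operator["namespace"]` can no longer scrape pods in the cert-manager, nginx-ingress, kiam or any other add-on namespace once `default_network_policy` is enabled. If those targets are scraped today this is a silent monitoring outage; each of those namespaces needs an ingress rule from the monitoring namespace on the metrics port, or the loss should be stated in the module docs. The `app In ["grafana"]` selector also depends on the chart's pod labels, which are outside the hunk — if the Grafana pods carry a different label the rule matches nothing and the ingress controller is blocked from Grafana as well, so a comment naming the chart version the label was checked against, e.g. `# pod label verified against chart <version>`, would help.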
+++ b/terraform/modules/eks-addons/metrics-server.tf
@@ -19,3 +19,44 @@ resource "helm_release" "metrics_server" {
 values = ["${concat(list(local.values_metrics_server),list(var.metrics_server["extra_values"]))}"]
 namespace = "${var.metrics_server["namespace"]}"
 }
+
+resource "kubernetes_network_policy" "metrics_server_default_deny" {
+ count = "${var.metrics_server["enabled"] * var.metrics_server["default_network_policy"]}"
+ metadata {
+ name = "${var.metrics_server["namespace"]}-default-deny"
+ namespace = "${var.metrics_server["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "metrics_server_allow_namespace" {
+ count = "${var.metrics_server["enabled"] * var.metrics_server["default_network_policy"]}"
+ metadata {
+ name = "${var.metrics_server["namespace"]}-allow-namespace"
+ namespace = "${var.metrics_server["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.metrics_server["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
diff --git a/terraform/modules/eks-addons/nginx-ingress.tf b/terraform/modules/eks-addons/nginx-ingress.tf
index 2f89c098..1dd15398 100644
--- a/terraform/modules/eks-addons/nginx-ingress.tf
+++ b/terraform/modules/eks-addons/nginx-ingress.tf
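Review bot: `metrics_server_default_deny` plus `metrics_server_allow_namespace` leave only same-namespace sources allowed, yet metrics-server is normally registered as an aggregated API whose requests come from the kube-apiserver, which on EKS sits outside the pod network; if the CNI applies the policy to that traffic, `kubectl top` and the HPA stop working the moment `default_network_policy` is set. Whether the APIService registration is part of this module is not visible in the hunk, so this should be tested on a cluster with the flag on. Either add an ingress rule for the control-plane source, taking the range from a module input rather than hard-coding it, or document the restriction on the resource, e.g. `# NOTE: aggregated-API calls from the kube-apiserver are not covered by the allow rule below`.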
@@ -71,3 +71,87 @@ resource "helm_release" "nginx_ingress" {
 values = ["${concat(list(var.nginx_ingress["use_nlb"] ? local.values_nginx_ingress_nlb : var.nginx_ingress["use_l7"] ? local.values_nginx_ingress_l7 : local.values_nginx_ingress_l4),list(var.nginx_ingress["extra_values"]))}"]
 namespace = "${var.nginx_ingress["namespace"]}"
 }
+
+resource "kubernetes_network_policy" "nginx_ingress_default_deny" {
+ count = "${var.nginx_ingress["enabled"] * var.nginx_ingress["default_network_policy"]}"
+ metadata {
+ name = "${var.nginx_ingress["namespace"]}-default-deny"
+ namespace = "${var.nginx_ingress["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "nginx_ingress_allow_namespace" {
+ count = "${var.nginx_ingress["enabled"] * var.nginx_ingress["default_network_policy"]}"
+ metadata {
+ name = "${var.nginx_ingress["namespace"]}-allow-namespace"
+ namespace = "${var.nginx_ingress["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.nginx_ingress["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "nginx_ingress_allow_ingress" {
+ count = "${var.nginx_ingress["enabled"] * var.nginx_ingress["default_network_policy"]}"
+ metadata {
+ name = "${var.nginx_ingress["namespace"]}-allow-ingress"
+ namespace = "${var.nginx_ingress["namespace"]}"
+ }
+
+ spec {
+ pod_selector {
+ match_expressions {
+ key = "app"
+ operator = "In"
+ values = ["nginx-ingress"]
+ }
+ }
+
+ ingress = [
+ {
+ ports = [
+ {
+ port = "80"
+ protocol = "TCP"
+ },
+ {
+ port = "443"
+ protocol = "TCP"
+ },
+ ]
+
+ from = [
+ {
+ ip_block {
+ cidr = "172.30.0.0/16"
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
diff --git a/terraform/modules/eks-addons/node-problem-detector.tf b/terraform/modules/eks-addons/node-problem-detector.tf
index 1b403591..55341fc7 100644
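Review bot: `nginx_ingress_allow_ingress` hard-codes `cidr = "172.30.0.0/16"`, so the policy only works for clusters whose VPC happens to use that range; on any other VPC the load balancer's health checks and forwarded requests are dropped and the ingress goes dark as soon as `default_network_policy` is enabled. The same hunk shows the controller can run behind an NLB (`var.nginx_ingress["use_nlb"]`), and an NLB preserves client source addresses, so in that mode the allowed sources must cover the real clients rather than a private range, which for a public ingress means `0.0.0.0/0` and makes this rule equivalent to allowing ports 80/443 from anywhere. Take the allowed range from the module's input instead, e.g. `cidr = "${var.nginx_ingress["<allowed-cidr input>"]}"`, and document that input as the VPC CIDR for the L4/L7 ELB modes and the client range for NLB mode.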
--- a/terraform/modules/eks-addons/node-problem-detector.tf
+++ b/terraform/modules/eks-addons/node-problem-detector.tf
@@ -23,3 +23,44 @@ resource "helm_release" "node_problem_detector" {
 values = ["${concat(list(local.values_npd),list(var.npd["extra_values"]))}"]
 namespace = "${var.npd["namespace"]}"
 }
+
+resource "kubernetes_network_policy" "npd_default_deny" {
+ count = "${var.npd["enabled"] * var.npd["default_network_policy"]}"
+ metadata {
+ name = "${var.npd["namespace"]}-default-deny"
+ namespace = "${var.npd["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "npd_allow_namespace" {
+ count = "${var.npd["enabled"] * var.npd["default_network_policy"]}"
+ metadata {
+ name = "${var.npd["namespace"]}-allow-namespace"
+ namespace = "${var.npd["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.npd["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
diff --git a/terraform/modules/eks-addons/sealed-secrets.tf b/terraform/modules/eks-addons/sealed-secrets.tf
index b5006da4..c69c9241 100644
--- a/terraform/modules/eks-addons/sealed-secrets.tf
+++ b/terraform/modules/eks-addons/sealed-secrets.tf
@@ -14,3 +14,44 @@ resource "helm_release" "sealed_secrets" {
 values = ["${concat(list(local.values_sealed_secrets),list(var.sealed_secrets["extra_values"]))}"]
 namespace = "${var.sealed_secrets["namespace"]}"
 }
+
+resource "kubernetes_network_policy" "sealed_secrets_default_deny" {
+ count = "${var.sealed_secrets["enabled"] * var.sealed_secrets["default_network_policy"]}"
+ metadata {
+ name = "${var.sealed_secrets["namespace"]}-default-deny"
+ namespace = "${var.sealed_secrets["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "sealed_secrets_allow_namespace" {
+ count = "${var.sealed_secrets["enabled"] * var.sealed_secrets["default_network_policy"]}"
+ metadata {
+ name = "${var.sealed_secrets["namespace"]}-allow-namespace"
+ namespace = "${var.sealed_secrets["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.sealed_secrets["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}
diff --git a/terraform/modules/eks-addons/virtual-kubelet.tf b/terraform/modules/eks-addons/virtual-kubelet.tf
index 85cabde3..0d1b11fb 100644
--- a/terraform/modules/eks-addons/virtual-kubelet.tf
+++ b/terraform/modules/eks-addons/virtual-kubelet.tf
@@ -10,6 +10,10 @@ resource "kubernetes_namespace" "virtual-kubelet" {
 "iam.amazonaws.com/permitted" = ".*"
 }
 
+ labels {
+ name = "${var.virtual_kubelet["namespace"]}"
+ }
+
 name = "${var.virtual_kubelet["namespace"]}"
 }
 }
@@ -159,3 +163,44 @@ resource "kubernetes_deployment" "virtual-kubelet" {
 }
 }
 }
+
+resource "kubernetes_network_policy" "virtual_kubelet_default_deny" {
+ count = "${var.virtual_kubelet["enabled"] * var.virtual_kubelet["default_network_policy"]}"
+ metadata {
+ name = "${var.virtual_kubelet["namespace"]}-default-deny"
+ namespace = "${var.virtual_kubelet["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "virtual_kubelet_allow_namespace" {
+ count = "${var.virtual_kubelet["enabled"] * var.virtual_kubelet["default_network_policy"]}"
+ metadata {
+ name = "${var.virtual_kubelet["namespace"]}-allow-namespace"
+ namespace = "${var.virtual_kubelet["namespace"]}"
+ }
+
+ spec {
+ pod_selector {}
+
+ ingress = [
+ {
+ from = [
+ {
+ namespace_selector {
+ match_labels = {
+ name = "${var.virtual_kubelet["namespace"]}"
+ }
+ }
+ }
+ ]
+ }
+ ]
+
+ policy_types = ["Ingress"]
+ }
+}