# https://kubernetes.io/docs/reference/networking/ports-and-protocols/
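resource "digitalocean_firewall" "kubernetes_controller_firewall" {
  name        = "kubernetes-controller-firewall"
  droplet_ids = [for node in digitalocean_droplet.controller_node : node.id]

  # Kubernetes API server (kubectl, kubelets, controllers).
  # NOTE(review): reachable from the whole internet. The API server is the
  # cluster's control surface; consider limiting source_addresses to the
  # operator/CI CIDRs plus local.all_ips unless world reachability is a
  # deliberate choice.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "6443"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # etcd client API (2379) and peer traffic (2380).
  # NOTE(review): only the API server and other etcd members need these
  # ports; the worker nodes that local.all_ips presumably includes do not.
  # Narrowing this to the controller addresses would limit what a compromised
  # worker can reach (etcd holds every Secret in the cluster).
  inbound_rule {
    protocol         = "tcp"
    port_range       = "2379-2380"
    source_addresses = local.all_ips
  }

  # Kubelet API (10250) plus the legacy kube-scheduler (10251) and
  # kube-controller-manager (10252) ports.
  # NOTE(review): current releases serve scheduler/controller-manager on
  # 10259/10257 over TLS and bind them to localhost by default; 10251/10252
  # are the deprecated insecure ports. Confirm which ports this cluster
  # actually listens on before relying on this range.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "10250-10252"
    source_addresses = local.all_ips
  }

  # SSH for node administration.
  # NOTE(review): world-reachable SSH on control plane nodes. Restrict this to
  # a bastion/VPN CIDR rather than 0.0.0.0/0, and keep key-only auth on the
  # host.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Allow all outbound traffic. A DigitalOcean firewall only permits what is
  # listed, so a TCP-only rule is not "all": UDP is required for DNS, NTP and
  # most overlay networks (VXLAN/WireGuard), ICMP for path-MTU discovery.
  outbound_rule {
    protocol              = "tcp"
    port_range            = "all"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "udp"
    port_range            = "all"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}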
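resource "digitalocean_firewall" "kubernetes_worker_firewall" {
  name        = "kubernetes-worker-firewall"
  droplet_ids = [for node in digitalocean_droplet.worker_node : node.id]

  # NOTE(review): the previous world-open inbound rule for TCP 6443 was
  # dropped. kube-apiserver listens only on control plane nodes (see the
  # ports reference linked at the top of this file); workers connect out to
  # it, which the outbound rules below already allow. Re-add it only if the
  # workers really front the API (e.g. a load balancer running on them).

  # Kubelet API: the API server (exec/logs/port-forward) and metrics
  # collectors need it; nothing outside the cluster does.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "10250"
    source_addresses = local.all_ips
  }

  # NodePort Services.
  # NOTE(review): every NodePort service is exposed to the internet on every
  # worker. If services are meant to be published through a load balancer or
  # ingress, restrict this to that source; if UDP NodePorts are used they need
  # a separate "udp" rule, this one only covers TCP.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "30000-32767"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # SSH for node administration.
  # NOTE(review): world-reachable SSH. Restrict this to a bastion/VPN CIDR
  # rather than 0.0.0.0/0, and keep key-only auth on the host.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Allow all outbound traffic. A DigitalOcean firewall only permits what is
  # listed, so a TCP-only rule is not "all": UDP is required for DNS, NTP and
  # most overlay networks (VXLAN/WireGuard), ICMP for path-MTU discovery.
  outbound_rule {
    protocol              = "tcp"
    port_range            = "all"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "udp"
    port_range            = "all"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}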