From be29f5203988ae042448885d3978eb88c099cb04 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Sun, 7 Apr 2019 02:29:07 -0700 Subject: [PATCH] Add enable_aggregation option (defaults to false) * Add an `enable_aggregation` variable to enable the kube-apiserver aggregation layer for adding extension apiservers to clusters * Aggregation is **disabled** by default. Typhoon recommends you not enable aggregation. Consider whether less invasive ways to achieve your goals are possible and whether those goals are well-founded * Enabling aggregation and extension apiservers increases the attack surface of a cluster and makes extensions a part of the control plane. Admins must scrutinize and trust any extension apiserver used. * Passing a v1.14 CNCF conformance test requires aggregation be enabled. Having an option for aggregation keeps compliance, but retains the stricter security posture on default clusters
---
 CHANGES.md | 3 +++
 aws/container-linux/kubernetes/bootkube.tf | 3 ++-
 aws/container-linux/kubernetes/variables.tf | 6 ++++++
 aws/fedora-atomic/kubernetes/bootkube.tf | 2 +-
 azure/container-linux/kubernetes/bootkube.tf | 3 ++-
 azure/container-linux/kubernetes/variables.tf | 6 ++++++
 bare-metal/container-linux/kubernetes/bootkube.tf | 3 ++-
 bare-metal/container-linux/kubernetes/variables.tf | 6 ++++++
 bare-metal/fedora-atomic/kubernetes/bootkube.tf | 2 +-
 .../container-linux/kubernetes/bootkube.tf | 3 ++-
 digital-ocean/container-linux/kubernetes/network.tf | 13 ++++++-------
 digital-ocean/container-linux/kubernetes/outputs.tf | 5 ++---
 .../container-linux/kubernetes/variables.tf | 6 ++++++
 digital-ocean/fedora-atomic/kubernetes/bootkube.tf | 2 +-
 google-cloud/container-linux/kubernetes/bootkube.tf | 3 ++-
 .../container-linux/kubernetes/variables.tf | 6 ++++++
 google-cloud/fedora-atomic/kubernetes/bootkube.tf | 2 +-
 17 files changed, 55 insertions(+), 19 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index a2b85ff3e..ddc9d7855 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -6,6 +6,9 @@ Notable changes between versions.
 * Kubernetes [v1.14.0](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.14.md#v1140)
 * Update Calico from v3.6.0 to v3.6.1
+* Add `enable_aggregation` option for CNCF conformance
+ * Aggregation is disabled by default to retain our security stance
+ * Aggregation increases the security surface area. Extensions become part of the control plane and must be scrutinized carefully and trusted. Favor leaving aggregation disabled.
 #### AWS
diff --git a/aws/container-linux/kubernetes/bootkube.tf b/aws/container-linux/kubernetes/bootkube.tf
index c40108978..be6212077 100644
--- a/aws/container-linux/kubernetes/bootkube.tf
+++ b/aws/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
@@ -12,4 +12,5 @@ module "bootkube" {
 service_cidr = "${var.service_cidr}"
 cluster_domain_suffix = "${var.cluster_domain_suffix}"
 enable_reporting = "${var.enable_reporting}"
+ enable_aggregation = "${var.enable_aggregation}"
 }
diff --git a/aws/container-linux/kubernetes/variables.tf b/aws/container-linux/kubernetes/variables.tf
index 10e5dce3f..33be7faac 100644
--- a/aws/container-linux/kubernetes/variables.tf
+++ b/aws/container-linux/kubernetes/variables.tf
@@ -146,3 +146,9 @@ variable "enable_reporting" {
 description = "Enable usage or analytics reporting to upstreams (Calico)"
 default = "false"
 }
+
+variable "enable_aggregation" {
+ description = "Enable the Kubernetes Aggregation Layer (defaults to false)"
+ type = "string"
+ default = "false"
+}
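Review bot: The new `enable_aggregation = "${var.enable_aggregation}"` pass-through exists only in the container-linux bootkube.tf files; the four fedora-atomic bootkube.tf files in this patch (aws, bare-metal, digital-ocean, google-cloud) receive just the render-module ref bump, and no `enable_aggregation` variable is added to their variables.tf. Whether those clusters end up with aggregation on or off therefore depends entirely on the default inside terraform-render-bootkube at the new ref, which this patch does not show; if that default is false as the commit message implies, fedora-atomic users simply cannot opt in, and if it is not, they get the larger control-plane attack surface with no knob to turn it off. Either wire the same line and variable into the fedora-atomic modules, or state in the CHANGES.md entry that the option is container-linux only. The same pass-through appears in the azure, bare-metal, digital-ocean and google-cloud container-linux bootkube.tf hunks. The `module "bootkube"` block starts outside this hunk.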
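Review bot: The description of the new `enable_aggregation` variable says nothing about the consequence that the commit message and CHANGES.md spell out, and the variable description is the only text a module user sees when reading variables.tf or generated module documentation. Suggest `description = "Enable the Kubernetes Aggregation Layer so extension apiservers can be registered; extensions become part of the control plane and must be trusted. Leave disabled unless required (defaults to false)"`. Separately, `type = "string"` is set here while the sibling `enable_reporting` block directly above declares no type; pick one convention for both. The same applies to the azure, bare-metal, digital-ocean and google-cloud variables.tf hunks.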
diff --git a/aws/fedora-atomic/kubernetes/bootkube.tf b/aws/fedora-atomic/kubernetes/bootkube.tf
index cfa874170..054e4b09e 100644
--- a/aws/fedora-atomic/kubernetes/bootkube.tf
+++ b/aws/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/azure/container-linux/kubernetes/bootkube.tf b/azure/container-linux/kubernetes/bootkube.tf
index 7b0bd0627..a1b1732ec 100644
--- a/azure/container-linux/kubernetes/bootkube.tf
+++ b/azure/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
@@ -11,4 +11,5 @@ module "bootkube" {
 service_cidr = "${var.service_cidr}"
 cluster_domain_suffix = "${var.cluster_domain_suffix}"
 enable_reporting = "${var.enable_reporting}"
+ enable_aggregation = "${var.enable_aggregation}"
 }
diff --git a/azure/container-linux/kubernetes/variables.tf b/azure/container-linux/kubernetes/variables.tf
index d55e4bc8d..b5e378dc6 100644
--- a/azure/container-linux/kubernetes/variables.tf
+++ b/azure/container-linux/kubernetes/variables.tf
@@ -121,3 +121,9 @@ variable "enable_reporting" {
 description = "Enable usage or analytics reporting to upstreams (Calico)"
 default = "false"
 }
+
+variable "enable_aggregation" {
+ description = "Enable the Kubernetes Aggregation Layer (defaults to false)"
+ type = "string"
+ default = "false"
+}
diff --git a/bare-metal/container-linux/kubernetes/bootkube.tf b/bare-metal/container-linux/kubernetes/bootkube.tf
index 3e834398f..75f923453 100644
--- a/bare-metal/container-linux/kubernetes/bootkube.tf
+++ b/bare-metal/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${var.k8s_domain_name}"]
@@ -13,4 +13,5 @@ module "bootkube" {
 service_cidr = "${var.service_cidr}"
 cluster_domain_suffix = "${var.cluster_domain_suffix}"
 enable_reporting = "${var.enable_reporting}"
+ enable_aggregation = "${var.enable_aggregation}"
 }
diff --git a/bare-metal/container-linux/kubernetes/variables.tf b/bare-metal/container-linux/kubernetes/variables.tf
index bfba58dba..788ecd4aa 100644
--- a/bare-metal/container-linux/kubernetes/variables.tf
+++ b/bare-metal/container-linux/kubernetes/variables.tf
@@ -153,3 +153,9 @@ variable "enable_reporting" {
 description = "Enable usage or analytics reporting to upstreams (Calico)"
 default = "false"
 }
+
+variable "enable_aggregation" {
+ description = "Enable the Kubernetes Aggregation Layer (defaults to false)"
+ type = "string"
+ default = "false"
+}
diff --git a/bare-metal/fedora-atomic/kubernetes/bootkube.tf b/bare-metal/fedora-atomic/kubernetes/bootkube.tf
index a6fbb57cf..5cb852fb5 100644
--- a/bare-metal/fedora-atomic/kubernetes/bootkube.tf
+++ b/bare-metal/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${var.k8s_domain_name}"]
diff --git a/digital-ocean/container-linux/kubernetes/bootkube.tf b/digital-ocean/container-linux/kubernetes/bootkube.tf
index cf67d6724..878af4f16 100644
--- a/digital-ocean/container-linux/kubernetes/bootkube.tf
+++ b/digital-ocean/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
@@ -12,4 +12,5 @@ module "bootkube" {
 service_cidr = "${var.service_cidr}"
 cluster_domain_suffix = "${var.cluster_domain_suffix}"
 enable_reporting = "${var.enable_reporting}"
+ enable_aggregation = "${var.enable_aggregation}"
 }
diff --git a/digital-ocean/container-linux/kubernetes/network.tf b/digital-ocean/container-linux/kubernetes/network.tf
index 27a4e0c28..52cf7fb12 100644
--- a/digital-ocean/container-linux/kubernetes/network.tf
+++ b/digital-ocean/container-linux/kubernetes/network.tf
@@ -55,13 +55,13 @@ resource "digitalocean_firewall" "controllers" {
 # etcd, kube-apiserver, kubelet
 inbound_rule = [
 {
- protocol = "tcp"
- port_range = "2379-2380"
+ protocol = "tcp"
+ port_range = "2379-2380"
 source_tags = ["${digitalocean_tag.controllers.name}"]
 },
 {
- protocol = "tcp"
- port_range = "2381"
+ protocol = "tcp"
+ port_range = "2381"
 source_tags = ["${digitalocean_tag.workers.name}"]
 },
 {
@@ -90,10 +90,9 @@ resource "digitalocean_firewall" "workers" {
 source_addresses = ["0.0.0.0/0", "::/0"]
 },
 {
- protocol = "tcp"
- port_range = "10254"
+ protocol = "tcp"
+ port_range = "10254"
 source_addresses = ["0.0.0.0/0"]
 },
 ]
 }
-
diff --git a/digital-ocean/container-linux/kubernetes/outputs.tf b/digital-ocean/container-linux/kubernetes/outputs.tf
index 7ca6b81cf..15172d7f5 100644
--- a/digital-ocean/container-linux/kubernetes/outputs.tf
+++ b/digital-ocean/container-linux/kubernetes/outputs.tf
@@ -31,11 +31,10 @@ output "workers_ipv6" {
 output "controller_tag" {
 description = "Tag applied to controller droplets"
- value = "${digitalocean_tag.controllers.name}"
+ value = "${digitalocean_tag.controllers.name}"
 }
 output "worker_tag" {
 description = "Tag applied to worker droplets"
- value = "${digitalocean_tag.workers.name}"
+ value = "${digitalocean_tag.workers.name}"
 }
-
diff --git a/digital-ocean/container-linux/kubernetes/variables.tf b/digital-ocean/container-linux/kubernetes/variables.tf
index 535797e64..9606fed08 100644
--- a/digital-ocean/container-linux/kubernetes/variables.tf
+++ b/digital-ocean/container-linux/kubernetes/variables.tf
@@ -98,3 +98,9 @@ variable "enable_reporting" {
 description = "Enable usage or analytics reporting to upstreams (Calico)"
 default = "false"
 }
+
+variable "enable_aggregation" {
+ description = "Enable the Kubernetes Aggregation Layer (defaults to false)"
+ type = "string"
+ default = "false"
+}
diff --git a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
index 41dd57bbc..11e59d4d1 100644
--- a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
+++ b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/google-cloud/container-linux/kubernetes/bootkube.tf b/google-cloud/container-linux/kubernetes/bootkube.tf
index eeca64d6b..446362c6c 100644
--- a/google-cloud/container-linux/kubernetes/bootkube.tf
+++ b/google-cloud/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
@@ -12,6 +12,7 @@ module "bootkube" {
 service_cidr = "${var.service_cidr}"
 cluster_domain_suffix = "${var.cluster_domain_suffix}"
 enable_reporting = "${var.enable_reporting}"
+ enable_aggregation = "${var.enable_aggregation}"
 // temporary
 apiserver_port = 443
diff --git a/google-cloud/container-linux/kubernetes/variables.tf b/google-cloud/container-linux/kubernetes/variables.tf
index 61d1cdf46..971dc3140 100644
--- a/google-cloud/container-linux/kubernetes/variables.tf
+++ b/google-cloud/container-linux/kubernetes/variables.tf
@@ -121,3 +121,9 @@ variable "enable_reporting" {
 description = "Enable usage or analytics reporting to upstreams (Calico)"
 default = "false"
 }
+
+variable "enable_aggregation" {
+ description = "Enable the Kubernetes Aggregation Layer (defaults to false)"
+ type = "string"
+ default = "false"
+}
diff --git a/google-cloud/fedora-atomic/kubernetes/bootkube.tf b/google-cloud/fedora-atomic/kubernetes/bootkube.tf
index 851eeedcb..a2ca4d8a9 100644
--- a/google-cloud/fedora-atomic/kubernetes/bootkube.tf
+++ b/google-cloud/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]