Skip to content

Commit

Permalink
feat: Introduce add_master_webhook_firewall_rules flag to add webhooks (
Browse files Browse the repository at this point in the history 
#882)

- Flag controls exclusive creation of a firewall rule for ports defined in firewall_inbound_ports
- The existing flag add_cluster_firewall_rules is kept on the firewall rule resource for backwards compatibility
  • Loading branch information
@fstr
fstr authored Apr 29, 2021
1 parent 110adb6 commit 8a5dcb8
Show file tree
Hide file tree
Showing 23 changed files with 78 additions and 23 deletions.
3 changes: 2 additions & 1 deletion README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,7 @@ Then perform the following commands on the root folder:
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
Expand All @@ -141,7 +142,7 @@ Then perform the following commands on the root folder:
| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
Expand Down
2 changes: 1 addition & 1 deletion autogen/main/firewall.tf.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ resource "google_compute_firewall" "intra_egress" {
https://github.com/kubernetes/kubernetes/issues/79739
*****************************************/
resource "google_compute_firewall" "master_webhooks" {
count = var.add_cluster_firewall_rules ? 1 : 0
count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks"
description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
project = local.network_project_id
Expand Down
8 changes: 7 additions & 1 deletion autogen/main/variables.tf.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -569,6 +569,12 @@ variable "add_cluster_firewall_rules" {
default = false
}

variable "add_master_webhook_firewall_rules" {
type = bool
description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`"
default = false
}

variable "firewall_priority" {
type = number
description = "Priority rule for firewall rules"
Expand All @@ -577,7 +583,7 @@ variable "firewall_priority" {

variable "firewall_inbound_ports" {
type = list(string)
description = "List of TCP ports for admission/webhook controllers"
description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied."
default = ["8443", "9443", "15017"]
}

Expand Down
2 changes: 1 addition & 1 deletion firewall.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ resource "google_compute_firewall" "intra_egress" {
https://github.com/kubernetes/kubernetes/issues/79739
*****************************************/
resource "google_compute_firewall" "master_webhooks" {
count = var.add_cluster_firewall_rules ? 1 : 0
count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks"
description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
project = local.network_project_id
Expand Down
3 changes: 2 additions & 1 deletion modules/beta-private-cluster-update-variant/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,7 @@ Then perform the following commands on the root folder:
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
Expand Down Expand Up @@ -187,7 +188,7 @@ Then perform the following commands on the root folder:
| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-private-cluster-update-variant/firewall.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ resource "google_compute_firewall" "intra_egress" {
https://github.com/kubernetes/kubernetes/issues/79739
*****************************************/
resource "google_compute_firewall" "master_webhooks" {
count = var.add_cluster_firewall_rules ? 1 : 0
count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks"
description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
project = local.network_project_id
Expand Down
8 changes: 7 additions & 1 deletion modules/beta-private-cluster-update-variant/variables.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -549,6 +549,12 @@ variable "add_cluster_firewall_rules" {
default = false
}

variable "add_master_webhook_firewall_rules" {
type = bool
description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`"
default = false
}

variable "firewall_priority" {
type = number
description = "Priority rule for firewall rules"
Expand All @@ -557,7 +563,7 @@ variable "firewall_priority" {

variable "firewall_inbound_ports" {
type = list(string)
description = "List of TCP ports for admission/webhook controllers"
description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied."
default = ["8443", "9443", "15017"]
}

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-private-cluster/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,7 @@ Then perform the following commands on the root folder:
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
Expand Down Expand Up @@ -165,7 +166,7 @@ Then perform the following commands on the root folder:
| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-private-cluster/firewall.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ resource "google_compute_firewall" "intra_egress" {
https://github.com/kubernetes/kubernetes/issues/79739
*****************************************/
resource "google_compute_firewall" "master_webhooks" {
count = var.add_cluster_firewall_rules ? 1 : 0
count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks"
description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
project = local.network_project_id
Expand Down
8 changes: 7 additions & 1 deletion modules/beta-private-cluster/variables.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -549,6 +549,12 @@ variable "add_cluster_firewall_rules" {
default = false
}

variable "add_master_webhook_firewall_rules" {
type = bool
description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`"
default = false
}

variable "firewall_priority" {
type = number
description = "Priority rule for firewall rules"
Expand All @@ -557,7 +563,7 @@ variable "firewall_priority" {

variable "firewall_inbound_ports" {
type = list(string)
description = "List of TCP ports for admission/webhook controllers"
description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied."
default = ["8443", "9443", "15017"]
}

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-public-cluster-update-variant/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,7 @@ Then perform the following commands on the root folder:
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
Expand Down Expand Up @@ -178,7 +179,7 @@ Then perform the following commands on the root folder:
| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-public-cluster-update-variant/firewall.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ resource "google_compute_firewall" "intra_egress" {
https://github.com/kubernetes/kubernetes/issues/79739
*****************************************/
resource "google_compute_firewall" "master_webhooks" {
count = var.add_cluster_firewall_rules ? 1 : 0
count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks"
description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
project = local.network_project_id
Expand Down
8 changes: 7 additions & 1 deletion modules/beta-public-cluster-update-variant/variables.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -518,6 +518,12 @@ variable "add_cluster_firewall_rules" {
default = false
}

variable "add_master_webhook_firewall_rules" {
type = bool
description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`"
default = false
}

variable "firewall_priority" {
type = number
description = "Priority rule for firewall rules"
Expand All @@ -526,7 +532,7 @@ variable "firewall_priority" {

variable "firewall_inbound_ports" {
type = list(string)
description = "List of TCP ports for admission/webhook controllers"
description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied."
default = ["8443", "9443", "15017"]
}

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-public-cluster/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,7 @@ Then perform the following commands on the root folder:
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
Expand Down Expand Up @@ -156,7 +157,7 @@ Then perform the following commands on the root folder:
| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-public-cluster/firewall.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ resource "google_compute_firewall" "intra_egress" {
https://github.com/kubernetes/kubernetes/issues/79739
*****************************************/
resource "google_compute_firewall" "master_webhooks" {
count = var.add_cluster_firewall_rules ? 1 : 0
count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks"
description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
project = local.network_project_id
Expand Down
8 changes: 7 additions & 1 deletion modules/beta-public-cluster/variables.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -518,6 +518,12 @@ variable "add_cluster_firewall_rules" {
default = false
}

variable "add_master_webhook_firewall_rules" {
type = bool
description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`"
default = false
}

variable "firewall_priority" {
type = number
description = "Priority rule for firewall rules"
Expand All @@ -526,7 +532,7 @@ variable "firewall_priority" {

variable "firewall_inbound_ports" {
type = list(string)
description = "List of TCP ports for admission/webhook controllers"
description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied."
default = ["8443", "9443", "15017"]
}

Expand Down
Loading

0 comments on commit 8a5dcb8

Please sign in to comment.