Remove default namespace from being selected by fargate, also adds se…

…cgrouppolicies for essentials namespace along with kube-system namespace (#68) * Remove default namespace from being selected by fargate * Add sec grp policies to namespaces * Shift the secgrouppolicy creation to fargate profile submodule * Add namespaces list to be added secgroupolicy * Add namespace default value * Dont add to any namespace if not indicated --------- Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
SPHTech-Platform · Jun 23, 2023 · b984bff · b984bff
1 parent ca8ddad
commit b984bff
Show file tree

Hide file tree

Showing 7 changed files with 59 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -312,6 +312,7 @@ module "karpenter" {
 | <a name="output_cluster_security_group_id"></a> [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security Group ID of the master nodes |
 | <a name="output_ebs_kms_key_arn"></a> [ebs\_kms\_key\_arn](#output\_ebs\_kms\_key\_arn) | KMS Key ARN used for EBS encryption |
 | <a name="output_ebs_kms_key_id"></a> [ebs\_kms\_key\_id](#output\_ebs\_kms\_key\_id) | KMS Key ID used for EBS encryption |
+| <a name="output_fargate_namespaces_for_security_group"></a> [fargate\_namespaces\_for\_security\_group](#output\_fargate\_namespaces\_for\_security\_group) | value for fargate\_namespaces\_for\_security\_group |
 | <a name="output_oidc_provider_arn"></a> [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | OIDC Provider ARN for IRSA |
 | <a name="output_worker_iam_role_arn"></a> [worker\_iam\_role\_arn](#output\_worker\_iam\_role\_arn) | IAM Role ARN used by worker nodes |
 | <a name="output_worker_iam_role_name"></a> [worker\_iam\_role\_name](#output\_worker\_iam\_role\_name) | IAM Role Name used by worker nodes |

diff --git a/fargate_profile.tf b/fargate_profile.tf
@@ -1,29 +1,18 @@
 locals {
 
+  essentials_namespaces  = ["opentelemetry-operator-system", "cert-manager", "brupop-bottlerocket-aws"] # to add more if the essentials module deploys in any new namespaces
+  kube_system_namespaces = ["kube-system"]
+
+  fargate_namespaces = concat(local.essentials_namespaces, local.kube_system_namespaces)
+
   default_fargate_profiles = merge(
     {
-      default = {
-        name = "default"
-        selectors = [
-          {
-            namespace = "default"
-          },
-        ]
-        subnet_ids = var.subnet_ids
-      }
       essentials = {
         subnet_ids = var.subnet_ids
         selectors = [
-          {
-            namespace = "opentelemetry-operator-system"
-          },
-          {
-            namespace = "cert-manager"
-          },
-          {
-            namespace = "brupop-bottlerocket-aws"
-          },
-          # to add more if the essentials module deploys in any new namespaces
+          for ns_value in local.essentials_namespaces : {
+            namespace = ns_value
+          }
         ]
       }
     },
@@ -55,5 +44,8 @@ module "fargate_profiles" {
   create_aws_observability_ns     = var.create_aws_observability_ns
   create_fargate_logger_configmap = var.create_fargate_logger_configmap
 
+  eks_worker_security_group_id          = module.eks.node_security_group_id
+  fargate_namespaces_for_security_group = local.fargate_namespaces
+
   tags = var.tags
 }
diff --git a/modules/eks_managed_nodes/REDME.md b/modules/eks_managed_nodes/REDME.md
diff --git a/modules/fargate_profile/README.md b/modules/fargate_profile/README.md
@@ -80,6 +80,7 @@ module "fargate_profile" {
 | Name | Type |
 |------|------|
 | [kubernetes_config_map_v1.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource |
+| [kubernetes_manifest.sg](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_namespace_v1.aws_observability](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
@@ -91,6 +92,8 @@ module "fargate_profile" {
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS Cluster name | `string` | n/a | yes |
 | <a name="input_create_aws_observability_ns"></a> [create\_aws\_observability\_ns](#input\_create\_aws\_observability\_ns) | value to determine if aws-observability namespace is created | `bool` | `true` | no |
 | <a name="input_create_fargate_logger_configmap"></a> [create\_fargate\_logger\_configmap](#input\_create\_fargate\_logger\_configmap) | value to determine if create\_fargate\_logger\_configmap is created | `bool` | `true` | no |
+| <a name="input_eks_worker_security_group_id"></a> [eks\_worker\_security\_group\_id](#input\_eks\_worker\_security\_group\_id) | Security Group ID of the worker nodes | `string` | n/a | yes |
+| <a name="input_fargate_namespaces_for_security_group"></a> [fargate\_namespaces\_for\_security\_group](#input\_fargate\_namespaces\_for\_security\_group) | List of fargate namespaces to craete SecurityGroupPolicy for talking to managed nodes | `list(string)` | `[]` | no |
 | <a name="input_fargate_profile_defaults"></a> [fargate\_profile\_defaults](#input\_fargate\_profile\_defaults) | Map of Fargate Profile default configurations | `any` | `{}` | no |
 | <a name="input_fargate_profiles"></a> [fargate\_profiles](#input\_fargate\_profiles) | Map of maps of `fargate_profiles` to create | `any` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags for all resources | `map(string)` | `{}` | no |

diff --git a/modules/fargate_profile/main.tf b/modules/fargate_profile/main.tf
@@ -22,3 +22,28 @@ module "fargate_profile" {
   iam_role_tags                 = lookup(each.value, "iam_role_tags", {})
   tags                          = merge(var.tags, lookup(each.value, "tags", {}))
 }
+
+
+
+resource "kubernetes_manifest" "sg" {
+
+  for_each = var.fargate_namespaces_for_security_group
+
+  manifest = {
+    apiVersion = "vpcresources.k8s.aws/v1beta1"
+    kind       = "SecurityGroupPolicy"
+    metadata = {
+      name      = "fargate-node-${each.value}-sg"
+      namespace = each.value
+    }
+    spec = {
+      podSelector = {
+        matchLabels = {}
+      }
+      securityGroups = {
+        groupIds = [var.eks_worker_security_group_id]
+      }
+    }
+  }
+
+}
diff --git a/modules/fargate_profile/variables.tf b/modules/fargate_profile/variables.tf
@@ -50,3 +50,17 @@ variable "create_fargate_logger_configmap" {
   type        = bool
   default     = true
 }
+
+##################################
+### Fargate Selector Namespaces ##
+##################################
+variable "fargate_namespaces_for_security_group" {
+  description = "List of fargate namespaces to craete SecurityGroupPolicy for talking to managed nodes"
+  type        = list(string)
+  default     = []
+}
+
+variable "eks_worker_security_group_id" {
+  description = "Security Group ID of the worker nodes"
+  type        = string
+}
diff --git a/outputs.tf b/outputs.tf
@@ -77,3 +77,8 @@ output "cluster_version" {
   description = "Version of the EKS Cluster"
   value       = module.eks.cluster_version
 }
+
+output "fargate_namespaces_for_security_group" {
+  description = "value for fargate_namespaces_for_security_group"
+  value       = local.fargate_namespaces
+}