Merge pull request #1 from evry-ace/add/dns_visibility_policy

Add DNS visibility Cilium Network Policy
evry-ace · Aug 27, 2021 · 727e1a3 · 727e1a3
2 parents 4ff080b + b711705
commit 727e1a3
Show file tree

Hide file tree

Showing 5 changed files with 157 additions and 1 deletion.
diff --git a/.markdownlint.json b/.markdownlint.json
@@ -0,0 +1,6 @@
+{
+  "MD013": false,
+  "MD033": false,
+  "MD034": false,
+  "MD036": false
+}
diff --git a/README.md b/README.md
@@ -1,2 +1,56 @@
-# tf-cilium-network-policies
+# Cilium network policies module
+
 A Terraform module for implementing Cilium Network Policies
+
+## Documentation
+
+### Technical description of module
+
+In order to use this module, you need to use the Terraform *kubernetes* provider in a version higher than, or equal to, version `2.4.1`. In addition, Terraform must be of version `0.13` or above.
+
+An additional requirement is that the **Beta** feature `kubernetes_manifest` is enabled for the *kubernetes* provider:
+
+```terraform
+provider "kubernetes" {
+    ....
+
+    experiments {
+        manifest_resource = true
+    }
+}
+```
+
+To upgrade from the *kubernetes_alpha* provider, to using the **Beta** channel of the *kubernetes* provider, you can follow the instructions as provided here:
+https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/guides/alpha-manifest-migration-guide
+
+## Module idiosyncrasies
+
+*None*
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_terraform"></a> [terraform](#provider\_terraform) | ~> 0.13 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | ~> 2.4.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [kubernetes_manifest.dns_visibility](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_default_cilium_network_policies_enabled"></a> [default\_cilium\_network\_policies\_enabled](#input\_default\_cilium\_network\_policies\_enabled) | Define whether or not the Cilium network policies should be created. | `bool` | `false` | no |
+| <a name="input_namespace"></a> [namespace](#input\_namespace) | Name of the Kubernetes namespace to install the Cilium Network Policies in | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
diff --git a/dns_visibility.tf b/dns_visibility.tf
@@ -0,0 +1,73 @@
+resource "kubernetes_manifest" "dns_visibility" {
+  count = var.default_cilium_network_policies_enabled ? 1 : 0
+
+  manifest = {
+    apiVersion = "cilium.io/v2"
+    kind       = "CiliumNetworkPolicy"
+
+    metadata = {
+      name      = "dns-visibility-policy"
+      namespace = var.namespace
+    }
+
+    spec = {
+      egress = [
+        {
+          toEntities = [
+            "cluster",
+            "world",
+          ]
+        },
+        {
+          toEndpoints = [
+            {
+              matchLabels = {
+                "io.kubernetes.pod.namespace" = "kube-system"
+                "k8s-app"                     = "kube-dns"
+              }
+            },
+          ]
+          toPorts = [
+            {
+              ports = [
+                {
+                  port     = "53"
+                  protocol = "ANY"
+                },
+              ]
+              rules = {
+                dns = [
+                  {
+                    matchPattern = "*"
+                  },
+                ]
+              }
+            },
+          ]
+        },
+        {
+          toFQDNs = [
+            {
+              matchPattern = "*"
+            },
+          ]
+        },
+      ]
+      endpointSelector = {
+        matchLabels = {}
+      }
+      ingress = [
+        {
+          fromEntities = [
+            "world",
+            "cluster",
+          ]
+        },
+        {
+          fromEndpoints = []
+        },
+      ]
+    }
+  }
+}
+
diff --git a/providers.tf b/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.4.1"
+    }
+  }
+
+  required_version = "~> 0.13"
+}
+
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,12 @@
+# Default variables
+variable "default_cilium_network_policies_enabled" {
+  description = "Define whether or not the Cilium Network Policies should be created."
+  type        = bool
+  default     = false
+}
+
+variable "namespace" {
+  description = "The Kubernetes namespace where the resource(s) will be created"
+  type        = string
+}
+