Merge pull request #896 from M4t7e/firewall-cleanup

Cleanup of Firewall Rules
kube-hetzner · Jul 26, 2023 · af7a986 · af7a986
2 parents c6d3445 + 7399d17
commit af7a986
Show file tree

Hide file tree

Showing 4 changed files with 137 additions and 133 deletions.
diff --git a/README.md b/README.md
@@ -143,7 +143,23 @@ _Once you start with Terraform, it's best not to change the state of the project
 
 When your brand-new cluster is up and running, the sky is your limit! 🎉
 
-You can immediately kubectl into it (using the `clustername_kubeconfig.yaml` saved to the project's directory after the installation). By doing `kubectl --kubeconfig clustername_kubeconfig.yaml`, but for more convenience, either create a symlink from `~/.kube/config` to `clustername_kubeconfig.yaml` or add an export statement to your `~/.bashrc` or `~/.zshrc` file, as follows (you can get the path of `clustername_kubeconfig.yaml` by running `pwd`):
+You can view all kinds of details about the cluster by running `terraform output kubeconfig` or `terraform output -json kubeconfig | jq`.
+
+To manage your cluster with `kubectl`, you can either use SSH to connect to a control plane node or connect to the Kube API directly.
+
+### Connect via SSH
+
+You can connect to one of the control plane nodes via SSH with `ssh root@<cp-ip-address>`. Now you are able to use `kubectl` to manage your workloads right away. By default, the firewall allows SSH connections from everywhere. You can change that by configuring the `firewall_ssh_source` in your kube.tf file.
+
+### Connect via Kube API
+
+Make sure you can connect to the Kube API from a trusted network by configuring `firewall_kube_api_source` in your kube.tf file like that:
+```hcl
+firewall_kube_api_source = ["1.2.3.4/32"]
+```
+**Info:** Opening the Kube API to the public (`["0.0.0.0/0", "::/0"]`) is not recommended!
+
+If you have access to the Kube API, you can immediately kubectl into it (using the `clustername_kubeconfig.yaml` saved to the project's directory after the installation). By doing `kubectl --kubeconfig clustername_kubeconfig.yaml`, but for more convenience, either create a symlink from `~/.kube/config` to `clustername_kubeconfig.yaml` or add an export statement to your `~/.bashrc` or `~/.zshrc` file, as follows (you can get the path of `clustername_kubeconfig.yaml` by running `pwd`):
 
 ```sh
 export KUBECONFIG=/<path-to>/clustername_kubeconfig.yaml
@@ -153,7 +169,6 @@ If chose to turn `create_kubeconfig` to false in your kube.tf (good practice), y
 
 You can also use it in an automated flow, in which case `create_kubeconfig` should be set to false, and you can use the `kubeconfig` output variable to get the kubeconfig file in a structured data format.
 
-_You can view all kinds of details about the cluster by running `terraform output kubeconfig` or `terraform output -json kubeconfig | jq`._
 
 ## CNI
 

diff --git a/kube.tf.example b/kube.tf.example
@@ -482,6 +482,14 @@ module "kube-hetzner" {
   # If you want to allow all outbound traffic you can set this to "false". Default is "true".
   # restrict_outbound_traffic = false
 
+  # Allow access to the Kube API from the specified networks. Default: ["0.0.0.0/0", "::/0"]
+  # Allowed values: null (disable Kube API rule entirely) or a list of allowed networks with CIDR notation
+  firewall_kube_api_source = null
+
+  # Allow SSH access from the specified networks. Default: ["0.0.0.0/0", "::/0"]
+  # Allowed values: null (disable SSH rule entirely) or a list of allowed networks with CIDR notation
+  # firewall_ssh_source = ["1.2.3.4/32", "1234::1/128"]
+
   # Adding extra firewall rules, like opening a port
   # More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall
   # extra_firewall_rules = [

diff --git a/locals.tf b/locals.tf
@@ -136,137 +136,106 @@ locals {
   default_control_plane_taints = concat([], local.allow_scheduling_on_control_plane ? [] : ["node-role.kubernetes.io/control-plane:NoSchedule"])
   default_agent_taints         = concat([], var.cni_plugin == "cilium" ? ["node.cilium.io/agent-not-ready:NoExecute"] : [])
 
-  # The following IPs are important to be whitelisted because they communicate with Hetzner services and enable the CCM and CSI to work properly.
-  # Source https://github.com/hetznercloud/csi-driver/issues/204#issuecomment-848625566
-  hetzner_metadata_service_ipv4 = "169.254.169.254/32"
-  hetzner_cloud_api_ipv4        = "213.239.246.21/32"
-
-  whitelisted_ips = [
-    var.network_ipv4_cidr,
-    local.hetzner_metadata_service_ipv4,
-    local.hetzner_cloud_api_ipv4,
-    "127.0.0.1/32",
-  ]
-
-  base_firewall_rules = concat([
-    # Allowing internal cluster traffic and Hetzner metadata service and cloud API IPs
-    {
-      description = "Allow Internal Cluster TCP Traffic"
-      direction   = "in"
-      protocol    = "tcp"
-      port        = "any"
-      source_ips  = local.whitelisted_ips
-    },
-    {
-      description = "Allow Internal Cluster UDP Traffic"
-      direction   = "in"
-      protocol    = "udp"
-      port        = "any"
-      source_ips  = local.whitelisted_ips
-    },
-
-    # Allow all traffic to the kube api server
-    {
-      description = "Allow Incoming Requests to Kube API Server"
-      direction   = "in"
-      protocol    = "tcp"
-      port        = "6443"
-      source_ips  = ["0.0.0.0/0", "::/0"]
-    },
-
-    # Allow all traffic to the ssh port
-    {
-      description = "Allow Incoming SSH Traffic"
-      direction   = "in"
-      protocol    = "tcp"
-      port        = var.ssh_port
-      source_ips  = ["0.0.0.0/0", "::/0"]
-    },
-    ], !var.restrict_outbound_traffic ? [] : [
-    # Allow basic out traffic
-    # ICMP to ping outside services
-    {
-      description     = "Allow Outbound ICMP Ping Requests"
-      direction       = "out"
-      protocol        = "icmp"
-      port            = ""
-      destination_ips = ["0.0.0.0/0", "::/0"]
-    },
-
-    # DNS
-    {
-      description     = "Allow Outbound TCP DNS Requests"
-      direction       = "out"
-      protocol        = "tcp"
-      port            = "53"
-      destination_ips = ["0.0.0.0/0", "::/0"]
-    },
-    {
-      description     = "Allow Outbound UDP DNS Requests"
-      direction       = "out"
-      protocol        = "udp"
-      port            = "53"
-      destination_ips = ["0.0.0.0/0", "::/0"]
-    },
-
-    # HTTP(s)
-    {
-      description     = "Allow Outbound HTTP Requests"
-      direction       = "out"
-      protocol        = "tcp"
-      port            = "80"
-      destination_ips = ["0.0.0.0/0", "::/0"]
-    },
-    {
-      description     = "Allow Outbound HTTPS Requests"
-      direction       = "out"
-      protocol        = "tcp"
-      port            = "443"
-      destination_ips = ["0.0.0.0/0", "::/0"]
-    },
-
-    #NTP
-    {
-      description     = "Allow Outbound UDP NTP Requests"
-      direction       = "out"
-      protocol        = "udp"
-      port            = "123"
-      destination_ips = ["0.0.0.0/0", "::/0"]
-    }
-    ], !local.using_klipper_lb ? [] : [
-    # Allow incoming web traffic for single node clusters, because we are using k3s servicelb there,
-    # not an external load-balancer.
-    {
-      description = "Allow Incoming HTTP Connections"
-      direction   = "in"
-      protocol    = "tcp"
-      port        = "80"
-      source_ips  = ["0.0.0.0/0", "::/0"]
-    },
-    {
-      description = "Allow Incoming HTTPS Connections"
-      direction   = "in"
-      protocol    = "tcp"
-      port        = "443"
-      source_ips  = ["0.0.0.0/0", "::/0"]
-    }
-    ], var.block_icmp_ping_in ? [] : [
-    {
-      description = "Allow Incoming ICMP Ping Requests"
-      direction   = "in"
-      protocol    = "icmp"
-      port        = ""
-      source_ips  = ["0.0.0.0/0", "::/0"]
-    }
-    ], var.cni_plugin != "cilium" ? [] : [
-    {
-      description = "Allow Incoming Requests to Hubble Server & Hubble Relay (Cilium)"
-      direction   = "in"
-      protocol    = "tcp"
-      port        = "4244-4245"
-      source_ips  = ["0.0.0.0/0", "::/0"]
-    }
-  ])
+  base_firewall_rules = concat(
+    var.firewall_ssh_source == null ? [] : [
+      # Allow all traffic to the ssh port
+      {
+        description = "Allow Incoming SSH Traffic"
+        direction   = "in"
+        protocol    = "tcp"
+        port        = var.ssh_port
+        source_ips  = var.firewall_ssh_source
+      },
+    ],
+    var.firewall_kube_api_source == null ? [] : [
+      {
+        description = "Allow Incoming Requests to Kube API Server"
+        direction   = "in"
+        protocol    = "tcp"
+        port        = "6443"
+        source_ips  = var.firewall_kube_api_source
+      }
+    ],
+    !var.restrict_outbound_traffic ? [] : [
+      # Allow basic out traffic
+      # ICMP to ping outside services
+      {
+        description     = "Allow Outbound ICMP Ping Requests"
+        direction       = "out"
+        protocol        = "icmp"
+        port            = ""
+        destination_ips = ["0.0.0.0/0", "::/0"]
+      },
+
+      # DNS
+      {
+        description     = "Allow Outbound TCP DNS Requests"
+        direction       = "out"
+        protocol        = "tcp"
+        port            = "53"
+        destination_ips = ["0.0.0.0/0", "::/0"]
+      },
+      {
+        description     = "Allow Outbound UDP DNS Requests"
+        direction       = "out"
+        protocol        = "udp"
+        port            = "53"
+        destination_ips = ["0.0.0.0/0", "::/0"]
+      },
+
+      # HTTP(s)
+      {
+        description     = "Allow Outbound HTTP Requests"
+        direction       = "out"
+        protocol        = "tcp"
+        port            = "80"
+        destination_ips = ["0.0.0.0/0", "::/0"]
+      },
+      {
+        description     = "Allow Outbound HTTPS Requests"
+        direction       = "out"
+        protocol        = "tcp"
+        port            = "443"
+        destination_ips = ["0.0.0.0/0", "::/0"]
+      },
+
+      #NTP
+      {
+        description     = "Allow Outbound UDP NTP Requests"
+        direction       = "out"
+        protocol        = "udp"
+        port            = "123"
+        destination_ips = ["0.0.0.0/0", "::/0"]
+      }
+    ],
+    !local.using_klipper_lb ? [] : [
+      # Allow incoming web traffic for single node clusters, because we are using k3s servicelb there,
+      # not an external load-balancer.
+      {
+        description = "Allow Incoming HTTP Connections"
+        direction   = "in"
+        protocol    = "tcp"
+        port        = "80"
+        source_ips  = ["0.0.0.0/0", "::/0"]
+      },
+      {
+        description = "Allow Incoming HTTPS Connections"
+        direction   = "in"
+        protocol    = "tcp"
+        port        = "443"
+        source_ips  = ["0.0.0.0/0", "::/0"]
+      }
+    ],
+    var.block_icmp_ping_in ? [] : [
+      {
+        description = "Allow Incoming ICMP Ping Requests"
+        direction   = "in"
+        protocol    = "icmp"
+        port        = ""
+        source_ips  = ["0.0.0.0/0", "::/0"]
+      }
+    ]
+  )
 
   # create a new firewall list based on base_firewall_rules but with direction-protocol-port as key
   # this is needed to avoid duplicate rules

diff --git a/variables.tf b/variables.tf
@@ -379,6 +379,18 @@ variable "extra_firewall_rules" {
   description = "Additional firewall rules to apply to the cluster."
 }
 
+variable "firewall_kube_api_source" {
+  type        = list(string)
+  default     = ["0.0.0.0/0", "::/0"]
+  description = "Source networks that have Kube API access to the servers."
+}
+
+variable "firewall_ssh_source" {
+  type        = list(string)
+  default     = ["0.0.0.0/0", "::/0"]
+  description = "Source networks that have SSH access to the servers."
+}
+
 variable "use_cluster_name_in_node_name" {
   type        = bool
   default     = true