feat: Add firewall support safer-cluster modules (#570)

Author: Dev25

.kitchen.yml

@@ -51,6 +51,12 @@ suites:
       systems:
         - name: safer_cluster
           backend: local
+          controls:
+            - gcloud
+        - name: inspec-gcp
+          backend: gcp
+          controls:
+            - network
   - name: "simple_regional"
     driver:
       root_module_directory: test/fixtures/simple_regional

autogen/main/cluster.tf.tmpl

@@ -509,7 +509,7 @@ resource "google_container_node_pool" "pools" {
     {% endif %}
 
     shielded_instance_config {
-      enable_secure_boot =  lookup(each.value, "enable_secure_boot", false)
+      enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
       enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
     }
   }

autogen/main/firewall.tf.tmpl

@@ -48,9 +48,11 @@ resource "google_compute_firewall" "intra_egress" {
   allow { protocol = "esp" }
   allow { protocol = "ah" }
 
+  {% if not private_cluster %}
   depends_on = [
     google_container_cluster.primary,
   ]
+  {% endif %}
 }
 
 
@@ -77,8 +79,10 @@ resource "google_compute_firewall" "master_webhooks" {
     ports    = var.firewall_inbound_ports
   }
 
+  {% if not private_cluster %}
   depends_on = [
     google_container_cluster.primary,
   ]
+  {% endif %}
 
 }

autogen/safer-cluster/main.tf.tmpl

@@ -49,6 +49,10 @@ module "gke" {
   ip_range_pods     = var.ip_range_pods
   ip_range_services = var.ip_range_services
 
+  add_cluster_firewall_rules = var.add_cluster_firewall_rules
+  firewall_priority          = var.firewall_priority
+  firewall_inbound_ports     = var.firewall_inbound_ports
+
   horizontal_pod_autoscaling = var.horizontal_pod_autoscaling
   http_load_balancing        = var.http_load_balancing
 

autogen/safer-cluster/variables.tf.tmpl

@@ -342,3 +342,21 @@ variable "gce_pd_csi_driver" {
   description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
   default     = true
 }
+
+variable "add_cluster_firewall_rules" {
+  type        = bool
+  description = "Create additional firewall rules"
+  default     = false
+}
+
+variable "firewall_priority" {
+  type        = number
+  description = "Priority rule for firewall rules"
+  default     = 1000
+}
+
+variable "firewall_inbound_ports" {
+  type        = list(string)
+  description = "List of TCP ports for admission/webhook controllers"
+  default     = ["8443", "9443", "15017"]
+}

examples/safer_cluster/main.tf

@@ -49,6 +49,8 @@ module "gke" {
   ip_range_services              = local.svc_range_name
   compute_engine_service_account = var.compute_engine_service_account
   master_ipv4_cidr_block         = "172.16.0.0/28"
+  add_cluster_firewall_rules     = true
+  firewall_inbound_ports         = ["9443", "15017"]
 
   master_authorized_networks = [
     {

modules/beta-private-cluster-update-variant/firewall.tf

@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {
   allow { protocol = "esp" }
   allow { protocol = "ah" }
 
-  depends_on = [
-    google_container_cluster.primary,
-  ]
 }
 
 
@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {
     ports    = var.firewall_inbound_ports
   }
 
-  depends_on = [
-    google_container_cluster.primary,
-  ]
 
 }

modules/beta-private-cluster/firewall.tf

@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {
   allow { protocol = "esp" }
   allow { protocol = "ah" }
 
-  depends_on = [
-    google_container_cluster.primary,
-  ]
 }
 
 
@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {
     ports    = var.firewall_inbound_ports
   }
 
-  depends_on = [
-    google_container_cluster.primary,
-  ]
 
 }

modules/private-cluster-update-variant/firewall.tf

@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {
   allow { protocol = "esp" }
   allow { protocol = "ah" }
 
-  depends_on = [
-    google_container_cluster.primary,
-  ]
 }
 
 
@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {
     ports    = var.firewall_inbound_ports
   }
 
-  depends_on = [
-    google_container_cluster.primary,
-  ]
 
 }

modules/private-cluster/firewall.tf

@@ -48,9 +48,6 @@ resource "google_compute_firewall" "intra_egress" {
   allow { protocol = "esp" }
   allow { protocol = "ah" }
 
-  depends_on = [
-    google_container_cluster.primary,
-  ]
 }
 
 
@@ -77,8 +74,5 @@ resource "google_compute_firewall" "master_webhooks" {
     ports    = var.firewall_inbound_ports
   }
 
-  depends_on = [
-    google_container_cluster.primary,
-  ]
 
 }

modules/safer-cluster-update-variant/README.md

@@ -200,6 +200,7 @@ For simplicity, we suggest using `roles/container.admin` and
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| add\_cluster\_firewall\_rules | Create additional firewall rules | bool | `"false"` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | string | `"null"` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | `<map>` | no |
@@ -214,6 +215,8 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
+| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `<list>` | no |
+| firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"true"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"true"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |

modules/safer-cluster-update-variant/main.tf

@@ -45,6 +45,10 @@ module "gke" {
   ip_range_pods     = var.ip_range_pods
   ip_range_services = var.ip_range_services
 
+  add_cluster_firewall_rules = var.add_cluster_firewall_rules
+  firewall_priority          = var.firewall_priority
+  firewall_inbound_ports     = var.firewall_inbound_ports
+
   horizontal_pod_autoscaling = var.horizontal_pod_autoscaling
   http_load_balancing        = var.http_load_balancing
 

modules/safer-cluster-update-variant/variables.tf

@@ -342,3 +342,21 @@ variable "gce_pd_csi_driver" {
   description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
   default     = true
 }
+
+variable "add_cluster_firewall_rules" {
+  type        = bool
+  description = "Create additional firewall rules"
+  default     = false
+}
+
+variable "firewall_priority" {
+  type        = number
+  description = "Priority rule for firewall rules"
+  default     = 1000
+}
+
+variable "firewall_inbound_ports" {
+  type        = list(string)
+  description = "List of TCP ports for admission/webhook controllers"
+  default     = ["8443", "9443", "15017"]
+}

modules/safer-cluster/README.md

@@ -200,6 +200,7 @@ For simplicity, we suggest using `roles/container.admin` and
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| add\_cluster\_firewall\_rules | Create additional firewall rules | bool | `"false"` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | string | `"null"` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | `<map>` | no |
@@ -214,6 +215,8 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
+| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `<list>` | no |
+| firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"true"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"true"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |

modules/safer-cluster/main.tf

@@ -45,6 +45,10 @@ module "gke" {
   ip_range_pods     = var.ip_range_pods
   ip_range_services = var.ip_range_services
 
+  add_cluster_firewall_rules = var.add_cluster_firewall_rules
+  firewall_priority          = var.firewall_priority
+  firewall_inbound_ports     = var.firewall_inbound_ports
+
   horizontal_pod_autoscaling = var.horizontal_pod_autoscaling
   http_load_balancing        = var.http_load_balancing
 

modules/safer-cluster/variables.tf

@@ -342,3 +342,21 @@ variable "gce_pd_csi_driver" {
   description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
   default     = true
 }
+
+variable "add_cluster_firewall_rules" {
+  type        = bool
+  description = "Create additional firewall rules"
+  default     = false
+}
+
+variable "firewall_priority" {
+  type        = number
+  description = "Priority rule for firewall rules"
+  default     = 1000
+}
+
+variable "firewall_inbound_ports" {
+  type        = list(string)
+  description = "List of TCP ports for admission/webhook controllers"
+  default     = ["8443", "9443", "15017"]
+}

test/integration/safer_cluster/controls/network.rb

@@ -0,0 +1,25 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+project_id   = attribute('project_id')
+cluster_name = attribute('cluster_name')
+
+control "network" do
+  title "gcp network configuration"
+  describe google_compute_firewalls(project: project_id) do
+    its('firewall_names') { should include "gke-#{cluster_name[0,25]}-intra-cluster-egress" }
+    its('firewall_names') { should include "gke-#{cluster_name[0,25]}-webhooks" }
+  end
+
+end

test/integration/safer_cluster/inspec.yml

@@ -1,4 +1,8 @@
 name: safer_cluster
+depends:
+  - name: inspec-gcp
+    git: https://github.com/inspec/inspec-gcp.git
+    tag: v0.11.0
 attributes:
   - name: project_id
     required: true