add all pod_ranges to cluster firewall rules and add missing shadow rules

splichy · splichy · commit a404d99e4fec · 2022-11-28T17:56:22.000+01:00
diff --git a/autogen/main/firewall.tf.tmpl b/autogen/main/firewall.tf.tmpl
@@ -34,11 +34,12 @@ resource "google_compute_firewall" "intra_egress" {
   direction   = "EGRESS"
 
   target_tags = [local.cluster_network_tag]
-  destination_ranges = [
+  destination_ranges = concat([
     local.cluster_endpoint_for_nodes,
     local.cluster_subnet_cidr,
-    local.cluster_alias_ranges_cidr[var.ip_range_pods],
-  ]
+    ],
+    local.pod_all_ip_ranges
+  )
 
   # Allow all possible protocols
   allow { protocol = "tcp" }
@@ -143,7 +144,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
   priority    = var.shadow_firewall_rules_priority
   direction   = "INGRESS"
 
-  source_ranges = [local.cluster_alias_ranges_cidr[var.ip_range_pods]]
+  source_ranges = local.pod_all_ip_ranges
   target_tags   = [local.cluster_network_tag]
 
   # Allow all possible protocols
@@ -213,3 +214,50 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
     metadata = "INCLUDE_ALL_METADATA"
   }
 }
+
+resource "google_compute_firewall" "shadow_allow_inkubelet" {
+  count = var.add_shadow_firewall_rules ? 1 : 0
+
+  name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet"
+  description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
+  project     = local.network_project_id
+  network     = var.network
+  priority    = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
+  direction   = "INGRESS"
+
+  source_ranges = local.pod_all_ip_ranges
+  source_tags   = [local.cluster_network_tag]
+  target_tags   = [local.cluster_network_tag]
+
+  allow {
+    protocol = "tcp"
+    ports    = ["10255"]
+  }
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+}
+
+resource "google_compute_firewall" "shadow_deny_exkubelet" {
+  count = var.add_shadow_firewall_rules ? 1 : 0
+
+  name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet"
+  description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
+  project     = local.network_project_id
+  network     = var.network
+  priority    = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
+  direction   = "INGRESS"
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = [local.cluster_network_tag]
+
+  deny {
+    protocol = "tcp"
+    ports    = ["10255"]
+  }
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+}
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
@@ -86,6 +86,7 @@ locals {
 
   cluster_subnet_cidr       = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
   cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
+  pod_all_ip_ranges         = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools): local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0] )) : []
 
 {% if autopilot_cluster != true %}
   cluster_network_policy = var.network_policy ? [{
