autogen

Author: splichy

firewall.tf

@@ -34,11 +34,12 @@ resource "google_compute_firewall" "intra_egress" {
   direction   = "EGRESS"
 
   target_tags = [local.cluster_network_tag]
-  destination_ranges = [
+  destination_ranges = concat([
     local.cluster_endpoint_for_nodes,
     local.cluster_subnet_cidr,
-    local.cluster_alias_ranges_cidr[var.ip_range_pods],
-  ]
+    ],
+    local.pod_all_ip_ranges
+  )
 
   # Allow all possible protocols
   allow { protocol = "tcp" }
@@ -99,7 +100,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
   priority    = var.shadow_firewall_rules_priority
   direction   = "INGRESS"
 
-  source_ranges = [local.cluster_alias_ranges_cidr[var.ip_range_pods]]
+  source_ranges = local.pod_all_ip_ranges
   target_tags   = [local.cluster_network_tag]
 
   # Allow all possible protocols
@@ -169,3 +170,50 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
     metadata = "INCLUDE_ALL_METADATA"
   }
 }
+
+resource "google_compute_firewall" "shadow_allow_inkubelet" {
+  count = var.add_shadow_firewall_rules ? 1 : 0
+
+  name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet"
+  description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
+  project     = local.network_project_id
+  network     = var.network
+  priority    = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
+  direction   = "INGRESS"
+
+  source_ranges = local.pod_all_ip_ranges
+  source_tags   = [local.cluster_network_tag]
+  target_tags   = [local.cluster_network_tag]
+
+  allow {
+    protocol = "tcp"
+    ports    = ["10255"]
+  }
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+}
+
+resource "google_compute_firewall" "shadow_deny_exkubelet" {
+  count = var.add_shadow_firewall_rules ? 1 : 0
+
+  name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet"
+  description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
+  project     = local.network_project_id
+  network     = var.network
+  priority    = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
+  direction   = "INGRESS"
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = [local.cluster_network_tag]
+
+  deny {
+    protocol = "tcp"
+    ports    = ["10255"]
+  }
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+}

main.tf

@@ -73,6 +73,7 @@ locals {
 
   cluster_subnet_cidr       = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
   cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
+  pod_all_ip_ranges         = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : []
 
   cluster_network_policy = var.network_policy ? [{
     enabled  = true

modules/beta-autopilot-private-cluster/firewall.tf

@@ -34,11 +34,12 @@ resource "google_compute_firewall" "intra_egress" {
   direction   = "EGRESS"
 
   target_tags = [local.cluster_network_tag]
-  destination_ranges = [
+  destination_ranges = concat([
     local.cluster_endpoint_for_nodes,
     local.cluster_subnet_cidr,
-    local.cluster_alias_ranges_cidr[var.ip_range_pods],
-  ]
+    ],
+    local.pod_all_ip_ranges
+  )
 
   # Allow all possible protocols
   allow { protocol = "tcp" }
@@ -126,7 +127,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
   priority    = var.shadow_firewall_rules_priority
   direction   = "INGRESS"
 
-  source_ranges = [local.cluster_alias_ranges_cidr[var.ip_range_pods]]
+  source_ranges = local.pod_all_ip_ranges
   target_tags   = [local.cluster_network_tag]
 
   # Allow all possible protocols
@@ -196,3 +197,50 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
     metadata = "INCLUDE_ALL_METADATA"
   }
 }
+
+resource "google_compute_firewall" "shadow_allow_inkubelet" {
+  count = var.add_shadow_firewall_rules ? 1 : 0
+
+  name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet"
+  description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
+  project     = local.network_project_id
+  network     = var.network
+  priority    = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
+  direction   = "INGRESS"
+
+  source_ranges = local.pod_all_ip_ranges
+  source_tags   = [local.cluster_network_tag]
+  target_tags   = [local.cluster_network_tag]
+
+  allow {
+    protocol = "tcp"
+    ports    = ["10255"]
+  }
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+}
+
+resource "google_compute_firewall" "shadow_deny_exkubelet" {
+  count = var.add_shadow_firewall_rules ? 1 : 0
+
+  name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet"
+  description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
+  project     = local.network_project_id
+  network     = var.network
+  priority    = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
+  direction   = "INGRESS"
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = [local.cluster_network_tag]
+
+  deny {
+    protocol = "tcp"
+    ports    = ["10255"]
+  }
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+}

modules/beta-autopilot-private-cluster/main.tf

@@ -60,6 +60,7 @@ locals {
 
   cluster_subnet_cidr       = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
   cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
+  pod_all_ip_ranges         = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : []
 
 
   cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{

modules/beta-autopilot-public-cluster/firewall.tf

@@ -34,11 +34,12 @@ resource "google_compute_firewall" "intra_egress" {
   direction   = "EGRESS"
 
   target_tags = [local.cluster_network_tag]
-  destination_ranges = [
+  destination_ranges = concat([
     local.cluster_endpoint_for_nodes,
     local.cluster_subnet_cidr,
-    local.cluster_alias_ranges_cidr[var.ip_range_pods],
-  ]
+    ],
+    local.pod_all_ip_ranges
+  )
 
   # Allow all possible protocols
   allow { protocol = "tcp" }
@@ -135,7 +136,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
   priority    = var.shadow_firewall_rules_priority
   direction   = "INGRESS"
 
-  source_ranges = [local.cluster_alias_ranges_cidr[var.ip_range_pods]]
+  source_ranges = local.pod_all_ip_ranges
   target_tags   = [local.cluster_network_tag]
 
   # Allow all possible protocols
@@ -205,3 +206,50 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
     metadata = "INCLUDE_ALL_METADATA"
   }
 }
+
+resource "google_compute_firewall" "shadow_allow_inkubelet" {
+  count = var.add_shadow_firewall_rules ? 1 : 0
+
+  name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet"
+  description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
+  project     = local.network_project_id
+  network     = var.network
+  priority    = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
+  direction   = "INGRESS"
+
+  source_ranges = local.pod_all_ip_ranges
+  source_tags   = [local.cluster_network_tag]
+  target_tags   = [local.cluster_network_tag]
+
+  allow {
+    protocol = "tcp"
+    ports    = ["10255"]
+  }
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+}
+
+resource "google_compute_firewall" "shadow_deny_exkubelet" {
+  count = var.add_shadow_firewall_rules ? 1 : 0
+
+  name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet"
+  description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
+  project     = local.network_project_id
+  network     = var.network
+  priority    = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
+  direction   = "INGRESS"
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = [local.cluster_network_tag]
+
+  deny {
+    protocol = "tcp"
+    ports    = ["10255"]
+  }
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+}

modules/beta-autopilot-public-cluster/main.tf

@@ -60,6 +60,7 @@ locals {
 
   cluster_subnet_cidr       = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
   cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
+  pod_all_ip_ranges         = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : []
 
 
   cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{

modules/beta-private-cluster-update-variant/firewall.tf

@@ -34,11 +34,12 @@ resource "google_compute_firewall" "intra_egress" {
   direction   = "EGRESS"
 
   target_tags = [local.cluster_network_tag]
-  destination_ranges = [
+  destination_ranges = concat([
     local.cluster_endpoint_for_nodes,
     local.cluster_subnet_cidr,
-    local.cluster_alias_ranges_cidr[var.ip_range_pods],
-  ]
+    ],
+    local.pod_all_ip_ranges
+  )
 
   # Allow all possible protocols
   allow { protocol = "tcp" }
@@ -126,7 +127,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
   priority    = var.shadow_firewall_rules_priority
   direction   = "INGRESS"
 
-  source_ranges = [local.cluster_alias_ranges_cidr[var.ip_range_pods]]
+  source_ranges = local.pod_all_ip_ranges
   target_tags   = [local.cluster_network_tag]
 
   # Allow all possible protocols
@@ -196,3 +197,50 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
     metadata = "INCLUDE_ALL_METADATA"
   }
 }
+
+resource "google_compute_firewall" "shadow_allow_inkubelet" {
+  count = var.add_shadow_firewall_rules ? 1 : 0
+
+  name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet"
+  description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
+  project     = local.network_project_id
+  network     = var.network
+  priority    = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
+  direction   = "INGRESS"
+
+  source_ranges = local.pod_all_ip_ranges
+  source_tags   = [local.cluster_network_tag]
+  target_tags   = [local.cluster_network_tag]
+
+  allow {
+    protocol = "tcp"
+    ports    = ["10255"]
+  }
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+}
+
+resource "google_compute_firewall" "shadow_deny_exkubelet" {
+  count = var.add_shadow_firewall_rules ? 1 : 0
+
+  name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet"
+  description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
+  project     = local.network_project_id
+  network     = var.network
+  priority    = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
+  direction   = "INGRESS"
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = [local.cluster_network_tag]
+
+  deny {
+    protocol = "tcp"
+    ports    = ["10255"]
+  }
+
+  log_config {
+    metadata = "INCLUDE_ALL_METADATA"
+  }
+}

modules/beta-private-cluster-update-variant/main.tf

@@ -74,6 +74,7 @@ locals {
 
   cluster_subnet_cidr       = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
   cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
+  pod_all_ip_ranges         = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : []
 
   cluster_network_policy = var.network_policy ? [{
     enabled  = true