From a12c9c3973813eaf3163d413303e46dbc8d5056e Mon Sep 17 00:00:00 2001 From: "Ketelsen, Sven" Date: Tue, 13 Dec 2022 11:49:09 +0000 Subject: [PATCH] DEV-735 updated default firewall rules --- external_monitoring.yml | 2 +- group_vars/all/firewall.yml | 30 ++++++++++--------- group_vars/all/plain.yml | 3 -- group_vars/stage_devscr/argocd.yml | 2 +- group_vars/stage_devscr/firewall.yml | 24 ++++++++------- group_vars/stage_devscr/prometheus.yml | 6 ++-- group_vars/stage_prodwork01/firewall.yml | 24 ++++++++------- roles/kubernetes/argocd/defaults/main.yml | 2 +- roles/kubernetes/gitea/defaults/main.yml | 2 +- .../ingress_controller/defaults/main.yml | 2 +- roles/kubernetes/prometheus/defaults/main.yml | 6 ++-- .../connect-compact/docker-compose.yml.j2 | 2 +- 12 files changed, 54 insertions(+), 51 deletions(-) diff --git a/external_monitoring.yml b/external_monitoring.yml index 9d9555e..3ba0c2d 100644 --- a/external_monitoring.yml +++ b/external_monitoring.yml @@ -37,7 +37,7 @@ port: 9115 proto: tcp src: "{{ item }}" - loop: "{{ prometheus_endpoints_all_stages + ip_whitelist + ip_whitelist_admins + k8s_nodes_mobene }}" + loop: "{{ prometheus_endpoints_all_stages + ip_whitelist + k8s_nodes_mobene }}" - name: "Set firewall default policy" ufw: diff --git a/group_vars/all/firewall.yml b/group_vars/all/firewall.yml index e280f06..6179cfb 100644 --- a/group_vars/all/firewall.yml +++ b/group_vars/all/firewall.yml @@ -32,20 +32,6 @@ hcloud_firewall_objects: source_ips: '{{ ip_whitelist }}' destination_ips: [] description: HTTPS allowed - - - direction: in - protocol: tcp - port: 'any' - source_ips: '{{ ip_whitelist_admins }}' - destination_ips: [] - description: TCP - allow work from home without VPN - - - direction: in - protocol: udp - port: 'any' - source_ips: '{{ ip_whitelist_admins }}' - destination_ips: [] - description: UDP - allow work from home without VPN apply_to: - type: label_selector 
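Review bot: Removing `ip_whitelist_admins` from the `loop` only stops that source from being added on future runs; the `ufw` task is additive, so the allow rule for tcp/9115 that earlier runs already inserted for the admin address stays in place on every host provisioned before this change. Unless something later deletes it, the monitoring hosts do not actually tighten. A one-off cleanup task in the same play, e.g. `ufw: { rule: allow, port: "9115", proto: tcp, src: "<removed-admin-cidr>", delete: true }`, or a reset-and-reapply, closes that gap. The task's `- name:` line and its `ufw:` key sit above the hunk.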
@@ -102,6 +88,22 @@ hcloud_firewall_objects: type: label_selector label_selector: selector: 'stage={{ stage }},service=keycloak' + - + name: "{{ stage }}-access-to-kubernetes-api" + state: present + rules: + - + direction: in + protocol: tcp + port: '6443' + source_ips: "{{ ip_whitelist }}" + destination_ips: [] + description: "Allow access for whitelisted ips" + apply_to: + - + type: label_selector + label_selector: + selector: 'stage={{ stage }},service=kube_control_plane' hcloud_firewall_objects_awx: - diff --git a/group_vars/all/plain.yml b/group_vars/all/plain.yml index eb37055..6e4a5fb 100644 --- a/group_vars/all/plain.yml +++ b/group_vars/all/plain.yml @@ -128,9 +128,6 @@ default_plattform_users: smardigo_plattform_users: "{{ default_plattform_users + custom_plattform_users | default([]) }}" -ip_whitelist_admins: - - "79.215.12.94/32" # sven - ip_whitelist_netgo: - "212.121.131.106/32" # netgo berlin - "149.233.6.129/32" # netgo e-shelter diff --git a/group_vars/stage_devscr/argocd.yml b/group_vars/stage_devscr/argocd.yml index d4645a6..0f785b3 100644 --- a/group_vars/stage_devscr/argocd.yml +++ b/group_vars/stage_devscr/argocd.yml @@ -152,7 +152,7 @@ k8s_argocd_helm__release_values: cert-manager.io/cluster-issuer: letsencrypt-prod cert-manager.io/issue-temporary-certificate: "true" kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}" + nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}" nginx.ingress.kubernetes.io/force-ssl-redirect: "false" nginx.ingress.kubernetes.io/ssl-passthrough: "true" nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" diff --git a/group_vars/stage_devscr/firewall.yml b/group_vars/stage_devscr/firewall.yml index 2714c69..ffe6624 100644 --- a/group_vars/stage_devscr/firewall.yml +++ b/group_vars/stage_devscr/firewall.yml 
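Review bot: The new `{{ stage }}-access-to-kubernetes-api` object grants tcp/6443 to every address in `ip_whitelist`, which the preceding hunk in this file shows is the same list that gates public HTTPS (`description: HTTPS allowed`), so the control-plane API becomes reachable from every source that may reach the web front end, where before only `ip_whitelist_admins` had that reach. If not every whitelisted network needs API access, a dedicated variable keeps the two audiences separable, e.g. `source_ips: "{{ ip_whitelist_kube_api | default(ip_whitelist) }}"`. The object only attaches to servers carrying the `service=kube_control_plane` label; if the control-plane hosts are labelled differently it applies to nothing, which is worth a check against the stage inventories. Minor: `source_ips: "{{ ip_whitelist }}"` and `description: "Allow access for whitelisted ips"` use double quotes while the neighbouring rules in this file single-quote the same kind of Jinja expression; pick one style for the file.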
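Review bot: With `ip_whitelist_admins` gone, the parentheses in `( ip_whitelist ) | join(',')` on the `whitelist-source-range` annotation are a leftover of the old concatenation; `"{{ ip_whitelist | join(',') }}"` reads as intended. The same leftover is in group_vars/stage_devscr/prometheus.yml (three hunks), roles/kubernetes/argocd/defaults/main.yml, roles/kubernetes/gitea/defaults/main.yml, roles/kubernetes/ingress_controller/defaults/main.yml, roles/kubernetes/prometheus/defaults/main.yml (three hunks) and, with `( ip_whitelist_netgo )`, templates/connect-compact/docker-compose.yml.j2.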
@@ -33,22 +33,24 @@ hcloud_firewall_objects: source_ips: '{{ ip_whitelist }}' destination_ips: [] description: HTTPS allowed + apply_to: - - direction: in - protocol: tcp - port: 'any' - source_ips: '{{ ip_whitelist_admins }}' - destination_ips: [] - description: TCP - allow work from home without VPN + type: label_selector + label_selector: + selector: 'stage={{ stage }}' + - + name: "{{ stage }}-access-to-kubernetes-api" + state: present + rules: - direction: in - protocol: udp - port: 'any' - source_ips: '{{ ip_whitelist_admins }}' + protocol: tcp + port: '6443' + source_ips: "{{ ip_whitelist }}" destination_ips: [] - description: UDP - allow work from home without VPN + description: "Allow access for whitelisted ips" apply_to: - type: label_selector label_selector: - selector: 'stage={{ stage }}' + selector: 'stage={{ stage }},service=kube_control_plane' diff --git a/group_vars/stage_devscr/prometheus.yml b/group_vars/stage_devscr/prometheus.yml index 9b49ef1..3edc6ec 100644 --- a/group_vars/stage_devscr/prometheus.yml +++ b/group_vars/stage_devscr/prometheus.yml @@ -17,7 +17,7 @@ k8s_prometheus_helm__release_values: cert-manager.io/issue-temporary-certificate: "true" kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/ssl-redirect: "false" - nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}" + nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}" hosts: - "{{ stage }}-prometheus.{{ domain }}" tls: @@ -45,7 +45,7 @@ k8s_prometheus_helm__release_values: cert-manager.io/issue-temporary-certificate: "true" kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/ssl-redirect: "false" - nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}" + nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}" hosts: - "{{ stage }}-alertmanager.{{ domain }}" tls: 
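Review bot: group_vars/stage_devscr/firewall.yml and group_vars/stage_prodwork01/firewall.yml are byte-identical after this change (both move from blob 2714c69 to ffe6624) and now restate the HTTPS and kube-api objects that group_vars/all/firewall.yml already defines; a stage-level `hcloud_firewall_objects` replaces rather than merges the `all` list, so these copies shadow the default and will drift from it as rules change. Unless the two stages need something the default lacks, dropping both per-stage files and letting group_vars/all/firewall.yml apply is the smaller surface to maintain. If they must stay, note that the keycloak object visible in the `all` hunk is then not in effect for these stages, which is worth confirming is intended.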
@@ -64,7 +64,7 @@ k8s_prometheus_helm__release_values: cert-manager.io/issue-temporary-certificate: "true" kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/ssl-redirect: "false" - nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}" + nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}" hosts: - "{{ stage }}-grafana.{{ domain }}" tls: diff --git a/group_vars/stage_prodwork01/firewall.yml b/group_vars/stage_prodwork01/firewall.yml index 2714c69..ffe6624 100644 --- a/group_vars/stage_prodwork01/firewall.yml +++ b/group_vars/stage_prodwork01/firewall.yml @@ -33,22 +33,24 @@ hcloud_firewall_objects: source_ips: '{{ ip_whitelist }}' destination_ips: [] description: HTTPS allowed + apply_to: - - direction: in - protocol: tcp - port: 'any' - source_ips: '{{ ip_whitelist_admins }}' - destination_ips: [] - description: TCP - allow work from home without VPN + type: label_selector + label_selector: + selector: 'stage={{ stage }}' + - + name: "{{ stage }}-access-to-kubernetes-api" + state: present + rules: - direction: in - protocol: udp - port: 'any' - source_ips: '{{ ip_whitelist_admins }}' + protocol: tcp + port: '6443' + source_ips: "{{ ip_whitelist }}" destination_ips: [] - description: UDP - allow work from home without VPN + description: "Allow access for whitelisted ips" apply_to: - type: label_selector label_selector: - selector: 'stage={{ stage }}' + selector: 'stage={{ stage }},service=kube_control_plane' diff --git a/roles/kubernetes/argocd/defaults/main.yml b/roles/kubernetes/argocd/defaults/main.yml index 855075a..e1933cf 100644 --- a/roles/kubernetes/argocd/defaults/main.yml +++ b/roles/kubernetes/argocd/defaults/main.yml 
@@ -226,7 +226,7 @@ k8s_argocd_helm__release_values: cert-manager.io/cluster-issuer: letsencrypt-prod cert-manager.io/issue-temporary-certificate: "true" kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}" + nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}" nginx.ingress.kubernetes.io/force-ssl-redirect: "false" nginx.ingress.kubernetes.io/ssl-passthrough: "true" nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" diff --git a/roles/kubernetes/gitea/defaults/main.yml b/roles/kubernetes/gitea/defaults/main.yml index 1514e56..1f54512 100644 --- a/roles/kubernetes/gitea/defaults/main.yml +++ b/roles/kubernetes/gitea/defaults/main.yml @@ -29,7 +29,7 @@ k8s_gitea_helm__release_values: cert-manager.io/issue-temporary-certificate: "true" kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/ssl-redirect: "false" - nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}" + nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}" hosts: - host: "{{ stage }}-gitea.{{ domain }}" paths: diff --git a/roles/kubernetes/ingress_controller/defaults/main.yml b/roles/kubernetes/ingress_controller/defaults/main.yml index 4c1eb96..e1d5436 100644 --- a/roles/kubernetes/ingress_controller/defaults/main.yml +++ b/roles/kubernetes/ingress_controller/defaults/main.yml @@ -25,7 +25,7 @@ k8s_ingress_helm__release_values: use-forwarded-headers: "true" use-proxy-protocol: "true" large-client-header-buffers: "4 16k" - whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}" + whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}" service: externalTrafficPolicy: Local healthCheckNodePort: &healthchecknodeport 31066 
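Review bot: The controller-wide `whitelist-source-range` is only as strong as the client address it is compared against, and the context lines just above it enable `use-forwarded-headers: "true"` alongside `use-proxy-protocol: "true"`; with forwarded headers on, ingress-nginx derives the client address from `X-Forwarded-For`, so the whitelist holds only if that header is trusted from the load balancer alone (`proxy-real-ip-cidr` limited to the LB's addresses rather than its default of 0.0.0.0/0). This is pre-existing configuration, but the commit narrows the list on the assumption that it is enforced, so the setting is worth confirming in the same change. The per-ingress `whitelist-source-range` annotations in the other hunks share this dependency.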
diff --git a/roles/kubernetes/prometheus/defaults/main.yml b/roles/kubernetes/prometheus/defaults/main.yml index b52bff9..c4786b5 100644 --- a/roles/kubernetes/prometheus/defaults/main.yml +++ b/roles/kubernetes/prometheus/defaults/main.yml @@ -17,7 +17,7 @@ k8s_prometheus_helm__release_values: cert-manager.io/issue-temporary-certificate: "true" kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/ssl-redirect: "false" - nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}" + nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}" nginx.ingress.kubernetes.io/auth-type: "basic" nginx.ingress.kubernetes.io/auth-secret: "{{ k8s_prometheus_basic_auth_secret_name }}" nginx.ingress.kubernetes.io/auth-realm: "Authentication Required" @@ -44,7 +44,7 @@ k8s_prometheus_helm__release_values: cert-manager.io/issue-temporary-certificate: "true" kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/ssl-redirect: "false" - nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}" + nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}" nginx.ingress.kubernetes.io/auth-type: "basic" nginx.ingress.kubernetes.io/auth-secret: "{{ k8s_alertmanager_basic_auth_secret_name }}" nginx.ingress.kubernetes.io/auth-realm: "Authentication Required" @@ -66,7 +66,7 @@ k8s_prometheus_helm__release_values: cert-manager.io/issue-temporary-certificate: "true" kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/ssl-redirect: "false" - nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}" + nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}" hosts: - "{{ stage }}-kube-grafana.{{ domain }}" tls: 
diff --git a/templates/connect-compact/docker-compose.yml.j2 b/templates/connect-compact/docker-compose.yml.j2 index 1a99708..7575b31 100644 --- a/templates/connect-compact/docker-compose.yml.j2 +++ b/templates/connect-compact/docker-compose.yml.j2 @@ -157,7 +157,7 @@ services: - "traefik.http.routers.{{ connect_id }}-kibana.tls.certresolver={{ connect_compact_tls_cert_resolver }}" - "traefik.http.services.{{ connect_id }}-kibana.loadbalancer.server.port=5601" - "traefik.http.routers.{{ connect_id }}-kibana.middlewares={{ connect_id }}-kibana-ipwhitelist" - - "traefik.http.middlewares.{{ connect_id }}-kibana-ipwhitelist.ipwhitelist.sourcerange={{ ( ip_whitelist_netgo + ip_whitelist_admins ) | join(',') }}" + - "traefik.http.middlewares.{{ connect_id }}-kibana-ipwhitelist.ipwhitelist.sourcerange={{ ( ip_whitelist_netgo ) | join(',') }}" mem_limit: 1G volumes: - "./config/kibana/kibana.yml:/usr/share/kibana/config/kibana.yml:ro"