DEV-735 updated default firewall rules

3 years ago · a12c9c3973
parent 80bfb06f61
commit a12c9c3973
12 changed files with 54 additions and 51 deletions
--- a/external_monitoring.yml
+++ b/external_monitoring.yml
@ -37,7 +37,7 @@
      port: 9115
      proto: tcp
      src: "{{ item }}"
-    loop: "{{ prometheus_endpoints_all_stages + ip_whitelist + ip_whitelist_admins + k8s_nodes_mobene }}"
+    loop: "{{ prometheus_endpoints_all_stages + ip_whitelist + k8s_nodes_mobene }}"

  - name: "Set firewall default policy"
    ufw:
--- a/group_vars/all/firewall.yml
+++ b/group_vars/all/firewall.yml
@ -32,20 +32,6 @@ hcloud_firewall_objects:
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: HTTPS allowed
-     -
-        direction: in
-        protocol: tcp
-        port: 'any'
-        source_ips: '{{ ip_whitelist_admins }}'
-        destination_ips: []
-        description: TCP - allow work from home without VPN
-     -
-        direction: in
-        protocol: udp
-        port: 'any'
-        source_ips: '{{ ip_whitelist_admins }}'
-        destination_ips: []
-        description: UDP - allow work from home without VPN
     apply_to:
     -
       type: label_selector
@ -102,6 +88,22 @@ hcloud_firewall_objects:
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }},service=keycloak'
+   -
+     name: "{{ stage }}-access-to-kubernetes-api"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '6443'
+        source_ips: "{{ ip_whitelist }}"
+        destination_ips: []
+        description: "Allow access for whitelisted ips"
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }},service=kube_control_plane'

 hcloud_firewall_objects_awx:
   -
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@ -128,9 +128,6 @@ default_plattform_users:

 smardigo_plattform_users: "{{ default_plattform_users + custom_plattform_users | default([]) }}"

-ip_whitelist_admins:
-  - "79.215.12.94/32" # sven
-
 ip_whitelist_netgo:
  - "212.121.131.106/32" # netgo berlin
  - "149.233.6.129/32" # netgo e-shelter
--- a/group_vars/stage_devscr/argocd.yml
+++ b/group_vars/stage_devscr/argocd.yml
@ -152,7 +152,7 @@ k8s_argocd_helm__release_values:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
-        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}"
        nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
--- a/group_vars/stage_devscr/firewall.yml
+++ b/group_vars/stage_devscr/firewall.yml
@ -33,22 +33,24 @@ hcloud_firewall_objects:
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: HTTPS allowed
+     apply_to:
     -
-        direction: in
-        protocol: tcp
-        port: 'any'
-        source_ips: '{{ ip_whitelist_admins }}'
-        destination_ips: []
-        description: TCP - allow work from home without VPN
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }}'
+   -
+     name: "{{ stage }}-access-to-kubernetes-api"
+     state: present
+     rules:
     -
        direction: in
-        protocol: udp
-        port: 'any'
-        source_ips: '{{ ip_whitelist_admins }}'
+        protocol: tcp
+        port: '6443'
+        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
-        description: UDP - allow work from home without VPN
+        description: "Allow access for whitelisted ips"
     apply_to:
     -
       type: label_selector
       label_selector:
-         selector: 'stage={{ stage }}'
+         selector: 'stage={{ stage }},service=kube_control_plane'
--- a/group_vars/stage_devscr/prometheus.yml
+++ b/group_vars/stage_devscr/prometheus.yml
@ -17,7 +17,7 @@ k8s_prometheus_helm__release_values:
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
-        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}"
      hosts:
        - "{{ stage }}-prometheus.{{ domain }}"
      tls:
@ -45,7 +45,7 @@ k8s_prometheus_helm__release_values:
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
-        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}"
      hosts:
        - "{{ stage }}-alertmanager.{{ domain }}"
      tls:
@ -64,7 +64,7 @@ k8s_prometheus_helm__release_values:
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
-        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}"
      hosts:
        - "{{ stage }}-grafana.{{ domain }}"
      tls:
--- a/group_vars/stage_prodwork01/firewall.yml
+++ b/group_vars/stage_prodwork01/firewall.yml
@ -33,22 +33,24 @@ hcloud_firewall_objects:
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: HTTPS allowed
+     apply_to:
     -
-        direction: in
-        protocol: tcp
-        port: 'any'
-        source_ips: '{{ ip_whitelist_admins }}'
-        destination_ips: []
-        description: TCP - allow work from home without VPN
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }}'
+   -
+     name: "{{ stage }}-access-to-kubernetes-api"
+     state: present
+     rules:
     -
        direction: in
-        protocol: udp
-        port: 'any'
-        source_ips: '{{ ip_whitelist_admins }}'
+        protocol: tcp
+        port: '6443'
+        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
-        description: UDP - allow work from home without VPN
+        description: "Allow access for whitelisted ips"
     apply_to:
     -
       type: label_selector
       label_selector:
-         selector: 'stage={{ stage }}'
+         selector: 'stage={{ stage }},service=kube_control_plane'
--- a/roles/kubernetes/argocd/defaults/main.yml
+++ b/roles/kubernetes/argocd/defaults/main.yml
@ -226,7 +226,7 @@ k8s_argocd_helm__release_values:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
-        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}"
        nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
--- a/roles/kubernetes/gitea/defaults/main.yml
+++ b/roles/kubernetes/gitea/defaults/main.yml
@ -29,7 +29,7 @@ k8s_gitea_helm__release_values:
      cert-manager.io/issue-temporary-certificate: "true"
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
-      nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+      nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}"
    hosts:
      - host: "{{ stage }}-gitea.{{ domain }}"
        paths:
--- a/roles/kubernetes/ingress_controller/defaults/main.yml
+++ b/roles/kubernetes/ingress_controller/defaults/main.yml
@ -25,7 +25,7 @@ k8s_ingress_helm__release_values:
      use-forwarded-headers: "true"
      use-proxy-protocol: "true"
      large-client-header-buffers: "4 16k"
-      whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+      whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}"
    service:
      externalTrafficPolicy: Local
      healthCheckNodePort: &healthchecknodeport 31066
--- a/roles/kubernetes/prometheus/defaults/main.yml
+++ b/roles/kubernetes/prometheus/defaults/main.yml
@ -17,7 +17,7 @@ k8s_prometheus_helm__release_values:
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
-        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}"
        nginx.ingress.kubernetes.io/auth-type: "basic"
        nginx.ingress.kubernetes.io/auth-secret: "{{ k8s_prometheus_basic_auth_secret_name }}"
        nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
@ -44,7 +44,7 @@ k8s_prometheus_helm__release_values:
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
-        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}"
        nginx.ingress.kubernetes.io/auth-type: "basic"
        nginx.ingress.kubernetes.io/auth-secret: "{{ k8s_alertmanager_basic_auth_secret_name }}"
        nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
@ -66,7 +66,7 @@ k8s_prometheus_helm__release_values:
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
-        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}"
      hosts:
        - "{{ stage }}-kube-grafana.{{ domain }}"
      tls:
--- a/templates/connect-compact/docker-compose.yml.j2
+++ b/templates/connect-compact/docker-compose.yml.j2
@ -157,7 +157,7 @@ services:
      - "traefik.http.routers.{{ connect_id }}-kibana.tls.certresolver={{ connect_compact_tls_cert_resolver }}"
      - "traefik.http.services.{{ connect_id }}-kibana.loadbalancer.server.port=5601"
      - "traefik.http.routers.{{ connect_id }}-kibana.middlewares={{ connect_id }}-kibana-ipwhitelist"
-      - "traefik.http.middlewares.{{ connect_id }}-kibana-ipwhitelist.ipwhitelist.sourcerange={{ ( ip_whitelist_netgo + ip_whitelist_admins ) | join(',') }}"
+      - "traefik.http.middlewares.{{ connect_id }}-kibana-ipwhitelist.ipwhitelist.sourcerange={{ ( ip_whitelist_netgo ) | join(',') }}"
    mem_limit: 1G
    volumes:
      - "./config/kibana/kibana.yml:/usr/share/kibana/config/kibana.yml:ro"