
     1  resource "aws_security_group" "common" {
     2    description = "common security group rules for master and worker nodes"
     3    name        = "${var.stack_name}-common"
     4    vpc_id      = aws_vpc.platform.id
     5  
     6    tags = merge(
     7      local.basic_tags,
     8      {
     9        "Name"  = "${var.stack_name}-common"
    10        "Class" = "SecurityGroup"
    11      },
    12    )
    13  
    14    # Allow ICMP
    15    ingress {
    16      from_port       = -1
    17      to_port         = -1
    18      protocol        = "icmp"
    19      security_groups = []
    20      self            = true
    21      description     = "allow ICPM traffic ingress"
    22    }
    23  
    24    egress {
    25      from_port       = -1
    26      to_port         = -1
    27      protocol        = "icmp"
    28      security_groups = []
    29      cidr_blocks     = [var.vpc_cidr_block]
    30      description     = "allow ICPM traffic egress"
    31    }
    32  
    33    # Allow ssh from anywhere
    34    ingress {
    35      from_port   = 22
    36      to_port     = 22
    37      protocol    = "tcp"
    38      cidr_blocks = ["0.0.0.0/0"]
    39      description = "allow ssh from everywhere"
    40    }
    41  
    42    # cilium - health check - internal
    43    ingress {
    44      from_port   = 4240
    45      to_port     = 4240
    46      protocol    = "tcp"
    47      cidr_blocks = [var.vpc_cidr_block]
    48      description = "cilium - health check - internal"
    49    }
    50  
    51    # cilium - VXLAN traffic - internal
    52    ingress {
    53      from_port   = 8472
    54      to_port     = 8472
    55      protocol    = "udp"
    56      cidr_blocks = [var.vpc_cidr_block]
    57      description = "cilium - VXLAN traffic - internal"
    58    }
    59  
    60    # master -> worker kubelet communication - internal
    61    ingress {
    62      from_port   = 10250
    63      to_port     = 10250
    64      protocol    = "tcp"
    65      cidr_blocks = [var.vpc_cidr_block]
    66      description = "master to worker kubelet communication - internal"
    67    }
    68  
    69    # kubeproxy health check - internal only
    70    ingress {
    71      from_port   = 10256
    72      to_port     = 10256
    73      protocol    = "tcp"
    74      cidr_blocks = [var.vpc_cidr_block]
    75      description = "kubeproxy health check - internal only"
    76    }
    77  
    78    # range of ports used by kubernetes when allocating services
    79    # of type `NodePort` - internal
    80    ingress {
    81      from_port   = 30000
    82      to_port     = 32767
    83      protocol    = "tcp"
    84      cidr_blocks = ["0.0.0.0/0"]
    85      description = "kubernetes NodePort services"
    86    }
    87  
    88    # range of ports used by kubernetes when allocating services
    89    # of type `NodePort` - internal
    90    ingress {
    91      from_port   = 30000
    92      to_port     = 32767
    93      protocol    = "udp"
    94      cidr_blocks = ["0.0.0.0/0"]
    95      description = "kubernetes NodePort services"
    96    }
    97  }