fix: Add missing NSG rules for VCN-Native Pod Networking (#563)

devoncrouse · web-flow · commit b59a36bbcd84 · 2022-09-07T19:47:55.000+10:00
Add missing NSG rules for VCN-Native Pod Networking Changed to reflect https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengnetworkconfig.htm#securitylistconfig: * Moved `oci_core_network_security_group_security_rule.workers_egress_flannel` to CNI-agnostic `local.workers_egress` for node to node. * Added `oci_core_network_security_group_security_rule.workers_ingress_npn` for pod to worker. * Added `oci_core_network_security_group_security_rule.pods_ingress"` for CP to pod, worker to pod, and pod to pod (`local.pods_ingress` existed for them but was not yet referenced). * Added to TCP 6443 to `local.pods_egress` for pod to CP. * Updated `oci_core_network_security_group_security_rule.pods_egress_internet` from tcp -> all protocols. * Updated some NSG rule descriptions to clarify usage. * Added NPN conditional to `oci_core_network_security_group.pods`. Signed-off-by: Devon Crouse <devon.crouse@oracle.com>
diff --git a/modules/network/locals.tf b/modules/network/locals.tf
@@ -2,6 +2,8 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 locals {
+  # VCN subnet configuration
+  # See https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengnetworkconfig.htm#vcnconfig
 
   # first vcn cidr
   # pick the first cidr block in the list as this is where we will create the oke subnets
@@ -54,9 +56,11 @@ locals {
     waf_subnet.cidr
   ] : []
 
+  # Security configuration
+  # See https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengnetworkconfig.htm#securitylistconfig
   # if port = -1, allow all ports
 
-  #control plane seclist
+  # Security List rules for control plane subnet (Flannel & VCN-Native Pod networking)
   cp_egress_seclist = [
     {
       description      = "Allow Bastion service to communicate to the control plane endpoint. Required for when using OCI Bastion service.",
@@ -78,7 +82,8 @@ locals {
       stateless   = false
     }
   ]
-  # control plane
+
+  # Network Security Group egress rules for control plane subnet (Flannel & VCN-Native Pod networking)
   cp_egress = [
     {
       description      = "Allow Kubernetes Control plane to communicate to the control plane subnet. Required for when using OCI Bastion service.",
@@ -114,6 +119,7 @@ locals {
     },
   ]
 
+  # Network Security Group ingress rules for control plane subnet (Flannel & VCN-Native Pod networking)
   cp_ingress = [
     {
       description = "Allow worker nodes to control plane API endpoint communication"
@@ -149,8 +155,16 @@ locals {
     },
   ]
 
-  # workers
+  # Network Security Group egress rules for workers subnet (Flannel & VCN-Native Pod networking)
   workers_egress = [
+    {
+      description      = "Allows communication from (or to) worker nodes.",
+      destination      = local.workers_subnet
+      destination_type = "CIDR_BLOCK",
+      protocol         = local.all_protocols,
+      port             = -1,
+      stateless        = false
+    },
     {
       description      = "Allow ICMP traffic for path discovery",
       destination      = local.anywhere
@@ -185,6 +199,7 @@ locals {
     }
   ]
 
+  # Network Security Group ingress rules for workers subnet (Flannel & VCN-Native Pod networking)
   workers_ingress = [
     {
       description = "Allow ingress for all traffic to allow pods to communicate between each other on different worker nodes on the worker subnet",
@@ -213,6 +228,7 @@ locals {
     }
   ]
 
+  # Network Security Group egress rules for pods subnet (VCN-Native Pod networking only)
   pods_egress = [
     {
       description      = "Allow pods to communicate with other pods.",
@@ -238,19 +254,28 @@ locals {
       port             = -1,
       stateless        = false
     },
+    {
+      description      = "Allow pods to communicate with Kubernetes API server",
+      destination      = local.cp_subnet,
+      destination_type = "CIDR_BLOCK",
+      protocol         = local.tcp_protocol,
+      port             = 6443,
+      stateless        = false
+    }
   ]
 
+  # Network Security Group ingress rules for pods subnet (VCN-Native Pod networking only)
   pods_ingress = [
     {
-      description = "Allow worker nodes to access pods.",
+      description = "Allow Kubernetes control plane to communicate with webhooks served by pods",
       protocol    = local.all_protocols,
       port        = -1,
       source      = local.cp_subnet,
       source_type = "CIDR_BLOCK",
       stateless   = false
     },
     {
-      description = "Allow Kubernetes Control Plane to communicate with pods.",
+      description = "Allow cross-node pod communication when using NodePorts or hostNetwork: true",
       protocol    = local.all_protocols,
       port        = -1,
       source      = local.workers_subnet,
@@ -267,6 +292,7 @@ locals {
     },
   ]
 
+  # Network Security Group rules for load balancer subnet
   int_lb_egress = [
     {
       description      = "Allow stateful egress to workers. Required for NodePorts",
diff --git a/modules/network/nsgs.tf b/modules/network/nsgs.tf
@@ -149,19 +149,6 @@ resource "oci_core_network_security_group_security_rule" "workers_egress" {
   count = length(local.workers_egress)
 }
 
-resource "oci_core_network_security_group_security_rule" "workers_egress_flannel" {
-  network_security_group_id = oci_core_network_security_group.workers.id
-  description               = "Allow egress for all traffic to allow pods to communicate between each other on different worker nodes on the worker subnet"
-  destination               = local.workers_subnet
-  destination_type          = "CIDR_BLOCK"
-  direction                 = "EGRESS"
-  protocol                  = local.all_protocols
-
-  stateless = false
-
-  count = var.cni_type == "flannel" ? 1: 0
-}
-
 resource "oci_core_network_security_group_security_rule" "workers_egress_npn" {
   network_security_group_id = oci_core_network_security_group.workers.id
   description               = "Allow worker nodes access to pods"
@@ -307,6 +294,17 @@ resource "oci_core_network_security_group_security_rule" "workers_healthcheck_in
 
 }
 
+resource "oci_core_network_security_group_security_rule" "workers_ingress_npn" {
+  network_security_group_id = oci_core_network_security_group.workers.id
+  description               = "Allow cross-node pod communication when using NodePorts or hostNetwork: true"
+  direction                 = "INGRESS"
+  protocol                  = local.all_protocols
+  source                    = local.pods_subnet
+  source_type               = "CIDR_BLOCK"
+  stateless                 = false
+  count                     = var.cni_type == "npn" ? 1 : 0
+}
+
 resource "oci_core_network_security_group_security_rule" "workers_ssh_ingress_from_bastion" {
   network_security_group_id = oci_core_network_security_group.workers.id
   description               = "Allow ssh access to workers via Bastion host"
@@ -333,6 +331,7 @@ resource "oci_core_network_security_group" "pods" {
   compartment_id = var.compartment_id
   display_name   = var.label_prefix == "none" ? "pods" : "${var.label_prefix}-pods"
   vcn_id         = var.vcn_id
+  count          = var.cni_type == "npn" ? 1 : 0
 }
 
 resource "oci_core_network_security_group_security_rule" "pods_egress" {
@@ -366,14 +365,25 @@ resource "oci_core_network_security_group_security_rule" "pods_egress" {
   count = var.cni_type =="npn" ? length(local.pods_egress) : 0
 }
 
+resource "oci_core_network_security_group_security_rule" "pods_ingress" {
+  network_security_group_id = oci_core_network_security_group.pods.id
+  description               = local.pods_ingress[count.index].description
+  source                    = local.pods_ingress[count.index].source
+  source_type               = local.pods_ingress[count.index].source_type
+  protocol                  = local.pods_ingress[count.index].protocol
+  direction                 = "INGRESS"
+  stateless                 = false
+  count                     = var.cni_type =="npn" ? length(local.pods_ingress) : 0
+}
+
 # add this rule separately so it can be controlled independently
 resource "oci_core_network_security_group_security_rule" "pods_egress_internet" {
   network_security_group_id = oci_core_network_security_group.pods.id
   description               = "Allow pods access to Internet"
   destination               = local.anywhere
   destination_type          = "CIDR_BLOCK"
   direction                 = "EGRESS"
-  protocol                  = local.tcp_protocol
+  protocol                  = local.all_protocols
 
   stateless = false
   count = (var.cni_type =="npn" && var.allow_pod_internet_access == true) ? 1 : 0

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,8 @@`
`2`	`2`	`# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl`
`3`	`3`
`4`	`4`	`locals {`
	`5`	`+ # VCN subnet configuration`
	`6`	`+ # See https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengnetworkconfig.htm#vcnconfig`
`5`	`7`
`6`	`8`	`# first vcn cidr`
`7`	`9`	`# pick the first cidr block in the list as this is where we will create the oke subnets`
`@@ -54,9 +56,11 @@ locals {`
`54`	`56`	`waf_subnet.cidr`
`55`	`57`	`] : []`
`56`	`58`
	`59`	`+ # Security configuration`
	`60`	`+ # See https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengnetworkconfig.htm#securitylistconfig`
`57`	`61`	`# if port = -1, allow all ports`
`58`	`62`
`59`		`- #control plane seclist`
	`63`	`+ # Security List rules for control plane subnet (Flannel & VCN-Native Pod networking)`
`60`	`64`	`cp_egress_seclist = [`
`61`	`65`	`{`
`62`	`66`	`description = "Allow Bastion service to communicate to the control plane endpoint. Required for when using OCI Bastion service.",`
`@@ -78,7 +82,8 @@ locals {`
`78`	`82`	`stateless = false`
`79`	`83`	`}`
`80`	`84`	`]`
`81`		`- # control plane`
	`85`	`+`
	`86`	`+ # Network Security Group egress rules for control plane subnet (Flannel & VCN-Native Pod networking)`
`82`	`87`	`cp_egress = [`
`83`	`88`	`{`
`84`	`89`	`description = "Allow Kubernetes Control plane to communicate to the control plane subnet. Required for when using OCI Bastion service.",`
`@@ -114,6 +119,7 @@ locals {`
`114`	`119`	`},`
`115`	`120`	`]`
`116`	`121`
	`122`	`+ # Network Security Group ingress rules for control plane subnet (Flannel & VCN-Native Pod networking)`
`117`	`123`	`cp_ingress = [`
`118`	`124`	`{`
`119`	`125`	`description = "Allow worker nodes to control plane API endpoint communication"`
`@@ -149,8 +155,16 @@ locals {`
`149`	`155`	`},`
`150`	`156`	`]`
`151`	`157`
`152`		`- # workers`
	`158`	`+ # Network Security Group egress rules for workers subnet (Flannel & VCN-Native Pod networking)`
`153`	`159`	`workers_egress = [`
	`160`	`+ {`
	`161`	`+ description = "Allows communication from (or to) worker nodes.",`
	`162`	`+ destination = local.workers_subnet`
	`163`	`+ destination_type = "CIDR_BLOCK",`
	`164`	`+ protocol = local.all_protocols,`
	`165`	`+ port = -1,`
	`166`	`+ stateless = false`
	`167`	`+ },`
`154`	`168`	`{`
`155`	`169`	`description = "Allow ICMP traffic for path discovery",`
`156`	`170`	`destination = local.anywhere`
`@@ -185,6 +199,7 @@ locals {`
`185`	`199`	`}`
`186`	`200`	`]`
`187`	`201`
	`202`	`+ # Network Security Group ingress rules for workers subnet (Flannel & VCN-Native Pod networking)`
`188`	`203`	`workers_ingress = [`
`189`	`204`	`{`
`190`	`205`	`description = "Allow ingress for all traffic to allow pods to communicate between each other on different worker nodes on the worker subnet",`
`@@ -213,6 +228,7 @@ locals {`
`213`	`228`	`}`
`214`	`229`	`]`
`215`	`230`
	`231`	`+ # Network Security Group egress rules for pods subnet (VCN-Native Pod networking only)`
`216`	`232`	`pods_egress = [`
`217`	`233`	`{`
`218`	`234`	`description = "Allow pods to communicate with other pods.",`
`@@ -238,19 +254,28 @@ locals {`
`238`	`254`	`port = -1,`
`239`	`255`	`stateless = false`
`240`	`256`	`},`
	`257`	`+ {`
	`258`	`+ description = "Allow pods to communicate with Kubernetes API server",`
	`259`	`+ destination = local.cp_subnet,`
	`260`	`+ destination_type = "CIDR_BLOCK",`
	`261`	`+ protocol = local.tcp_protocol,`
	`262`	`+ port = 6443,`
	`263`	`+ stateless = false`
	`264`	`+ }`
`241`	`265`	`]`
`242`	`266`
	`267`	`+ # Network Security Group ingress rules for pods subnet (VCN-Native Pod networking only)`
`243`	`268`	`pods_ingress = [`
`244`	`269`	`{`
`245`		`- description = "Allow worker nodes to access pods.",`
	`270`	`+ description = "Allow Kubernetes control plane to communicate with webhooks served by pods",`
`246`	`271`	`protocol = local.all_protocols,`
`247`	`272`	`port = -1,`
`248`	`273`	`source = local.cp_subnet,`
`249`	`274`	`source_type = "CIDR_BLOCK",`
`250`	`275`	`stateless = false`
`251`	`276`	`},`
`252`	`277`	`{`
`253`		`- description = "Allow Kubernetes Control Plane to communicate with pods.",`
	`278`	`+ description = "Allow cross-node pod communication when using NodePorts or hostNetwork: true",`
`254`	`279`	`protocol = local.all_protocols,`
`255`	`280`	`port = -1,`
`256`	`281`	`source = local.workers_subnet,`
`@@ -267,6 +292,7 @@ locals {`
`267`	`292`	`},`
`268`	`293`	`]`
`269`	`294`
	`295`	`+ # Network Security Group rules for load balancer subnet`
`270`	`296`	`int_lb_egress = [`
`271`	`297`	`{`
`272`	`298`	`description = "Allow stateful egress to workers. Required for NodePorts",`