Added Hetzner firewall and fixed addresses

2021-09-01 00:37:11 +02:00
parent 6e9ee5855b
commit ca2bf4dc82
9 changed files with 122 additions and 57 deletions
--- a/main.tf
+++ b/main.tf
@@ -20,6 +20,65 @@ resource "hcloud_network_subnet" "k3s" {
  ip_range     = "10.0.0.0/16"
 }

+resource "hcloud_firewall" "k3s" {
+  name = "k3s-firewall"
+
+  # Internal cluster traffic, kube api server, kubelet metrics, cilium, etcd,
+  # and Hetzner metadata service and cloud api
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "any"
+    source_ips = [
+      "127.0.0.1/32",
+      "10.0.0.0/8",
+      "169.254.169.254/32",
+      "213.239.246.1/32"
+    ]
+  }
+  rule {
+    direction = "in"
+    protocol  = "udp"
+    port      = "any"
+    source_ips = [
+      "127.0.0.1/32",
+      "10.0.0.0/8",
+      "169.254.169.254/32",
+      "213.239.246.1/32"
+    ]
+  }
+  rule {
+    direction = "in"
+    protocol  = "icmp"
+    source_ips = [
+      "127.0.0.1/32",
+      "10.0.0.0/8",
+      "169.254.169.254/32",
+      "213.239.246.1/32"
+    ]
+  }
+
+  # Allow all traffic to the kube api server
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "6443"
+    source_ips = [
+      "0.0.0.0/0"
+    ]
+  }
+
+  # Allow all traffic to the ssh port
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "22"
+    source_ips = [
+      "0.0.0.0/0"
+    ]
+  }
+}
+
 data "hcloud_image" "linux" {
  name = "fedora-34"
 }
@@ -49,3 +108,7 @@ data "template_file" "ccm_manifest" {
 data "template_file" "upgrade_plan" {
  template = file("${path.module}/manifests/upgrade/plan.yaml")
 }
+
+locals {
+  first_control_plane_network_ip = cidrhost(hcloud_network.k3s.ip_range, 2)
+}