Merge pull request #1306 from cuppett/cuppett/network-cleanups
Removing unused/deprecated security groups and ports. Updated AWS doc
openshift-merge-robot committed Feb 27, 2019
2 parents 8811e63 + 3989d38 commit 563f71f
Showing 5 changed files with 13 additions and 221 deletions.
8 changes: 0 additions & 8 deletions data/data/aws/vpc/outputs.tf
Expand Up @@ -18,14 +18,6 @@ output "worker_sg_id" {
value = "${aws_security_group.worker.id}"
}

output "api_sg_id" {
value = "${aws_security_group.api.id}"
}

output "console_sg_id" {
value = "${aws_security_group.console.id}"
}

output "aws_lb_target_group_arns" {
value = "${compact(concat(aws_lb_target_group.api_internal.*.arn, aws_lb_target_group.services.*.arn, aws_lb_target_group.api_external.*.arn))}"
}
75 changes: 0 additions & 75 deletions data/data/aws/vpc/sg-elb.tf

This file was deleted.

70 changes: 5 additions & 65 deletions data/data/aws/vpc/sg-master.tf
Expand Up @@ -11,7 +11,7 @@ resource "aws_security_group_rule" "master_mcs" {
security_group_id = "${aws_security_group.master.id}"

protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
from_port = 22623
to_port = 22623
}
Expand Down Expand Up @@ -41,49 +41,19 @@ resource "aws_security_group_rule" "master_ingress_ssh" {
security_group_id = "${aws_security_group.master.id}"

protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
from_port = 22
to_port = 22
}

resource "aws_security_group_rule" "master_ingress_http" {
type = "ingress"
security_group_id = "${aws_security_group.master.id}"

protocol = "tcp"
cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
from_port = 80
to_port = 80
}

resource "aws_security_group_rule" "master_ingress_https" {
type = "ingress"
security_group_id = "${aws_security_group.master.id}"

protocol = "tcp"
cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
from_port = 6443
to_port = 6445
}

resource "aws_security_group_rule" "master_ingress_heapster" {
type = "ingress"
security_group_id = "${aws_security_group.master.id}"

protocol = "tcp"
from_port = 4194
to_port = 4194
self = true
}

resource "aws_security_group_rule" "master_ingress_heapster_from_worker" {
type = "ingress"
security_group_id = "${aws_security_group.master.id}"
source_security_group_id = "${aws_security_group.worker.id}"

protocol = "tcp"
from_port = 4194
to_port = 4194
to_port = 6443
}

resource "aws_security_group_rule" "master_ingress_vxlan" {
Expand Down Expand Up @@ -166,7 +136,7 @@ resource "aws_security_group_rule" "master_ingress_kube_controller_manager_from_
to_port = 10252
}

resource "aws_security_group_rule" "master_ingress_kubelet_insecure" {
resource "aws_security_group_rule" "master_ingress_kubelet_secure" {
type = "ingress"
security_group_id = "${aws_security_group.master.id}"

Expand All @@ -176,7 +146,7 @@ resource "aws_security_group_rule" "master_ingress_kubelet_insecure" {
self = true
}

resource "aws_security_group_rule" "master_ingress_kubelet_insecure_from_worker" {
resource "aws_security_group_rule" "master_ingress_kubelet_secure_from_worker" {
type = "ingress"
security_group_id = "${aws_security_group.master.id}"
source_security_group_id = "${aws_security_group.worker.id}"
Expand All @@ -186,26 +156,6 @@ resource "aws_security_group_rule" "master_ingress_kubelet_insecure_from_worker"
to_port = 10250
}

resource "aws_security_group_rule" "master_ingress_kubelet_secure" {
type = "ingress"
security_group_id = "${aws_security_group.master.id}"

protocol = "tcp"
from_port = 10255
to_port = 10255
self = true
}

resource "aws_security_group_rule" "master_ingress_kubelet_secure_from_worker" {
type = "ingress"
security_group_id = "${aws_security_group.master.id}"
source_security_group_id = "${aws_security_group.worker.id}"

protocol = "tcp"
from_port = 10255
to_port = 10255
}

resource "aws_security_group_rule" "master_ingress_etcd" {
type = "ingress"
security_group_id = "${aws_security_group.master.id}"
Expand Down Expand Up @@ -235,13 +185,3 @@ resource "aws_security_group_rule" "master_ingress_services" {
to_port = 32767
self = true
}

resource "aws_security_group_rule" "master_ingress_services_from_console" {
type = "ingress"
security_group_id = "${aws_security_group.master.id}"
source_security_group_id = "${aws_security_group.console.id}"

protocol = "tcp"
from_port = 30000
to_port = 32767
}
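Review bot: The rename of the port-10250 rule from `master_ingress_kubelet_insecure` to `master_ingress_kubelet_secure` (hunks at -166 and -176) reuses the address of the port-10255 rule that the -186 hunk deletes, so against an existing state Terraform would plan a replacement of `master_ingress_kubelet_secure` (ports 10255→10250) together with a destroy of the old `_insecure` address; if the create runs before that destroy, AWS rejects the new rule as a duplicate of the still-present 10250 rule. This presumably only matters if the installer's Terraform is re-applied to an existing cluster rather than run once, but a `terraform state mv` note in the commit message would make that explicit. A comment on each renamed rule would also document why 10255 disappears, e.g. `# 10250 is the kubelet's authenticated API port; the read-only 10255 port is intentionally not opened.` The renamed rule bodies continue outside the hunks shown here.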
72 changes: 1 addition & 71 deletions data/data/aws/vpc/sg-worker.tf
Expand Up @@ -31,51 +31,11 @@ resource "aws_security_group_rule" "worker_ingress_ssh" {
security_group_id = "${aws_security_group.worker.id}"

protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
from_port = 22
to_port = 22
}

resource "aws_security_group_rule" "worker_ingress_http" {
type = "ingress"
security_group_id = "${aws_security_group.worker.id}"

protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
from_port = 80
to_port = 80
}

resource "aws_security_group_rule" "worker_ingress_https" {
type = "ingress"
security_group_id = "${aws_security_group.worker.id}"

protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
from_port = 443
to_port = 443
}

resource "aws_security_group_rule" "worker_ingress_heapster" {
type = "ingress"
security_group_id = "${aws_security_group.worker.id}"

protocol = "tcp"
from_port = 4194
to_port = 4194
self = true
}

resource "aws_security_group_rule" "worker_ingress_heapster_from_master" {
type = "ingress"
security_group_id = "${aws_security_group.worker.id}"
source_security_group_id = "${aws_security_group.master.id}"

protocol = "tcp"
from_port = 4194
to_port = 4194
}

resource "aws_security_group_rule" "worker_ingress_vxlan" {
type = "ingress"
security_group_id = "${aws_security_group.worker.id}"
Expand Down Expand Up @@ -136,26 +96,6 @@ resource "aws_security_group_rule" "worker_ingress_kubelet_insecure_from_master"
to_port = 10250
}

resource "aws_security_group_rule" "worker_ingress_kubelet_secure" {
type = "ingress"
security_group_id = "${aws_security_group.worker.id}"

protocol = "tcp"
from_port = 10255
to_port = 10255
self = true
}

resource "aws_security_group_rule" "worker_ingress_kubelet_secure_from_master" {
type = "ingress"
security_group_id = "${aws_security_group.worker.id}"
source_security_group_id = "${aws_security_group.master.id}"

protocol = "tcp"
from_port = 10255
to_port = 10255
}

resource "aws_security_group_rule" "worker_ingress_services" {
type = "ingress"
security_group_id = "${aws_security_group.worker.id}"
Expand All @@ -165,13 +105,3 @@ resource "aws_security_group_rule" "worker_ingress_services" {
to_port = 32767
self = true
}

resource "aws_security_group_rule" "worker_ingress_services_from_console" {
type = "ingress"
security_group_id = "${aws_security_group.worker.id}"
source_security_group_id = "${aws_security_group.console.id}"

protocol = "tcp"
from_port = 30000
to_port = 32767
}
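Review bot: The two surviving port-10250 rules in this file keep the `worker_ingress_kubelet_insecure` naming (the hunk header at -136,26 +96,6 shows `worker_ingress_kubelet_insecure_from_master` with `to_port = 10250`), while sg-master.tf in the same commit renames its 10250 rules to `_secure` and drops the 10255 read-only rules, so the worker names now label the kubelet's authenticated port as insecure. Renaming them to `worker_ingress_kubelet_secure` and `worker_ingress_kubelet_secure_from_master` would keep the two files consistent, with the same state-move caveat that applies to the master rename. A one-line comment on each, e.g. `# 10250: kubelet API (authenticated); read-only port 10255 is intentionally closed`, would record the intent. Those rule bodies start above the -136 hunk and are not fully visible here.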
9 changes: 7 additions & 2 deletions docs/user/aws/limits.md
Expand Up @@ -57,8 +57,13 @@ the new VPC. If you intend to create more than 20 clusters, you will need to req

## Security Groups

Each cluster creates 10 distinct security groups. The default limit of 2,500 for new accounts allows for many clusters
to be created.
Each cluster creates distinct security groups. The default limit of 2,500 for new accounts allows for many clusters
to be created. The security groups which exist after the default install are:

1. VPC default
1. Master
1. Worker
1. Router/Ingress

## Instance Limits

