Merge pull request #1306 from cuppett/cuppett/network-cleanups

Removing unused/deprecated security groups and ports. Updated AWS doc
2026-02-06 00:48:45 +01:00 · 2019-02-27 01:44:41 +01:00
parent 8811e63e3f 3989d38f68
commit 563f71fdfb
5 changed files with 15 additions and 223 deletions
--- a/data/data/aws/vpc/outputs.tf
+++ b/data/data/aws/vpc/outputs.tf
@@ -18,14 +18,6 @@ output "worker_sg_id" {
  value = "${aws_security_group.worker.id}"
 }

-output "api_sg_id" {
-  value = "${aws_security_group.api.id}"
-}
-
-output "console_sg_id" {
-  value = "${aws_security_group.console.id}"
-}
-
 output "aws_lb_target_group_arns" {
  value = "${compact(concat(aws_lb_target_group.api_internal.*.arn, aws_lb_target_group.services.*.arn, aws_lb_target_group.api_external.*.arn))}"
 }
--- a/data/data/aws/vpc/sg-elb.tf
+++ b/data/data/aws/vpc/sg-elb.tf
@@ -1,75 +0,0 @@
-resource "aws_security_group" "api" {
-  vpc_id = "${data.aws_vpc.cluster_vpc.id}"
-
-  tags = "${merge(map(
-    "Name", "${var.cluster_id}-api-sg",
-  ), var.tags)}"
-}
-
-resource "aws_security_group_rule" "api_egress" {
-  type              = "egress"
-  security_group_id = "${aws_security_group.api.id}"
-
-  from_port   = 0
-  to_port     = 0
-  protocol    = "-1"
-  cidr_blocks = ["0.0.0.0/0"]
-}
-
-resource "aws_security_group_rule" "api_ingress_console" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.api.id}"
-
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
-  from_port   = 6443
-  to_port     = 6443
-}
-
-resource "aws_security_group_rule" "mcs_ingress" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.api.id}"
-
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
-  from_port   = 22623
-  to_port     = 22623
-}
-
-resource "aws_security_group" "console" {
-  vpc_id = "${data.aws_vpc.cluster_vpc.id}"
-
-  tags = "${merge(map(
-      "Name", "${var.cluster_id}-console-sg",
-    ), var.tags)}"
-}
-
-resource "aws_security_group_rule" "console_egress" {
-  type              = "egress"
-  security_group_id = "${aws_security_group.console.id}"
-
-  from_port   = 0
-  to_port     = 0
-  protocol    = "-1"
-  cidr_blocks = ["0.0.0.0/0"]
-}
-
-resource "aws_security_group_rule" "console_ingress_http" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.console.id}"
-
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
-  from_port   = 80
-  to_port     = 80
-}
-
-resource "aws_security_group_rule" "console_ingress_https" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.console.id}"
-
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
-  from_port   = 443
-  to_port     = 443
-}
--- a/data/data/aws/vpc/sg-master.tf
+++ b/data/data/aws/vpc/sg-master.tf
@@ -11,7 +11,7 @@ resource "aws_security_group_rule" "master_mcs" {
  security_group_id = "${aws_security_group.master.id}"

  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
  from_port   = 22623
  to_port     = 22623
 }
@@ -41,21 +41,11 @@ resource "aws_security_group_rule" "master_ingress_ssh" {
  security_group_id = "${aws_security_group.master.id}"

  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
  from_port   = 22
  to_port     = 22
 }

-resource "aws_security_group_rule" "master_ingress_http" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.master.id}"
-
-  protocol    = "tcp"
-  cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
-  from_port   = 80
-  to_port     = 80
-}
-
 resource "aws_security_group_rule" "master_ingress_https" {
  type              = "ingress"
  security_group_id = "${aws_security_group.master.id}"
@@ -63,27 +53,7 @@ resource "aws_security_group_rule" "master_ingress_https" {
  protocol    = "tcp"
  cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
  from_port   = 6443
-  to_port     = 6445
-}
-
-resource "aws_security_group_rule" "master_ingress_heapster" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.master.id}"
-
-  protocol  = "tcp"
-  from_port = 4194
-  to_port   = 4194
-  self      = true
-}
-
-resource "aws_security_group_rule" "master_ingress_heapster_from_worker" {
-  type                     = "ingress"
-  security_group_id        = "${aws_security_group.master.id}"
-  source_security_group_id = "${aws_security_group.worker.id}"
-
-  protocol  = "tcp"
-  from_port = 4194
-  to_port   = 4194
+  to_port     = 6443
 }

 resource "aws_security_group_rule" "master_ingress_vxlan" {
@@ -166,33 +136,13 @@ resource "aws_security_group_rule" "master_ingress_kube_controller_manager_from_
  to_port   = 10252
 }

-resource "aws_security_group_rule" "master_ingress_kubelet_insecure" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.master.id}"
-
-  protocol  = "tcp"
-  from_port = 10250
-  to_port   = 10250
-  self      = true
-}
-
-resource "aws_security_group_rule" "master_ingress_kubelet_insecure_from_worker" {
-  type                     = "ingress"
-  security_group_id        = "${aws_security_group.master.id}"
-  source_security_group_id = "${aws_security_group.worker.id}"
-
-  protocol  = "tcp"
-  from_port = 10250
-  to_port   = 10250
-}
-
 resource "aws_security_group_rule" "master_ingress_kubelet_secure" {
  type              = "ingress"
  security_group_id = "${aws_security_group.master.id}"

  protocol  = "tcp"
-  from_port = 10255
-  to_port   = 10255
+  from_port = 10250
+  to_port   = 10250
  self      = true
 }

@@ -202,8 +152,8 @@ resource "aws_security_group_rule" "master_ingress_kubelet_secure_from_worker" {
  source_security_group_id = "${aws_security_group.worker.id}"

  protocol  = "tcp"
-  from_port = 10255
-  to_port   = 10255
+  from_port = 10250
+  to_port   = 10250
 }

 resource "aws_security_group_rule" "master_ingress_etcd" {
@@ -235,13 +185,3 @@ resource "aws_security_group_rule" "master_ingress_services" {
  to_port   = 32767
  self      = true
 }
-
-resource "aws_security_group_rule" "master_ingress_services_from_console" {
-  type                     = "ingress"
-  security_group_id        = "${aws_security_group.master.id}"
-  source_security_group_id = "${aws_security_group.console.id}"
-
-  protocol  = "tcp"
-  from_port = 30000
-  to_port   = 32767
-}
--- a/data/data/aws/vpc/sg-worker.tf
+++ b/data/data/aws/vpc/sg-worker.tf
@@ -31,51 +31,11 @@ resource "aws_security_group_rule" "worker_ingress_ssh" {
  security_group_id = "${aws_security_group.worker.id}"

  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
  from_port   = 22
  to_port     = 22
 }

-resource "aws_security_group_rule" "worker_ingress_http" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.worker.id}"
-
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
-  from_port   = 80
-  to_port     = 80
-}
-
-resource "aws_security_group_rule" "worker_ingress_https" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.worker.id}"
-
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
-  from_port   = 443
-  to_port     = 443
-}
-
-resource "aws_security_group_rule" "worker_ingress_heapster" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.worker.id}"
-
-  protocol  = "tcp"
-  from_port = 4194
-  to_port   = 4194
-  self      = true
-}
-
-resource "aws_security_group_rule" "worker_ingress_heapster_from_master" {
-  type                     = "ingress"
-  security_group_id        = "${aws_security_group.worker.id}"
-  source_security_group_id = "${aws_security_group.master.id}"
-
-  protocol  = "tcp"
-  from_port = 4194
-  to_port   = 4194
-}
-
 resource "aws_security_group_rule" "worker_ingress_vxlan" {
  type              = "ingress"
  security_group_id = "${aws_security_group.worker.id}"
@@ -136,26 +96,6 @@ resource "aws_security_group_rule" "worker_ingress_kubelet_insecure_from_master"
  to_port   = 10250
 }

-resource "aws_security_group_rule" "worker_ingress_kubelet_secure" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.worker.id}"
-
-  protocol  = "tcp"
-  from_port = 10255
-  to_port   = 10255
-  self      = true
-}
-
-resource "aws_security_group_rule" "worker_ingress_kubelet_secure_from_master" {
-  type                     = "ingress"
-  security_group_id        = "${aws_security_group.worker.id}"
-  source_security_group_id = "${aws_security_group.master.id}"
-
-  protocol  = "tcp"
-  from_port = 10255
-  to_port   = 10255
-}
-
 resource "aws_security_group_rule" "worker_ingress_services" {
  type              = "ingress"
  security_group_id = "${aws_security_group.worker.id}"
@@ -165,13 +105,3 @@ resource "aws_security_group_rule" "worker_ingress_services" {
  to_port   = 32767
  self      = true
 }
-
-resource "aws_security_group_rule" "worker_ingress_services_from_console" {
-  type                     = "ingress"
-  security_group_id        = "${aws_security_group.worker.id}"
-  source_security_group_id = "${aws_security_group.console.id}"
-
-  protocol  = "tcp"
-  from_port = 30000
-  to_port   = 32767
-}
--- a/docs/user/aws/limits.md
+++ b/docs/user/aws/limits.md
@@ -57,8 +57,13 @@ the new VPC. If you intend to create more than 20 clusters, you will need to req

 ## Security Groups

-Each cluster creates 10 distinct security groups. The default limit of 2,500 for new accounts allows for many clusters
-to be created.
+Each cluster creates distinct security groups. The default limit of 2,500 for new accounts allows for many clusters
+to be created. The security groups which exist after the default install are:
+
+  1. VPC default
+  1. Master
+  1. Worker
+  1. Router/Ingress

 ## Instance Limits