update shadow firewall support #741
Merged
+798
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ericyz
requested review from
bharathkkb,
Jberlinsky and
a team
as code owners
|
Thanks for the PR! 🚀 |
|
@ericyz Please rebase on master. |
ericyz
force-pushed
the
feature/shadow-firewall
branch
from
217bf8d to
685a2db
Compare
ericyz
force-pushed
the
feature/shadow-firewall
branch
from
984b9db to
afe3d90
Compare
|
Hey team, any feedback on this PR? |
…-google-kubernetes-engine into feature/shadow-firewall
|
Hi @morgante , I have added more descriptions to the TF variables. The purpose of shadow firewall is to gain more network insight of the packages flowing between GKE worker and master nodes. |
morgante
suggested changes
Jan 11, 2021
autogen/main/variables.tf.tmpl
Outdated
| default = false | ||
| } | ||
|
|
||
| variable "firewall_priority" { | ||
| type = number | ||
| description = "Priority rule for firewall rules" | ||
| description = "The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall." |
There was a problem hiding this comment.
Suggested change
| description = "The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall." | |
| description = "The firewall priority of custom cluster firewall rules. |
autogen/main/variables.tf.tmpl
Outdated
| @@ -545,13 +545,13 @@ variable "enable_binary_authorization" { | |||
|
|
|||
| variable "add_cluster_firewall_rules" { | |||
| type = bool | |||
| description = "Create additional firewall rules" | |||
| description = "Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled." | |||
There was a problem hiding this comment.
Suggested change
| description = "Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled." | |
| description = "Create additional firewall rules for common GKE tasks." |
firewall.tf
Outdated
| count = var.add_shadow_firewall_rules ? 1 : 0 | ||
|
|
||
| name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all" | ||
| description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication." |
There was a problem hiding this comment.
Suggested change
| description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication." | |
| description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." |
ericyz
force-pushed
the
feature/shadow-firewall
branch
3 times, most recently
from
8c4840e to
8f0a90d
Compare
ericyz
force-pushed
the
feature/shadow-firewall
branch
from
844287a to
4f5f6f6
Compare
morgante
suggested changes
Feb 10, 2021
|
Thanks @morgante for updating my typo. Please review and let me know anything to update for the merge. |
morgante
approved these changes
Feb 16, 2021
CPL-markus
pushed a commit
to WALTER-GROUP/terraform-google-kubernetes-engine
that referenced
this pull request
Jul 15, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The goal of this PR is to add visibility of the traffic between the Google-managed default GKE firewall. The context of the request is that there are some compliance-driven requirements to capture all the inter-node traffics, which doesn't provide by the default GKE firewalls out of box.
The solution including in this PR can be described as: