From d1f05f8fc94bbbdae4db60fcf927cc2bb58da397 Mon Sep 17 00:00:00 2001
From: etwillbefine
Date: Wed, 2 Sep 2020 19:19:43 +0200
Subject: [PATCH 1/3] make deny-all optional, allow specifying types allow-policy applies to

---
 network-policies.tf | 10 +++++-----
 variables.tf | 12 ++++++++++++
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/network-policies.tf b/network-policies.tf
index 0d3e5a4..b98c923 100644
--- a/network-policies.tf
+++ b/network-policies.tf
@@ -1,6 +1,6 @@
 resource "kubernetes_network_policy" "deny_all" {
- count = var.enable_network_policies ? 1 : 0
+ count = var.enable_network_policies && var.network_deny_all_policy ? 1 : 0
 metadata {
 name = "deny-all"
@@ -14,16 +14,16 @@ resource "kubernetes_network_policy" "deny_all" {
 }
 }
-resource "kubernetes_network_policy" "allow_http" {
- count = var.enable_network_policies ? 1 : 0
+resource "kubernetes_network_policy" "allow" {
+ count = var.enable_network_policies && length(var.network_policy_types) > 0 ? 1 : 0
 metadata {
- name = "http"
+ name = "allow-custom"
 namespace = kubernetes_namespace.namespace.metadata.0.name
 }
 spec {
- policy_types = ["Ingress", "Egress"]
+ policy_types = [var.network_policy_types]
 pod_selector {}
 ingress {
diff --git a/variables.tf b/variables.tf
index 52de989..411024f 100644
--- a/variables.tf
+++ b/variables.tf
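Review bot: The new `count` gate mixes `&&` with the conditional operator and relies on HCL giving `? :` the lowest precedence, so it evaluates as `(enable && deny_all) ? 1 : 0`, which is what the commit wants, but the unparenthesised form is easy to misread and the same shape recurs in the `allow` resource's `count` in the next hunk. Writing it as `count = (var.enable_network_policies && var.network_deny_all_policy) ? 1 : 0` makes the intent explicit. A comment above the resource would also help, because making deny-all optional changes what is protected: as far as Kubernetes policyTypes semantics go, the `allow` policy below only makes the types listed in `var.network_policy_types` default-deny for the pods it selects, so with this resource disabled any unlisted type stays unrestricted. The `deny_all` resource's spec continues outside the hunk.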
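Review bot: Changing both the resource address (`allow_http` to `allow`) and `metadata.name` (`http` to `allow-custom`) means Terraform will plan a destroy of the old NetworkPolicy object and a create of a new one, and as far as I can tell those two actions are independent in the graph and not ordered against each other; in a namespace where `deny_all` is deployed this leaves a window during apply with no allow rule, so traffic the old policy admitted is dropped until the new object exists. This should be flagged as a rollout-affecting change in the commit message so consumers can schedule the apply. The `ingress` block and the rest of the spec continue outside the hunk, so it cannot be checked here whether those rules are still meaningful when `var.network_policy_types` omits `"Ingress"`.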
@@ -125,6 +125,18 @@ variable "enable_network_policies" {
 description = "Deploys additional kubernetes network policies for the namespace created"
 }
+variable "network_policy_types" {
+ type = list(string)
+ default = ["Egress", "Ingress"]
+ description = "Network Policy Types the Allow Rule will apply to. When choosing for example only Egress without a Deny Policy it will be allowed."
+}
+
+variable "network_deny_all_policy" {
+ type = bool
+ default = false
+ description = "Deploys a Deny-All Network Policy. Only granted CIDRs and Namespaces will be allowed."
+}
+
 variable "http_egress_namespaces" {
 type = list(string)
 default = ["default", "cluster"]

From a99e161d5c2c6d11e046116603fc9858cd707e98 Mon Sep 17 00:00:00 2001
From: etwillbefine
Date: Wed, 2 Sep 2020 19:22:03 +0200
Subject: [PATCH 2/3] change defaults to no policy by default, by deny-all by default when enabled

---
 variables.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/variables.tf b/variables.tf
index 411024f..a137569 100644
--- a/variables.tf
+++ b/variables.tf
@@ -121,7 +121,7 @@ variable "pod_security_policy_groups" {
 variable "enable_network_policies" {
 type = bool
- default = true
+ default = false
 description = "Deploys additional kubernetes network policies for the namespace created"
 }
@@ -133,7 +133,7 @@ variable "network_policy_types" {
 variable "network_deny_all_policy" {
 type = bool
- default = false
+ default = true
 description = "Deploys a Deny-All Network Policy. Only granted CIDRs and Namespaces will be allowed."
 }

From 54fb59baca43676e65310cbb8c537954d0064a33 Mon Sep 17 00:00:00 2001
From: etwillbefine
Date: Wed, 2 Sep 2020 19:22:31 +0200
Subject: [PATCH 3/3] correct type passed to policy types

---
 network-policies.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/network-policies.tf b/network-policies.tf
index b98c923..eb10bf6 100644
--- a/network-policies.tf
+++ b/network-policies.tf
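Review bot: `network_policy_types` is handed straight to `policy_types` (patch 3 of the series) without any constraint on its values, while the Kubernetes API only accepts `"Ingress"` and `"Egress"`; a value such as `"egress"` surfaces only as an apply-time API error after the plan has already been approved. If the module targets Terraform 0.13 or later, a `validation` block on the variable catches it at plan time, e.g. `condition = length(setsubtract(var.network_policy_types, ["Ingress", "Egress"])) == 0` together with an `error_message` naming the two accepted values. The description `When choosing for example only Egress without a Deny Policy it will be allowed.` also leaves "it" unclear; I would reword it to state that a type not listed here stays unrestricted for the namespace's pods unless `network_deny_all_policy` is set.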
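Review bot: Flipping the default of `enable_network_policies` from `true` to `false` silently removes protection for every caller that relied on the old default: on their next apply Terraform plans the destruction of the namespace's deny-all and allow policies, and nothing in this module warns about it. The description on the next line still reads as if the policies were an additive extra and does not mention the change in default. I would mark this as a breaking change in the commit message and extend the description, e.g. `description = "Deploys additional kubernetes network policies for the namespace created. Defaults to false; callers that depended on the previous default of true must now set it explicitly."`. The default flip for `network_deny_all_policy` in the next hunk goes the other way and is a sensible secure default once policies are enabled.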
@@ -23,7 +23,7 @@ resource "kubernetes_network_policy" "allow" {
 }
 spec {
- policy_types = [var.network_policy_types]
+ policy_types = var.network_policy_types
 pod_selector {}
 ingress {
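Review bot: Passing the list directly is the right fix, but nothing at this line tells a reader how the rule blocks below interact with it: the `ingress` block (and presumably an `egress` block) is still rendered into the manifest whatever `var.network_policy_types` contains, and Kubernetes applies a policy only to the types named in `policyTypes`, so rules for an unlisted type have no effect and that direction stays unrestricted unless the deny-all policy covers it. A short comment would make that contract visible, e.g. `# Only the types listed here are enforced; rule blocks for an unlisted type are ignored by Kubernetes.`. The spec's rule blocks continue outside the hunk.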