From 07ad5ecfcecdc2b7b2eeba1eaacbbef225059274 Mon Sep 17 00:00:00 2001
From: Fredrik Liv <fredrik.liv@elastisys.com>
Date: Thu, 1 Dec 2022 06:36:26 +0100
Subject: [PATCH] [upcloud] Fixed issue where DNS would be blocked while using
 allowlist (#9510)

* [upcloud] Fixed issue where DNS would be blocked while using allowlist

* Missed one NTP rule
---
 .../modules/kubernetes-cluster/main.tf        | 68 +++++++++++++------
 1 file changed, 48 insertions(+), 20 deletions(-)

diff --git a/contrib/terraform/upcloud/modules/kubernetes-cluster/main.tf b/contrib/terraform/upcloud/modules/kubernetes-cluster/main.tf
index c6d27ae82..afa801948 100644
--- a/contrib/terraform/upcloud/modules/kubernetes-cluster/main.tf
+++ b/contrib/terraform/upcloud/modules/kubernetes-cluster/main.tf
@@ -251,8 +251,8 @@ resource "upcloud_firewall_rules" "master" {
     content {
       action                 = "accept"
       comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
       direction              = "in"
       family                 = "IPv4"
       protocol               = firewall_rule.value
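Review bot: Matching inbound traffic on `source_port_start`/`source_port_end` = "53" alone accepts any packet whose source port is 53 regardless of its destination port, so unless this `content` block also constrains `source_address_start`/`source_address_end` to the UpCloud resolver addresses (the hunk ends at `protocol`, so that is not visible here), the default-deny rule at the end of the resource no longer narrows what reaches the node. Matching on source port is the right shape for admitting replies to outbound queries on a firewall that does not track connection state, which appears to be the situation the commit addresses, but the source-address constraint is what keeps such a rule tight and should be confirmed present on every rewritten block. The same point applies to the other DNS hunks and to all NTP (port 123) hunks in both the `master` and `k8s` resources, including the two newly added IPv6 NTP blocks. A comment such as `# replies to outbound DNS queries (firewall does not track state): keep source_address_* pinned to the resolver addresses` on each block would record why the port is on the source side and what the rule relies on. The enclosing `content` and `dynamic firewall_rule` blocks start before and end after this hunk.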
@@ -267,8 +267,8 @@ resource "upcloud_firewall_rules" "master" {
     content {
       action                 = "accept"
       comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
       direction              = "in"
       family                 = "IPv4"
       protocol               = firewall_rule.value
@@ -283,8 +283,8 @@ resource "upcloud_firewall_rules" "master" {
     content {
       action                 = "accept"
       comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
       direction              = "in"
       family                 = "IPv6"
       protocol               = firewall_rule.value
@@ -299,8 +299,8 @@ resource "upcloud_firewall_rules" "master" {
     content {
       action                 = "accept"
       comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
       direction              = "in"
       family                 = "IPv6"
       protocol               = firewall_rule.value
@@ -315,8 +315,8 @@ resource "upcloud_firewall_rules" "master" {
     content {
       action                 = "accept"
       comment                = "NTP Port"
-      destination_port_end   = "123"
-      destination_port_start = "123"
+      source_port_end        = "123"
+      source_port_start      = "123"
       direction              = "in"
       family                 = "IPv4"
       protocol               = firewall_rule.value
@@ -325,6 +325,20 @@ resource "upcloud_firewall_rules" "master" {
     }
   }
 
+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "NTP Port"
+      source_port_end        = "123"
+      source_port_start      = "123"
+      direction              = "in"
+      family                 = "IPv6"
+      protocol               = firewall_rule.value
+    }
+  }
+
   firewall_rule {
     action    = var.firewall_default_deny_in ? "drop" : "accept"
     direction = "in"
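Review bot: The added IPv6 NTP block is a verbatim copy of the IPv4 block above it with only `family` changed, and the same copy is repeated in the `k8s` resource, so each resource now carries six near-identical `dynamic firewall_rule` blocks that must be kept in sync by hand (this commit's own "Missed one NTP rule" follow-up shows the cost of that). Driving them from a single `locals` list of `{ comment, port, family, protocols }` entries with one `dynamic` block per resource would make future port or address changes a one-line edit. At minimum, the `comment` could distinguish the two rules, e.g. `comment = "NTP Port (IPv6)"`, so the resulting firewall listing is readable. The trailing `firewall_rule` block that applies `var.firewall_default_deny_in` starts at the end of this hunk and closes outside it.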
@@ -394,8 +408,8 @@ resource "upcloud_firewall_rules" "k8s" {
     content {
       action                 = "accept"
       comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
       direction              = "in"
       family                 = "IPv4"
       protocol               = firewall_rule.value
@@ -410,8 +424,8 @@ resource "upcloud_firewall_rules" "k8s" {
     content {
       action                 = "accept"
       comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
       direction              = "in"
       family                 = "IPv4"
       protocol               = firewall_rule.value
@@ -426,8 +440,8 @@ resource "upcloud_firewall_rules" "k8s" {
     content {
       action                 = "accept"
       comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
       direction              = "in"
       family                 = "IPv6"
       protocol               = firewall_rule.value
@@ -442,8 +456,8 @@ resource "upcloud_firewall_rules" "k8s" {
     content {
       action                 = "accept"
       comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
       direction              = "in"
       family                 = "IPv6"
       protocol               = firewall_rule.value
@@ -458,8 +472,8 @@ resource "upcloud_firewall_rules" "k8s" {
     content {
       action                 = "accept"
       comment                = "NTP Port"
-      destination_port_end   = "123"
-      destination_port_start = "123"
+      source_port_end        = "123"
+      source_port_start      = "123"
       direction              = "in"
       family                 = "IPv4"
       protocol               = firewall_rule.value
@@ -468,6 +482,20 @@ resource "upcloud_firewall_rules" "k8s" {
     }
   }
 
+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "NTP Port"
+      source_port_end        = "123"
+      source_port_start      = "123"
+      direction              = "in"
+      family                 = "IPv6"
+      protocol               = firewall_rule.value
+    }
+  }
+
   firewall_rule {
     action    = var.firewall_default_deny_in ? "drop" : "accept"
     direction = "in"
-- 
GitLab