Add Network Security Group

If you deployed the Azure infra with the Terraform script in this project, you might have noticed that no network security group is attached to kubernetes-vnet. While this setup works for a learning or development environment, it is best practice to secure the cluster.

In this post we will add a Network Security Group (NSG) to the infra we deployed on Azure.

Required Ports

The following ports must be open for the Kubernetes cluster to work.

Control-Plane node: table of required ports (shown as an image in the original)

Worker node: table of required ports (shown as an image in the original)

Source: Check required ports

Deploy Network Security Group

Go to the Terraform directory created during the Deploy Infra step.

{
cd terraform
ls
}

Output

deployazureinfra.tf    terraform.tfstate.backup
kubeadmin_ssh_privatekey.pem  terraform.tfstate

Download the nsg Terraform configuration file to this directory.

wget https://raw.githubusercontent.com/vyasanand/Kubernetes-deployments-and-add-ons/master/config/nsg.tf

Run the command below to validate the plan.

terraform.exe plan -var 'loc=southeastasia'

Output

Plan: 5 to add, 0 to change, 0 to destroy.

Run the command below to execute the plan, and enter yes when prompted for input.

terraform.exe apply -var 'loc=southeastasia'

Output

Plan: 5 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes
  .
  . <Skipping the extra part here>
  .
  Apply complete! Resources: 5 added, 0 changed, 0 destroyed.

Outputs:

tls_private_key = -----BEGIN RSA PRIVATE KEY-----
.
<Skipping the extra part here>

Validation

Run the commands below to list the rules of both NSGs.

{
az network nsg rule list -g kubernetes --nsg-name kubernetes-control-plane-nsg \
--query "[].{Name:name, Direction:direction, Priority:priority, Port:destinationPortRange}" -o table
az network nsg rule list -g kubernetes --nsg-name kubernetes-worker-nsg \
--query "[].{Name:name, Direction:direction, Priority:priority, Port:destinationPortRange}" -o table
}

Output

Name                                                Direction    Priority    Port
--------------------------------------------------  -----------  ----------  -----------
Kubelet_API_Kube_Scheduler_Kube_Controller_Manager  Inbound      120         10250-10252
SSH_Access                                          Inbound      130         22
Kubernetes_API_Server                               Inbound      100         6443
ETCD_Server_Client_API                              Inbound      110         2379-2380

Name                     Direction    Priority    Port
-----------------------  -----------  ----------  -----------
Node_Port_Service_Range  Inbound      110         30000-32767
Kubelet_API              Inbound      100         10250
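The same check, automated, as an added example that is not part of the original walkthrough: it takes the JSON form of the `az network nsg rule list` output (`-o json` instead of `-o table`) and compares it with the control-plane ports from the Required Ports section, also flagging any rule that opens a port other than the API server or SSH to every source. The rule objects embedded below are constructed to mirror the control-plane table above; their source prefixes are assumptions, since the table does not show them.

```python
# Ports the control-plane node must accept (Required Ports section above).
CONTROL_PLANE_REQUIRED = {6443: "kube-apiserver", 2379: "etcd", 2380: "etcd", 10250: "kubelet",
                          10251: "kube-scheduler", 10252: "kube-controller-manager"}

def _rule(name, priority, ports, source):  # one rule in the shape `az ... -o json` emits
    return {"name": name, "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
            "priority": priority, "sourceAddressPrefix": source,
            "destinationPortRange": ports, "destinationPortRanges": []}

# Constructed sample (added example): names, priorities and ports follow the table above; sources are assumed.
SAMPLE_RULES = [
    _rule("Kubernetes_API_Server", 100, "6443", "*"),
    _rule("ETCD_Server_Client_API", 110, "2379-2380", "VirtualNetwork"),
    _rule("Kubelet_API_Kube_Scheduler_Kube_Controller_Manager", 120, "10250-10252", "VirtualNetwork"),
    _rule("SSH_Access", 130, "22", "*"),
]

def _inbound_allow(r): return r["direction"] == "Inbound" and r["access"] == "Allow"

def rule_ports(rule):
    """Expand '2379-2380' style ranges into a set of ints; None means any port ('*')."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    ports = set()
    for r in ranges:
        if r in (None, "*"):
            return None
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def uncovered_ports(rules, required=CONTROL_PLANE_REQUIRED):
    """Required ports that no Inbound Allow rule opens; empty means all are covered."""
    opened = set()
    for rule in filter(_inbound_allow, rules):
        ports = rule_ports(rule)
        if ports is None:  # a wildcard rule opens everything
            return {}
        opened |= ports
    return {p: svc for p, svc in required.items() if p not in opened}

def internet_exposed(rules, expected=frozenset({6443, 22})):
    """Allow rules open to any source on ports beyond the API server and SSH (a finding)."""
    hits = []
    for rule in filter(_inbound_allow, rules):
        if rule.get("sourceAddressPrefix") not in ("*", "Internet", "0.0.0.0/0"):
            continue
        ports = rule_ports(rule)
        if ports is None or ports - expected:
            hits.append(rule["name"])
    return hits
```

Feed it the real output with `az network nsg rule list -g kubernetes --nsg-name kubernetes-control-plane-nsg -o json` loaded via `json.load`; a non-empty result from either function is what the NSG change should not leave behind.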

Run the command below to validate SSH connectivity to the hosts.

# ~/ips.txt holds one node public IP per line
for ip in $(cat ~/ips.txt)
do
  ssh -i kubeadmin_ssh_privatekey.pem "kubeadmin@$ip" "hostname -s"
done

Output

X11 forwarding request failed on channel 0
kubernetes-1
ssh: connect to host 52.139.198.193 port 22: Connection timed out
ssh: connect to host 52.139.198.189 port 22: Connection timed out

As expected, only the Control-Plane node can now be reached over SSH from outside. The Worker nodes remain reachable from it, since the NSG's default AllowVnetInBound rule still permits traffic from within the VNet.

Next: Add a New Worker Node, or Run the Validation Steps on the Kubernetes cluster to make sure the NSG deployment has no impact.