Commit 63d08059 authored by John Skarbek's avatar John Skarbek

Locks down Kubernetes API from specific IP's

* This will prevent cluster API operations from being accessible outside
of the IP addresses provided
* The addresses in this commit are the IP's for the console servers in
their respective environment, plus the address for which our ops runner
utilizes for deploys
* This upgrades the module such that we can utilize more than one CIDR
range
* Using the individual IPs assigned to the nodes rather than a CIDR
range, since the IPs assigned to nodes vary widely
* By default, this module was previously allowing traffic on CIDR
0.0.0.0/0
  * This range will be replaced with those mentioned above
* This is only a change of the cluster configuration and does not
perform anything destructive
* If the IP's change for any of these nodes, this configuration MUST be
updated
parent ec14cb8c
......@@ -1823,7 +1823,13 @@ module "gitlab-gke" {
name = "gitlab-gke"
environment = var.environment
vpc = module.network.self_link
source = "git::ssh://git@ops.gitlab.net/gitlab-com/gl-infra/terraform-modules/google/gke.git?ref=v6.1.0"
source = "git::ssh://git@ops.gitlab.net/gitlab-com/gl-infra/terraform-modules/google/gke.git?ref=v7.0.0"
authorized_master_access = [
"35.229.103.65/32", # console-01-sv-gprd
"35.185.18.176/32", # runner-01-inf-ops
]
ip_cidr_range = var.subnetworks["gitlab-gke"]
disable_network_policy = "false"
dns_zone_name = var.dns_zone_name
......@@ -1912,7 +1912,13 @@ module "gitlab-gke" {
environment = var.environment
name = "gitlab-gke"
vpc = module.network.self_link
source = "git::ssh://git@ops.gitlab.net/gitlab-com/gl-infra/terraform-modules/google/gke.git?ref=v6.1.0"
source = "git::ssh://git@ops.gitlab.net/gitlab-com/gl-infra/terraform-modules/google/gke.git?ref=v7.0.0"
authorized_master_access = [
"35.231.92.80/32", # console-01-sv-gstg
"35.185.18.176/32", # runner-01-inf-ops
]
ip_cidr_range = var.subnetworks["gitlab-gke"]
disable_network_policy = "false"
dns_zone_name = var.dns_zone_name
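Review bot: The runner address `35.185.18.176/32` is typed as a literal in both `authorized_master_access` lists (the gprd hunk at 1823 and the gstg hunk at 1912), tied to the resource that owns it only by a trailing comment, so the "MUST be updated if the IPs change" obligation in the commit message is enforced by nothing in the plan. I would hoist the shared entry into one place both module calls read, e.g. a `locals` block with `ops_runner_cidrs = ["35.185.18.176/32"]` and `authorized_master_access = concat(local.ops_runner_cidrs, ["35.229.103.65/32"])`, or better derive the entries with `data "google_compute_address"` / `data "google_compute_instance"` lookups so a re-assigned address updates the allowlist on the next plan instead of leaving a released /32 on it (a released GCP static IP can later be attached to another tenant's instance). A comment next to the list should also state what this does not cover: on a cluster with a public endpoint, master authorized networks restrict only that endpoint, traffic from inside the VPC still reaches the control plane, and as I recall GKE at this time also admitted Google Cloud public IP ranges by default, which is worth confirming against the GKE docs for the version in use. Finally, this is a major module bump (v6.1.0 to v7.0.0); the message states nothing destructive happens, but the module changelog should be checked for other defaults that moved in that release before this is applied to gprd.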