Merge pull request 'K8s security hardening + scaling to 16 CPU / 64GB / 1TB' (#65) from k8s-hardening-scaling into main
This commit is contained in:
commit
a58f11eaf3
@ -1,21 +1,33 @@
|
||||
# Kubernetes PoC cluster — Phase 6
|
||||
# 2 VMs on NAT bridge vmbr0 (10.10.10.200-201)
|
||||
# kubeadm + containerd + Calico
|
||||
# Kubernetes cluster — Phase 6
|
||||
# VMs on NAT bridge vmbr0 (10.10.10.200-202)
|
||||
# kubeadm v1.31 + containerd + Calico
|
||||
#
|
||||
# Access: DNAT 6443 from bare_srv_1 public IP → k8s-master
|
||||
# Firewall: Proxmox FW on node level restricts 6443 to control plane IP
|
||||
#
|
||||
# Cloud image dependency: proxmox_virtual_environment_download_file.ubuntu_2404_cloud (in main.tf)
|
||||
# Access: SSH tunnel from control plane (k8s-tunnel.service)
|
||||
# Monitoring: DNAT 9200-9202 from control plane IP only
|
||||
# No public DNAT for K8s API or ArgoCD — security hardened
|
||||
|
||||
locals {
|
||||
k8s_nodes = {
|
||||
"k8s-master" = {
|
||||
vm_id = 300
|
||||
ip_address = "10.10.10.200"
|
||||
cpu_cores = 4
|
||||
ram_mb = 16384
|
||||
disk_gb = 100
|
||||
}
|
||||
"k8s-worker-01" = {
|
||||
vm_id = 301
|
||||
ip_address = "10.10.10.201"
|
||||
cpu_cores = 6
|
||||
ram_mb = 24576
|
||||
disk_gb = 450
|
||||
}
|
||||
"k8s-worker-02" = {
|
||||
vm_id = 302
|
||||
ip_address = "10.10.10.202"
|
||||
cpu_cores = 6
|
||||
ram_mb = 24576
|
||||
disk_gb = 450
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -27,33 +39,18 @@ module "k8s_node" {
|
||||
name = each.key
|
||||
vm_id = each.value.vm_id
|
||||
ip_address = each.value.ip_address
|
||||
cpu_cores = each.value.cpu_cores
|
||||
ram_mb = each.value.ram_mb
|
||||
disk_gb = each.value.disk_gb
|
||||
|
||||
depends_on = [proxmox_virtual_environment_download_file.ubuntu_2404_cloud]
|
||||
}
|
||||
|
||||
# ─── Proxmox node-level FW — allow K8s API + ArgoCD from control plane ──────
|
||||
# ─── Proxmox node-level FW — monitoring only (K8s API/ArgoCD via SSH tunnel) ─
|
||||
|
||||
resource "proxmox_virtual_environment_firewall_rules" "k8s_api_access" {
|
||||
resource "proxmox_virtual_environment_firewall_rules" "k8s_monitoring_access" {
|
||||
node_name = "georgeops"
|
||||
|
||||
rule {
|
||||
type = "in"
|
||||
action = "ACCEPT"
|
||||
proto = "tcp"
|
||||
dport = "6443"
|
||||
source = "78.109.17.180"
|
||||
comment = "K8s API from control plane (DNAT to k8s-master)"
|
||||
}
|
||||
|
||||
rule {
|
||||
type = "in"
|
||||
action = "ACCEPT"
|
||||
proto = "tcp"
|
||||
dport = "30443"
|
||||
source = "78.109.17.180"
|
||||
comment = "ArgoCD UI from control plane (DNAT to k8s-master)"
|
||||
}
|
||||
|
||||
rule {
|
||||
type = "in"
|
||||
action = "ACCEPT"
|
||||
@ -71,6 +68,15 @@ resource "proxmox_virtual_environment_firewall_rules" "k8s_api_access" {
|
||||
source = "78.109.17.180"
|
||||
comment = "k8s-worker-01 node_exporter (DNAT)"
|
||||
}
|
||||
|
||||
rule {
|
||||
type = "in"
|
||||
action = "ACCEPT"
|
||||
proto = "tcp"
|
||||
dport = "9202"
|
||||
source = "78.109.17.180"
|
||||
comment = "k8s-worker-02 node_exporter (DNAT)"
|
||||
}
|
||||
}
|
||||
|
||||
output "k8s_nodes" {
|
||||
|
||||
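Review bot: Removing the 6443 and 30443 ACCEPT rules from the node-level rule set only stops that traffic if the `georgeops` node firewall is enabled with a DROP/REJECT input policy, and neither that setting nor the DNAT rules the new file header says are gone appear anywhere in this change, so the "No public DNAT for K8s API or ArgoCD" claim cannot be verified from what is committed. If the policy is set in a firewall-options resource elsewhere, a comment under the new section header such as `# Effective only while the node FW is enabled with input policy DROP — see the firewall options resource` would tie the two together; if the DNAT entries for 6443/30443 still exist, deleting them belongs in this commit. Renaming the resource from `k8s_api_access` to `k8s_monitoring_access` without a `moved` block mapping the old address to the new one makes Terraform destroy and recreate the rule set, which drops the remaining monitoring allows for the duration of the apply. The allow-list source `78.109.17.180` is repeated verbatim in every rule, including the 9202 rule added in the following hunk; a local such as `control_plane_ip` would keep that single trusted address in one place when it changes.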
@ -30,6 +30,10 @@ resource "proxmox_virtual_environment_file" "cloud_init" {
|
||||
})
|
||||
file_name = "ci-${var.name}.yaml"
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
ignore_changes = [source_raw]
|
||||
}
|
||||
}
|
||||
|
||||
# ─── VM ───────────────────────────────────────────────────────────────────────
|
||||
@ -86,4 +90,12 @@ resource "proxmox_virtual_environment_vm" "k8s_node" {
|
||||
servers = ["8.8.8.8", "1.1.1.1"]
|
||||
}
|
||||
}
|
||||
|
||||
# Cloud-init changes should NOT trigger VM replacement.
|
||||
# CPU/RAM/disk changes are safe in-place updates.
|
||||
lifecycle {
|
||||
ignore_changes = [
|
||||
initialization[0].user_data_file_id,
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
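Review bot: With `ignore_changes = [source_raw]` on the `cloud_init` file resource, together with the matching ignore of `initialization[0].user_data_file_id` in the second hunk, any later edit to the rendered cloud-init — a rotated SSH key, a removed user, a changed hardening setting — is never pushed to the snippet or to the VM, so the template will describe credentials and users that no longer match what the machine booted with. The comment added above the VM lifecycle block states what the ignore prevents but not this consequence; I would extend it with `# Consequence: users/SSH keys in the template are applied at first boot only — rotate them in-guest, or force with terraform apply -replace=<vm address>.` and put the same one-liner on the `cloud_init` file's lifecycle block, which currently carries no comment at all. Both enclosing resources start outside their hunks.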