K8s security hardening + scaling to half bare_srv_1

Security:
- Remove DNAT/FW rules for K8s API (6443) and ArgoCD (30443)
- Access now via SSH tunnel (k8s-tunnel.service on control plane)
- Keep monitoring DNAT (9200-9202) restricted to control plane IP

Scaling:
- k8s-master: 4 CPU, 16GB RAM, 100GB disk
- k8s-worker-01: 6 CPU, 24GB RAM, 450GB disk
- k8s-worker-02: 6 CPU, 24GB RAM, 450GB disk (NEW)
- Total: 16 CPU, 64GB RAM, 1TB disk (half of bare_srv_1)

environments/production/k8s-cluster.tf

@@ -1,21 +1,33 @@
-# Kubernetes PoC cluster — Phase 6
-# 2 VMs on NAT bridge vmbr0 (10.10.10.200-201)
-# kubeadm + containerd + Calico
+# Kubernetes cluster — Phase 6
+# VMs on NAT bridge vmbr0 (10.10.10.200-202)
+# kubeadm v1.31 + containerd + Calico
 #
-# Access: DNAT 6443 from bare_srv_1 public IP → k8s-master
-# Firewall: Proxmox FW on node level restricts 6443 to control plane IP
-#
-# Cloud image dependency: proxmox_virtual_environment_download_file.ubuntu_2404_cloud (in main.tf)
+# Access: SSH tunnel from control plane (k8s-tunnel.service)
+# Monitoring: DNAT 9200-9202 from control plane IP only
+# No public DNAT for K8s API or ArgoCD — security hardened
 
 locals {
   k8s_nodes = {
     "k8s-master" = {
       vm_id      = 300
       ip_address = "10.10.10.200"
+      cpu_cores  = 4
+      ram_mb     = 16384
+      disk_gb    = 100
     }
     "k8s-worker-01" = {
       vm_id      = 301
       ip_address = "10.10.10.201"
+      cpu_cores  = 6
+      ram_mb     = 24576
+      disk_gb    = 450
+    }
+    "k8s-worker-02" = {
+      vm_id      = 302
+      ip_address = "10.10.10.202"
+      cpu_cores  = 6
+      ram_mb     = 24576
+      disk_gb    = 450
     }
   }
 }
@@ -27,33 +39,18 @@ module "k8s_node" {
   name       = each.key
   vm_id      = each.value.vm_id
   ip_address = each.value.ip_address
+  cpu_cores  = each.value.cpu_cores
+  ram_mb     = each.value.ram_mb
+  disk_gb    = each.value.disk_gb
 
   depends_on = [proxmox_virtual_environment_download_file.ubuntu_2404_cloud]
 }
 
-# ─── Proxmox node-level FW — allow K8s API + ArgoCD from control plane ──────
+# ─── Proxmox node-level FW — monitoring only (K8s API/ArgoCD via SSH tunnel) ─
 
-resource "proxmox_virtual_environment_firewall_rules" "k8s_api_access" {
+resource "proxmox_virtual_environment_firewall_rules" "k8s_monitoring_access" {
   node_name = "georgeops"
 
-  rule {
-    type    = "in"
-    action  = "ACCEPT"
-    proto   = "tcp"
-    dport   = "6443"
-    source  = "78.109.17.180"
-    comment = "K8s API from control plane (DNAT to k8s-master)"
-  }
-
-  rule {
-    type    = "in"
-    action  = "ACCEPT"
-    proto   = "tcp"
-    dport   = "30443"
-    source  = "78.109.17.180"
-    comment = "ArgoCD UI from control plane (DNAT to k8s-master)"
-  }
-
   rule {
     type    = "in"
     action  = "ACCEPT"
@@ -71,6 +68,15 @@ resource "proxmox_virtual_environment_firewall_rules" "k8s_api_access" {
     source  = "78.109.17.180"
     comment = "k8s-worker-01 node_exporter (DNAT)"
   }
+
+  rule {
+    type    = "in"
+    action  = "ACCEPT"
+    proto   = "tcp"
+    dport   = "9202"
+    source  = "78.109.17.180"
+    comment = "k8s-worker-02 node_exporter (DNAT)"
+  }
 }
 
 output "k8s_nodes" {