Security: - Remove DNAT/FW rules for K8s API (6443) and ArgoCD (30443) - Access now via SSH tunnel (k8s-tunnel.service on control plane) - Keep monitoring DNAT (9200-9202) restricted to control plane IP Scaling: - k8s-master: 4 CPU, 16GB RAM, 100GB disk - k8s-worker-01: 6 CPU, 24GB RAM, 450GB disk - k8s-worker-02: 6 CPU, 24GB RAM, 450GB disk (NEW) - Total: 16 CPU, 64GB RAM, 1TB disk (half of bare_srv_1)
# Kubernetes cluster — Phase 6
# VMs on NAT bridge vmbr0 (10.10.10.200-202)
# kubeadm v1.31 + containerd + Calico
#
# Access: the K8s API (6443) and ArgoCD (30443) are reached only through an
#   SSH tunnel from the control plane (k8s-tunnel.service).
# Monitoring: node_exporter is exposed through DNAT on 9200-9202. The DNAT
#   mappings themselves are defined outside this file; the node-level firewall
#   rule below (k8s_monitoring_access) admits those ports from the control
#   plane IP only.
# No public DNAT for the K8s API or ArgoCD — security hardened.
locals {
  # Sizing shared by both worker VMs; the master uses its own smaller profile.
  k8s_worker_size = {
    cpu_cores = 6
    ram_mb    = 24576
    disk_gb   = 450
  }

  # Cluster inventory: node name -> Proxmox VM id, static address on vmbr0 and
  # sizing. Consumed by module "k8s_node" via for_each, so the map keys become
  # the VM names.
  k8s_nodes = {
    "k8s-master" = {
      vm_id      = 300
      ip_address = "10.10.10.200"
      cpu_cores  = 4
      ram_mb     = 16384
      disk_gb    = 100
    }
    "k8s-worker-01" = merge(local.k8s_worker_size, {
      vm_id      = 301
      ip_address = "10.10.10.201"
    })
    "k8s-worker-02" = merge(local.k8s_worker_size, {
      vm_id      = 302
      ip_address = "10.10.10.202"
    })
  }
}
module "k8s_node" {
  source   = "../../modules/k8s-node"
  for_each = local.k8s_nodes

  # Identity and addressing — the map key doubles as the VM name.
  name       = each.key
  vm_id      = each.value.vm_id
  ip_address = each.value.ip_address

  # Sizing, taken verbatim from local.k8s_nodes.
  cpu_cores = each.value.cpu_cores
  ram_mb    = each.value.ram_mb
  disk_gb   = each.value.disk_gb

  # Ordering only: the cloud image must exist before any node is created
  # (presumably the module clones it — confirm in ../../modules/k8s-node).
  depends_on = [proxmox_virtual_environment_download_file.ubuntu_2404_cloud]
}
# ─── Proxmox node-level FW — monitoring only (K8s API/ArgoCD via SSH tunnel) ─
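locals {
  # Single source of truth for the only host allowed to reach the node_exporter
  # DNAT ports (the "control plane IP" from the header comment). Previously this
  # address was repeated in every rule; one copy means one place to update and
  # no risk of the three rules drifting apart.
  k8s_monitoring_source = "78.109.17.180"

  # Host-side DNAT port -> VM whose node_exporter it forwards to. The DNAT
  # mappings themselves are not in this file; keep this table in sync with them
  # when a node is added or removed.
  k8s_monitoring_targets = {
    "9200" = "k8s-master"
    "9201" = "k8s-worker-01"
    "9202" = "k8s-worker-02"
  }
}

# Accept TCP 9200-9202 on node georgeops only from the control plane IP.
# Nothing else (K8s API 6443, ArgoCD 30443) is opened here; those are reached
# through the SSH tunnel.
#
# NOTE(review): these are ACCEPT rules only. Whether unmatched inbound traffic
# is dropped depends on the node firewall's input policy, which is configured
# outside this file — confirm it is DROP, otherwise the source restriction is
# not actually enforced.
# NOTE(review): node-level rules govern traffic addressed to the host itself.
# If 9200-9202 are DNATed in PREROUTING to VM addresses/ports, the forwarded
# flow may be evaluated on a different path (post-DNAT port, forward chain)
# where these rules do not match — verify that a probe from a non-allowed
# source is refused, or carry the source restriction on the DNAT rules too.
resource "proxmox_virtual_environment_firewall_rules" "k8s_monitoring_access" {
  node_name = "georgeops"

  # One rule per DNAT port. Map keys iterate in lexical order, so the rules are
  # emitted as 9200, 9201, 9202 — the same order (and rule positions) as before.
  dynamic "rule" {
    for_each = local.k8s_monitoring_targets
    content {
      type    = "in"
      action  = "ACCEPT"
      proto   = "tcp"
      dport   = rule.key
      source  = local.k8s_monitoring_source
      comment = "${rule.value} node_exporter (DNAT)"
    }
  }
}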
output "k8s_nodes" {
  description = "K8s cluster nodes"

  # Node name -> { vm_id, ip_address } for every instance of module "k8s_node".
  # Only the identifiers are exported; sizing stays internal to local.k8s_nodes.
  value = {
    for node_name, node in module.k8s_node :
    node_name => {
      ip_address = node.ip_address
      vm_id      = node.vm_id
    }
  }
}