Closed ppiechoc closed 6 months ago
Thanks for the fix. I think there are still cases in the Workers NSG accepting ingress from FSS NSG which use destination port instead of source port:
https://github.com/oracle-terraform-modules/terraform-oci-oke/blob/b9a02e56d41dca34dce6c8eeb691aada2d42bfe0/modules/network/nsg-workers.tf#L93
https://github.com/oracle-terraform-modules/terraform-oci-oke/blob/b9a02e56d41dca34dce6c8eeb691aada2d42bfe0/modules/network/nsg-workers.tf#L96
https://github.com/oracle-terraform-modules/terraform-oci-oke/blob/b9a02e56d41dca34dce6c8eeb691aada2d42bfe0/modules/network/nsg-workers.tf#L99
Terraform Version and Provider Version
Affected Resource(s)
module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow TCP egress from workers for NFS portmapper to FSS mounts"]
module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow TCP egress from workers for NFS to FSS mounts"]
module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow TCP ingress to workers for NFS from FSS mounts"]
module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow TCP ingress to workers for NFS portmapper from FSS mounts"]
module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow UDP egress from workers for NFS portmapper to FSS mounts"]
module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow UDP egress from workers for NFS to FSS mounts"]
module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow UDP ingress to workers for NFS portmapper from FSS mounts"]
Terraform Configuration Files
Debug Output
N/A
Panic Output
N/A
Expected Behavior
Generated NSG rules should match the documentation for FSS.
Actual Behavior
There are two differences:
- The FSS NSG opens TCP ingress and egress for port range 30000-32767 instead of the documented 2048-2050. Looking in the code, it uses the OKE NodePort range (locals: node_port_min, node_port_max) in place of the FSS port range (locals: fss_nfs_port_min, fss_nfs_port_max). The correct range is used in the Workers NSG on the other side of the connection.
- The documentation specifies opening the reverse path from source ports 111, 2048, 2049, 2050 to ALL destination client ports (in this case the worker's). The FSS and Worker NSGs created by the Terraform instead open the path from ALL FSS Mount Target source ports to the worker's destination ports 111, 2048, 2049, 2050.
Steps to Reproduce
Create FSS and Workers NSG with FSS enabled.
Important Factoids
References
Documentation: https://docs.oracle.com/en-us/iaas/Content/File/Tasks/securitylistsfilestorage.htm
Node Port range used in FSS NSG TF code (ingress): https://github.com/oracle-terraform-modules/terraform-oci-oke/blob/9d22e9b8104cd4777ee21b864e0fb263020baca1/modules/network/nsg-fss.tf#L30
Node Port range used in FSS NSG TF code (egress): https://github.com/oracle-terraform-modules/terraform-oci-oke/blob/9d22e9b8104cd4777ee21b864e0fb263020baca1/modules/network/nsg-fss.tf#L41
Portmapper port used in FSS NSG TF code egress as destination instead of source (issue exists in other places as well): https://github.com/oracle-terraform-modules/terraform-oci-oke/blob/9d22e9b8104cd4777ee21b864e0fb263020baca1/modules/network/nsg-fss.tf#L35
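The two defects reported above (the NodePort range standing in for the FSS range, and the FSS port placed on the destination side of a reverse-path rule) are easy to miss in a review of generated NSG rules, because every rule still "mentions" the right port. The following is an added checker, not code from terraform-oci-oke or from the issue author: it models a rule with the same fields as the provider's `oci_core_network_security_group_security_rule` resource (direction, protocol, and the `source_port_range` / `destination_port_range` of its `tcp_options` or `udp_options`) and applies the documented pattern for each NSG side. The worker rule descriptions come from the issue; the FSS-side descriptions and all port values in `EXAMPLE_RULES` are constructed to reproduce the two defects and their corrected forms.

```python
"""Audit OCI NSG security rules for NFS/FSS against the documented port pattern.

Constructed example, not code from terraform-oci-oke. Rule fields mirror the
attributes of the provider's oci_core_network_security_group_security_rule
(direction, protocol, and the source_port_range / destination_port_range inside
tcp_options or udp_options). Port values in EXAMPLE_RULES are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]

# Ports named in the FSS documentation: portmapper and the NFS range.
PORTMAPPER: PortRange = (111, 111)
FSS_NFS: PortRange = (2048, 2050)
# OKE NodePort range; the issue reports it was used in place of FSS_NFS.
NODE_PORT: PortRange = (30000, 32767)


@dataclass
class Rule:
    description: str
    direction: str                                      # "INGRESS" or "EGRESS"
    protocol: str                                       # OCI protocol number: "6" TCP, "17" UDP
    source_port_range: Optional[PortRange] = None       # None = all ports
    destination_port_range: Optional[PortRange] = None  # None = all ports


def within(inner: PortRange, outer: PortRange) -> bool:
    return outer[0] <= inner[0] <= inner[1] <= outer[1]


def is_fss_port(rng: PortRange) -> bool:
    return within(rng, PORTMAPPER) or within(rng, FSS_NFS)


def is_reverse_path(side: str, direction: str) -> bool:
    """The worker (NFS client) initiates; the FSS mount target replies.
    Forward path (worker EGRESS, fss INGRESS): the FSS port is the destination.
    Reverse path (fss EGRESS, worker INGRESS): the FSS port is the source and the
    destination (the client's ephemeral port) must stay open to all ports."""
    return (side, direction) in {("worker", "INGRESS"), ("fss", "EGRESS")}


def check_rule(side: str, rule: Rule) -> List[str]:
    """Return findings for one rule attached to the 'worker' or 'fss' NSG."""
    if is_reverse_path(side, rule.direction):
        want, have = "source_port_range", "destination_port_range"
        expected, other = rule.source_port_range, rule.destination_port_range
    else:
        want, have = "destination_port_range", "source_port_range"
        expected, other = rule.destination_port_range, rule.source_port_range

    findings: List[str] = []
    if expected is None and other is not None:
        # Defect 2 from the issue: the FSS port ended up on the wrong side.
        findings.append(f"{side} {rule.direction}: FSS port {other} is set as {have}; "
                        f"it must be the {want}, with {have} left open")
        return findings
    if expected is None:
        findings.append(f"{side} {rule.direction}: no {want} set; expected {PORTMAPPER} or {FSS_NFS}")
    elif within(expected, NODE_PORT):
        # Defect 1 from the issue: NodePort range instead of the FSS range.
        findings.append(f"{side} {rule.direction}: {want} {expected} is the NodePort range, expected {FSS_NFS}")
    elif not is_fss_port(expected):
        findings.append(f"{side} {rule.direction}: {want} {expected} is not an FSS port")
    if other is not None:
        findings.append(f"{side} {rule.direction}: {have} {other} should be left open (all ports)")
    return findings


def audit(rules_by_side: Dict[str, List[Rule]]) -> Dict[str, List[str]]:
    """Run check_rule over every rule; return only the rules that have findings."""
    report: Dict[str, List[str]] = {}
    for side, rules in rules_by_side.items():
        for rule in rules:
            findings = check_rule(side, rule)
            if findings:
                report[rule.description] = findings
    return report


# Constructed sample: two correct rules and one instance of each reported defect.
EXAMPLE_RULES: Dict[str, List[Rule]] = {
    "worker": [
        Rule("Allow TCP egress from workers for NFS to FSS mounts", "EGRESS", "6",
             destination_port_range=FSS_NFS),
        Rule("Allow TCP ingress to workers for NFS portmapper from FSS mounts", "INGRESS", "6",
             destination_port_range=PORTMAPPER),  # wrong side: should be source_port_range
    ],
    "fss": [  # FSS-side descriptions are constructed, not taken from nsg-fss.tf
        Rule("Allow TCP ingress to FSS mounts for NFS from workers", "INGRESS", "6",
             destination_port_range=NODE_PORT),   # NodePort range instead of FSS_NFS
        Rule("Allow TCP egress from FSS mounts for NFS to workers", "EGRESS", "6",
             source_port_range=FSS_NFS),
    ],
}

if __name__ == "__main__":
    for desc, findings in audit(EXAMPLE_RULES).items():
        print(desc)
        for finding in findings:
            print("  -", finding)
```

Running the module prints the two defective rules with their findings and stays silent on the two correct ones; the same `check_rule` logic can be pointed at the output of `terraform show -json` once the rule attributes have been mapped onto `Rule`.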