selkies-project / selkies-operator

K8s operator for per-user stateful workloads
https://selkies.io
Apache License 2.0

Load Balancer Security Policy #19

Closed reisbel closed 2 years ago

reisbel commented 3 years ago

Added support for the configuration of a Security Policy for the Google Cloud Load Balancer.

Example - Enable Security Policy:

Create a file with the Security Policy values; the lb_security_policy_rules can be implemented with the Google Cloud Armor custom rules language.

cat > selkies-cluster-min.auto.tfvars <<EOF
lb_security_policy_enabled             = true
lb_security_policy_delete              = false
lb_security_policy_default_rule_action = "deny(403)"
lb_security_policy_rules = [
  {
    action      = "deny(403)"
    priority    = 900
    expression  = "origin.region_code == 'IN'"
    description = "Deny access to requests originated from India"
  },
  {
    action      = "allow"
    priority    = 1000
    expression  = "inIpRange(origin.ip, '1.2.3.4/32')"
    description = "Allow traffic from 1.2.3.4/32"
  }
]
EOF

Execute terraform plan from the setup/infra folder to inspect the proposed changes

(cd setup/infra && gcloud builds submit --project ${PROJECT_ID?} --substitutions=_ACTION=plan )

Execute terraform apply from the setup/infra folder to apply the changes

(cd setup/infra && gcloud builds submit --project ${PROJECT_ID?} --substitutions=_ACTION=apply )

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| lb_security_policy_enabled | Enable Load Balancer Security Policy. A Security Policy defines a policy that protects load balanced Google Cloud services by permitting traffic only from specified IP ranges or geographical locations | bool | false | no |
| lb_security_policy_delete | Set this in 2-pass security_policy removal after running with lb_security_policy_enabled = false to remove the security_policy resource without dependency issues with the backend service | bool | true | no |
| lb_security_policy_rules | A security policy contains one or more rules. Rules tell your security policy what to do (action) and when to do it (expression). | list | * Allow all rule | no |
| lb_security_policy_default_rule_action | By default, for each policy you have to configure the default rule that allows/denies all traffic with the lowest priority (2147483647). Possible values allow, deny(403), deny(404), deny(502) | string | deny(403) | no |

* Allow all rule:

[
  {
    action      = "allow"
    priority    = 1000
    expression  = "inIpRange(origin.ip, '0.0.0.0/0')"
    description = "Allow all the traffic"
  }
]
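The following is an added example, not code from the selkies-operator PR or project. It takes the rule list and default action from the PR above as plain Python data (instead of HCL) and does two things a reviewer would want before running terraform apply: it sanity-checks the rules (valid actions, priorities in range and unique, and the caveat that an allow rule over 0.0.0.0/0 such as the module's own default "Allow all rule" fires before a deny default, so that default never applies), and it simulates priority-ordered evaluation to show that the deny(403) rule at priority 900 wins over the allow at priority 1000 for a request that matches both. It supports only the two expression forms the PR shows, origin.region_code == 'XX' and inIpRange(origin.ip, 'CIDR'); that subset is an assumption of this example, the real Cloud Armor rules language is richer.

```python
"""Offline checker and evaluator for a Cloud Armor style rule list.

Added example; not part of the selkies-operator project. Only the two
expression forms shown in the PR are understood (assumption).
"""
import ipaddress
import re

VALID_ACTIONS = {"allow", "deny(403)", "deny(404)", "deny(502)"}
DEFAULT_RULE_PRIORITY = 2147483647  # reserved for the policy's default rule

# The two rules from the PR's tfvars example, rewritten as Python dicts.
PAGE_RULES = [
    {"action": "deny(403)", "priority": 900,
     "expression": "origin.region_code == 'IN'",
     "description": "Deny access to requests originated from India"},
    {"action": "allow", "priority": 1000,
     "expression": "inIpRange(origin.ip, '1.2.3.4/32')",
     "description": "Allow traffic from 1.2.3.4/32"},
]

# The module's default "Allow all rule" from the Inputs table.
ALLOW_ALL_RULES = [
    {"action": "allow", "priority": 1000,
     "expression": "inIpRange(origin.ip, '0.0.0.0/0')",
     "description": "Allow all the traffic"},
]

_REGION_RE = re.compile(r"^origin\.region_code\s*==\s*'([A-Z]{2})'$")
_IPRANGE_RE = re.compile(r"^inIpRange\(origin\.ip,\s*'([^']+)'\)$")


def _parse_expression(expression):
    """Return ("region", code) or ("cidr", network); raise on anything else."""
    m = _REGION_RE.match(expression)
    if m:
        return "region", m.group(1)
    m = _IPRANGE_RE.match(expression)
    if m:
        return "cidr", ipaddress.ip_network(m.group(1), strict=False)
    raise ValueError(f"unsupported expression: {expression!r}")


def validate_rules(rules, default_action):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if default_action not in VALID_ACTIONS:
        findings.append(f"default rule: unknown action {default_action!r}")
    seen = set()
    for r in rules:
        tag = f"rule {r['priority']}"
        if r["action"] not in VALID_ACTIONS:
            findings.append(f"{tag}: unknown action {r['action']!r}")
        if not 0 <= r["priority"] < DEFAULT_RULE_PRIORITY:
            findings.append(f"{tag}: priority must be in 0..{DEFAULT_RULE_PRIORITY - 1}")
        if r["priority"] in seen:
            findings.append(f"{tag}: duplicate priority")
        seen.add(r["priority"])
        try:
            kind, value = _parse_expression(r["expression"])
        except ValueError as exc:
            findings.append(f"{tag}: {exc}")
            continue
        # An allow over 0.0.0.0/0 is evaluated before the default rule, so a
        # deny(...) default can never fire: the policy is effectively open.
        if (kind == "cidr" and value.prefixlen == 0
                and r["action"] == "allow" and default_action != "allow"):
            findings.append(f"{tag}: allows 0.0.0.0/0, so the {default_action} "
                            "default rule is unreachable")
    return findings


def evaluate(rules, default_action, origin_ip, region_code):
    """Return (action, description) for one request: the lowest priority
    number that matches wins; the default rule applies only when none do."""
    ip = ipaddress.ip_address(origin_ip)
    for r in sorted(rules, key=lambda rule: rule["priority"]):
        kind, value = _parse_expression(r["expression"])
        if (kind == "region" and region_code == value) or (kind == "cidr" and ip in value):
            return r["action"], r["description"]
    return default_action, "default rule"


if __name__ == "__main__":
    print("PR rules:", validate_rules(PAGE_RULES, "deny(403)"))
    print("allow-all default:", validate_rules(ALLOW_ALL_RULES, "deny(403)"))
    for ip, region in [("1.2.3.4", "IN"), ("1.2.3.4", "US"), ("9.9.9.9", "US")]:
        print(ip, region, "->", evaluate(PAGE_RULES, "deny(403)", ip, region))
```

Running it shows the ordering the PR relies on: a request from 1.2.3.4 with region code IN is denied by the priority-900 rule even though the priority-1000 rule would allow that address, while 9.9.9.9 falls through to the deny(403) default. The validator's finding on the module's default rule list is the practical caveat: until you supply your own lb_security_policy_rules, lb_security_policy_default_rule_action = "deny(403)" has no effect because the allow-all rule precedes it.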