Terraform:使用azurerm_kubernetes_cluster创建AKS集群时指定网络安全组规则
我正在使用Terraform提供者版本1.19创建AKS集群。在创建集群时,我想指定网络安全组规则,但我不知道如何引用创建的安全组,因为生成的安全组具有随机数的名称。
类似于:
aks-代理-33577837-nsg
是否有方法引用所创建的nsg或至少输出名称中使用的随机数?
用于创建集群的配置:
resource "azurerm_resource_group" "k8s" {
name = "${var.resource_group_name}"
location = "${var.location}"
}
resource "azurerm_kubernetes_cluster" "k8s" {
name = "${var.cluster_name}"
location = "${azurerm_resource_group.k8s.location}"
resource_group_name = "${azurerm_resource_group.k8s.name}"
dns_prefix = "${var.dns_prefix}"
kubernetes_version = "${var.kubernetes_version}"
linux_profile {
admin_username = "azureuser"
ssh_key {
key_data = "${file("${var.ssh_public_key}")}"
}
}
agent_pool_profile {
name = "default"
count = "${var.agent_count}"
vm_size = "${var.vm_size}"
os_type = "Linux"
}
service_principal {
client_id = "${var.client_id}"
client_secret = "${var.client_secret}"
}
tags {
source = "terraform"
environment = "${var.environment}"
}
}这将生成一个安全组,我希望向其添加其他规则。下面是我要添加的规则,这样就可以检查nginx控制器的活性探针。
resource "azurerm_network_security_rule" "nginx_liveness_probe" {
name = "nginx_liveness"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "${var.nginx_liveness_probe_port}"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = "${azurerm_kubernetes_cluster.k8s.node_resource_group}"
network_security_group_name = How do I reference the auto-generated nsg ?
description = "Allow access to nginx liveness probe"
}回答 3
Stack Overflow用户
发布于 2021-01-27 15:19:38
回答你问题的解决方案是:
data "azurerm_resources" "example" {
resource_group_name = azurerm_kubernetes_cluster.example.node_resource_group
type = "Microsoft.Network/networkSecurityGroups"
}
output name_nsg {
value = data.azurerm_resources.example.resources.0.name
}
resource "azurerm_network_security_rule" "example" {
name = "example"
priority = 100
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_kubernetes_cluster.example.node_resource_group
network_security_group_name = data.azurerm_resources.example.resources.0.name
}。。然后以同样的方式加入你所有的规则。
一般来说,最好使用Azure Kubernetes服务对创建Kubernetes服务作出反应的自动化方式,而不要使用更多的Terraform (虽然下面的Kubernetes yaml也可以与Kubernetes地形提供者一起使用):
网络安全组过滤VM的通信量,例如AKS节点。在创建服务(如LoadBalancer )时,Azure平台会自动配置所需的任何网络安全组规则。不要手动配置网络安全组规则,以筛选AKS集群中豆荚的通信量。将任何必需的端口和转发定义为Kubernetes服务清单的一部分,并让Azure平台创建或更新适当的规则。您还可以使用网络策略(如下一节所述)自动将流量筛选规则应用于吊舱。
在当前的设置中,应该可以简单地为您想要泄露的端口创建一个Kubernetes服务。
例如,当我部署入口控制器时,Kubernetes服务的创建将触发使用NSG创建IP地址/负载平衡器:
apiVersion: v1
kind: Service
metadata:
name: ingress-ingress-nginx-controller
namespace: ingress
spec:
loadBalancerSourceRanges:
- 8.8.8.8/32
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress
app.kubernetes.io/name: ingress-nginx
type: LoadBalancer通过创建一个Kubernetes服务(LoadBalancer类型),该服务映射到所需的荚端口并指定了loadBalancerSourceRanges,可以为您的自定义目的地指定类似的设置。
apiVersion: v1
kind: Service
metadata:
name: mycustomservice
namespace: myownnamespace
spec:
loadBalancerSourceRanges:
- 8.8.8.8/32 # your source IPs
- 9.9.9.9/32
ports:
- name: myaccessport
port: 777
protocol: TCP
targetPort: mydestinationport
selector:
app.kubernetes.io/name: myapp
type: LoadBalancerStack Overflow用户
发布于 2019-07-18 12:01:41
有点晚了,但刚刚发现了这个问题。因此,对于那些仍在寻找解决方案的人来说,这就是我最后为AKS NSG命名所做的工作:
将此添加到提供AKS的*.tf文件中:
resource "azurerm_network_security_rule" "http" {
name = "YOUR_NAME"
priority = 102
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "80"
destination_port_range = "*"
source_address_prefixes = "${var.ips}"
destination_address_prefix = "${azurerm_public_ip.ingress.ip_address}"
resource_group_name = "${azurerm_kubernetes_cluster.test.node_resource_group}"
network_security_group_name = "${data.external.aks_nsg_name.result.output}"
depends_on = ["azurerm_resource_group.test"]
}
# get the NSG name
data "external" "aks_nsg_name" {
program = [
"bash",
"${path.root}/scripts/aks_nsg_name.sh"
]
depends_on = [azurerm_resource_group.test]
}在项目中创建aks_nsg_name.sh并添加以下内容:
#!/bin/bash
OUTPUT=$(az network nsg list --query [].name -o tsv | grep aks-agentpool | head -n 1)
jq -n --arg output "$OUTPUT" '{"output":$output}'Stack Overflow用户
发布于 2018-12-04 10:23:38
您的AKC是添加到一个azurerm_resource_group中的,我想您使用Terraform提供了它。如果是这样的话,您可以将具有任意数量的azurerm_network_security_group的自定义azurerm_network_security_rule添加到该资源组中,如详见。
示例:
resource "azurerm_resource_group" "test" {
name = "acceptanceTestResourceGroup1"
location = "West US"
}
resource "azurerm_network_security_group" "test" {
name = "acceptanceTestSecurityGroup1"
location = "${azurerm_resource_group.test.location}"
resource_group_name = "${azurerm_resource_group.test.name}"
}
resource "azurerm_network_security_rule" "test" {
name = "test123"
priority = 100
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = "${azurerm_resource_group.test.name}"
network_security_group_name = "${azurerm_network_security_group.test.name}"
}不幸的是,网络安全组数据源需要name参数,通配符似乎不受支持,否则也会是一个选项。
https://stackoverflow.com/questions/53601223
复制相似问题
腾讯云开发者
