Add Terraform configurations for EKS pod security group setup and related resources

Author: VardyNg

KaaS/Elastic Kubernetes Service(EKS)/Terraform/github-arc/variable.tf

@@ -1,11 +1,11 @@
 variable "region" {
   type    = string
-  default = "us-west-2"
+  default = "us-east-1"
 }
 
 variable "eks_version" {
   type    = string
-  default = "1.31"
+  default = "1.34"
 }
 
 variable "tags" {

KaaS/Elastic Kubernetes Service(EKS)/Terraform/pod-security-group/README.md

@@ -0,0 +1,7 @@
+## Tesdting Pod Security Group with EKS Cluster
+
+### How to test
+- kubectl exec into one of the pods in the Deployment "my-deployment"
+- run `curl my-app` to test connectivity to the Service
+- provision and deprovision the `aws_security_group_rule.allow_dns_from_pod_sg` and `aws_security_group_rule.allow_dns_tcp_from_pod_sg` resources in to see the effect on DNS resolution from the pod with custom security group.
+

KaaS/Elastic Kubernetes Service(EKS)/Terraform/pod-security-group/data.tf

@@ -0,0 +1,22 @@
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_availability_zones" "available" {}
+data "aws_eks_cluster_auth" "this" {
+  name = module.eks.cluster_name
+}
+
+resource "random_id" "random_string" {
+  byte_length = 2
+}
+
+locals {
+  name   = lower("${basename(path.cwd)}-${substr(base64encode(random_id.random_string.b64_url), 0, 3)}")
+  region = var.region
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  tags = {
+    project = local.name
+  }
+}

KaaS/Elastic Kubernetes Service(EKS)/Terraform/pod-security-group/eks.tf

@@ -0,0 +1,71 @@
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "21.4.0"
+
+  name                    = local.name
+  kubernetes_version      = var.eks_version
+  endpoint_public_access  = true
+  endpoint_private_access = true
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  enable_irsa = true
+
+  access_entries = {
+    # Admin access entry
+    admin = {
+      kubernetes_groups = []
+      principal_arn     = data.aws_caller_identity.current.arn
+
+      policy_associations = {
+        admin = {
+          policy_arn = "arn:${data.aws_partition.current.partition}:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+          access_scope = {
+            type = "cluster"
+          }
+        }
+      }
+    }
+  }
+
+	eks_managed_node_groups = {
+    default = {
+      instance_types = ["m5.large"]
+
+      amiType      = "AL2_x86_64"
+      min_size     = 1
+      max_size     = 1
+      desired_size = 1
+    }
+  }
+
+	addons = {
+		coredns = {
+			most_recent = true
+		}
+		metrics-server = {
+			most_recent = true
+		}
+		kube-proxy = {
+			most_recent = true
+		}
+		vpc-cni = {
+			most_recent = true
+			configuration_values = jsonencode({
+				env = {
+					ENABLE_POD_ENI = "true"
+					NETWORK_POLICY_ENFORCING_MODE = "strict"
+				}
+			})
+		}
+  }
+
+  tags = var.tags
+}
+
+# Attach AmazonEKSVPCResourceController policy to the EKS cluster service role
+resource "aws_iam_role_policy_attachment" "eks_vpc_resource_controller" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+  role       = module.eks.cluster_iam_role_name
+}

KaaS/Elastic Kubernetes Service(EKS)/Terraform/pod-security-group/k8s.tf

@@ -0,0 +1,69 @@
+resource "kubernetes_namespace" "default" {
+	metadata {
+		name = local.name
+	}
+}
+
+resource "kubernetes_deployment" "my_deployment" {
+	metadata {
+		name      = "my-deployment"
+		namespace = kubernetes_namespace.default.metadata[0].name
+		labels = {
+			app = "my-app"
+		}
+	}
+
+	spec {
+		replicas = 4
+
+		selector {
+			match_labels = {
+				app = "my-app"
+			}
+		}
+
+		template {
+			metadata {
+				labels = {
+					app  = "my-app"
+					role = "my-role"
+				}
+			}
+
+			spec {
+				termination_grace_period_seconds = 120
+
+				container {
+					name  = "nginx"
+					image = "public.ecr.aws/nginx/nginx:1.23"
+
+					port {
+						container_port = 80
+					}
+				}
+			}
+		}
+	}
+}
+
+resource "kubernetes_service" "my_app" {
+	metadata {
+		name      = "my-app"
+		namespace = kubernetes_namespace.default.metadata[0].name
+		labels = {
+			app = "my-app"
+		}
+	}
+
+	spec {
+		selector = {
+			app = "my-app"
+		}
+
+		port {
+			protocol    = "TCP"
+			port        = 80
+			target_port = 80
+		}
+	}
+}

KaaS/Elastic Kubernetes Service(EKS)/Terraform/pod-security-group/output.tf

@@ -0,0 +1,9 @@
+output "configure_kubectl" {
+  description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+  value       = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}"
+}
+
+output "pod_security_group_id" {
+	description = "The Security Group ID assigned to pods via the SecurityGroupPolicy"
+	value       = kubernetes_manifest.security_group_policy.manifest["spec"]["securityGroups"]["groupIds"][0]
+}

KaaS/Elastic Kubernetes Service(EKS)/Terraform/pod-security-group/security-group.tf

@@ -0,0 +1,158 @@
+resource "kubernetes_manifest" "security_group_policy" {
+	manifest = {
+		apiVersion = "vpcresources.k8s.aws/v1beta1"
+		kind       = "SecurityGroupPolicy"
+		metadata = {
+			name      = "my-security-group-policy"
+			namespace = kubernetes_namespace.default.metadata[0].name
+		}
+		spec = {
+			podSelector = {
+				matchLabels = {
+					role = "my-role"
+				}
+			}
+			securityGroups = {
+				groupIds = [
+					aws_security_group.allow_all.id,
+				]
+			}
+		}
+	}
+}
+
+resource "aws_security_group" "allow_all" {
+	name        = "allow_all_pods"
+	description = "Allow all inbound and outbound traffic"
+	vpc_id      = module.vpc.vpc_id
+
+	# Allow inbound from CoreDNS and other pods using same SG
+  ingress {
+    description = "HTTP from within VPC"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = [module.vpc.vpc_cidr_block]
+  }
+
+  # Allow kubelet probes (e.g., health checks)
+  ingress {
+    description = "Allow kubelet probes from node SG"
+    from_port   = 10250
+    to_port     = 10250
+    protocol    = "tcp"
+    security_groups = [module.eks.node_security_group_id] # node SG id
+  }
+
+  # Allow pod-to-pod communication within the same security group
+  ingress {
+    description = "Allow pod-to-pod communication"
+    from_port   = 0
+    to_port     = 65535
+    protocol    = "tcp"
+    self        = true
+  }
+
+  # Allow DNS queries to CoreDNS (UDP) - to node security group
+	egress {
+    description = "Allow DNS UDP to CoreDNS on nodes"
+    from_port   = 53
+    to_port     = 53
+    protocol    = "udp"
+    security_groups = [module.eks.node_security_group_id]
+  }
+
+  # Allow DNS queries to CoreDNS (TCP) - to node security group
+  egress {
+    description = "Allow DNS TCP to CoreDNS on nodes"
+    from_port   = 53
+    to_port     = 53
+    protocol    = "tcp"
+    security_groups = [module.eks.node_security_group_id]
+  }
+
+  # Also allow DNS to VPC CIDR as fallback
+  egress {
+    description = "Allow DNS UDP to VPC CIDR"
+    from_port   = 53
+    to_port     = 53
+    protocol    = "udp"
+    cidr_blocks = [module.vpc.vpc_cidr_block]
+  }
+
+  egress {
+    description = "Allow DNS TCP to VPC CIDR"
+    from_port   = 53
+    to_port     = 53
+    protocol    = "tcp"
+    cidr_blocks = [module.vpc.vpc_cidr_block]
+  }
+
+  # Allow HTTPS outbound (for pulling images, etc.)
+  egress {
+    description = "Allow HTTPS outbound"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # Allow HTTP outbound
+  egress {
+    description = "Allow HTTP outbound"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # Allow pod-to-pod communication within the same security group
+  egress {
+    description = "Allow pod-to-pod communication"
+    from_port   = 0
+    to_port     = 65535
+    protocol    = "tcp"
+    self        = true
+  }
+
+  # Allow communication to cluster security group (for API server access)
+  egress {
+    description = "Allow communication to EKS cluster"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    security_groups = [module.eks.cluster_security_group_id]
+  }
+
+  # Allow communication to node security group for service discovery
+  egress {
+    description = "Allow communication to nodes"
+    from_port   = 0
+    to_port     = 65535
+    protocol    = "tcp"
+    security_groups = [module.eks.node_security_group_id]
+  }
+
+  tags = var.tags
+}
+
+# Add rule to node security group to allow DNS from pod security group
+resource "aws_security_group_rule" "allow_dns_from_pod_sg" {
+  type                     = "ingress"
+  from_port                = 53
+  to_port                  = 53
+  protocol                 = "udp"
+  source_security_group_id = aws_security_group.allow_all.id
+  security_group_id        = module.eks.node_security_group_id
+  description              = "Allow DNS UDP from pod security group"
+}
+
+resource "aws_security_group_rule" "allow_dns_tcp_from_pod_sg" {
+  type                     = "ingress"
+  from_port                = 53
+  to_port                  = 53
+  protocol                 = "tcp"
+  source_security_group_id = aws_security_group.allow_all.id
+  security_group_id        = module.eks.node_security_group_id
+  description              = "Allow DNS TCP from pod security group"
+}