AKS post-deployment network lockdown

infra/aks-post-deployment/.gitignore

@@ -0,0 +1,2 @@
+*.pyc
+venv/

infra/aks-post-deployment/Pulumi.fridge-lockdown.yaml

@@ -0,0 +1,8 @@
+config:
+  fridge-lockdown:k8s_env: AKS
+  fridge-lockdown:azure_subscription_id: "36cfe11d-bfcd-4dce-9b70-c3905a4f3d01"
+  fridge-lockdown:azure_resource_group: fridge-multiple
+  fridge-lockdown:infrastructure_stack_name: isolated-aks
+  fridge-lockdown:organization_name: organization
+  fridge-lockdown:project_name: fridge_aks
+encryptionsalt: v1:5NbOBexeJpY=:v1:TWfZ8KMtI0Ut+xn9:Ue2E3YE+tGFpwuMZmnHcwhNtghO0LA==

infra/aks-post-deployment/Pulumi.yaml

@@ -0,0 +1,11 @@
+name: fridge-lockdown
+description: Locking down an AKS FRIDGE after deployment
+runtime:
+  name: python
+  options:
+    toolchain: pip
+    virtualenv: venv
+config:
+  pulumi:tags:
+    value:
+      pulumi:template: python

infra/aks-post-deployment/__main__.py

@@ -0,0 +1,85 @@
+import pulumi
+from pulumi_azure_native import network
+
+config = pulumi.Config()
+organization = config.require("organization_name")
+project_name = config.require("project_name")
+stack = config.require("infrastructure_stack_name")
+
+infrastructure_stack_reference = pulumi.StackReference(
+    f"{organization}/{project_name}/{stack}"
+)
+
+access_nodes_subnet_cidr = infrastructure_stack_reference.get_output(
+    "access_nodes_subnet_cidr"
+)
+access_subnet_nsg = infrastructure_stack_reference.get_output("access_subnet_nsg")
+isolated_kubeconfig = infrastructure_stack_reference.get_output("isolated_kubeconfig")
+isolated_nodes_subnet_cidr = infrastructure_stack_reference.get_output(
+    "isolated_nodes_subnet_cidr"
+)
+isolated_subnet_nsg = infrastructure_stack_reference.get_output("isolated_subnet_nsg")
+
+
+def create_nsg_lockdown(nsg_info):
+    return network.NetworkSecurityGroup(
+        "isolated-subnet-nsg-lockdown",
+        resource_group_name=config.require("azure_resource_group"),
+        location="uksouth",
+        network_security_group_name=nsg_info["name"],
+        security_rules=[
+            network.SecurityRuleArgs(
+                name="AllowFridgeAPIFromAccessInBound",
+                priority=100,
+                direction=network.SecurityRuleDirection.INBOUND,
+                access=network.SecurityRuleAccess.ALLOW,
+                protocol=network.SecurityRuleProtocol.TCP,
+                source_port_range="*",
+                destination_port_range="443",
+                source_address_prefix=access_nodes_subnet_cidr,
+                destination_address_prefix="*",
+                description="Allow FRIDGE API access from access cluster API Proxy",
+            ),
+            network.SecurityRuleArgs(
+                name="DenyAccessVNetInBound",
+                priority=2000,
+                direction=network.SecurityRuleDirection.INBOUND,
+                access=network.SecurityRuleAccess.DENY,
+                protocol=network.SecurityRuleProtocol.ASTERISK,
+                source_port_range="*",
+                destination_port_range="*",
+                source_address_prefix="10.10.0.0/16",
+                destination_address_prefix="*",
+                description="Deny all other traffic from access cluster VNet",
+            ),
+            # OUTBOUND RULES
+            # Deny all other outbound to access cluster
+            network.SecurityRuleArgs(
+                name="AllowHarborOutBound",
+                priority=100,
+                direction=network.SecurityRuleDirection.OUTBOUND,
+                access=network.SecurityRuleAccess.ALLOW,
+                protocol=network.SecurityRuleProtocol.TCP,
+                source_port_range="*",
+                destination_port_range="8080",
+                source_address_prefix=isolated_nodes_subnet_cidr,
+                destination_address_prefix="10.10.50.50/32",
+            ),
+            network.SecurityRuleArgs(
+                name="DenyAccessClusterOutBound",
+                priority=4000,
+                direction=network.SecurityRuleDirection.OUTBOUND,
+                access=network.SecurityRuleAccess.DENY,
+                protocol=network.SecurityRuleProtocol.ASTERISK,
+                source_port_range="*",
+                destination_port_range="*",
+                source_address_prefix="*",
+                destination_address_prefix="10.10.0.0/16",
+                description="Deny all other outbound to access cluster",
+            ),
+        ],
+        opts=pulumi.ResourceOptions(import_=nsg_info["id"]),
+    )
+
+
+isolated_subnet_nsg_lockdown = isolated_subnet_nsg.apply(create_nsg_lockdown)

infra/aks-post-deployment/requirements.txt

@@ -0,0 +1,2 @@
+pulumi>=3.0.0,<4.0.0
+pulumi_azure_native~=3.0.0

infra/aks/__main__.py

@@ -183,5 +183,10 @@ def get_kubeconfig(
 isolated_kubeconfig = isolated_admin_credentials.kubeconfigs.apply(get_kubeconfig)
 access_kubeconfig = access_admin_credentials.kubeconfigs.apply(get_kubeconfig)
 
-pulumi.export("isolated_kubeconfig", isolated_kubeconfig)
 pulumi.export("access_kubeconfig", access_kubeconfig)
+pulumi.export("access_nodes_subnet_cidr", networking.access_nodes.address_prefix)
+pulumi.export("access_subnet_nsg", networking.access_nsg)
+pulumi.export("isolated_cluster_api_server_fqdn", isolated_cluster.fqdn)
+pulumi.export("isolated_kubeconfig", isolated_kubeconfig)
+pulumi.export("isolated_nodes_subnet_cidr", networking.isolated_nodes.address_prefix)
+pulumi.export("isolated_subnet_nsg", networking.isolated_nsg)

infra/aks/components/isolated_cluster.py

@@ -140,4 +140,5 @@ def __init__(
 
         self.name = self.isolated_cluster.name
         self.private_fqdn = self.isolated_cluster.private_fqdn
+        self.fqdn = self.isolated_cluster.fqdn
         self.register_outputs({"isolated_cluster": self.isolated_cluster})

infra/aks/components/networking.py

@@ -121,7 +121,7 @@ def __init__(
                     protocol=network.SecurityRuleProtocol.ASTERISK,
                     source_port_range="*",
                     destination_port_range="*",
-                    source_address_prefix=args.config.require("Isolated_vnet_cidr"),
+                    source_address_prefix=args.config.require("isolated_vnet_cidr"),
                     destination_address_prefix="*",
                     description="Deny all other inbound from Isolated cluster",
                 ),
@@ -157,7 +157,7 @@ def __init__(
                     destination_port_range="*",
                     source_address_prefix="*",
                     destination_address_prefix=args.config.require(
-                        "Isolated_vnet_cidr"
+                        "isolated_vnet_cidr"
                     ),
                     description="Deny all other outbound to Isolated cluster",
                 ),
@@ -203,7 +203,7 @@ def __init__(
             f"{name}-isolated-nodes",
             resource_group_name=args.resource_group_name,
             virtual_network_name=self.isolated_vnet.name,
-            address_prefix=args.config.require("Isolated_nodes_subnet_cidr"),
+            address_prefix=args.config.require("isolated_nodes_subnet_cidr"),
             network_security_group=network.NetworkSecurityGroupArgs(
                 id=self.isolated_nsg.id
             ),