aula-06 e aula-08: Hetzner CSI Driver e segurança de rede

aula-06: - Adicionar instalação do Hetzner CSI Driver no setup.sh - Input interativo seguro para token da Hetzner Cloud - Atualizar custom-values.yaml para n8n.kube.quest aula-08: - Adicionar regras de firewall para VXLAN e rede privada - Configurar Flannel para usar interface privada (--iface-can-reach) - Configurar kubelet.nodeIP.validSubnets para rede privada - Corrigir segurança: VXLAN restrito a 10.0.0.0/8
2025-12-27 22:56:09 -03:00
parent 6db8ca3189
commit 50dc74c1d8
5 changed files with 110 additions and 8 deletions
--- a/aula-08/main.tf
+++ b/aula-08/main.tf
@@ -130,6 +130,30 @@ resource "hcloud_firewall" "cluster" {
    source_ips = ["0.0.0.0/0", "::/0"]
  }

+  # Allow VXLAN for Flannel CNI (private network only - secure)
+  rule {
+    direction  = "in"
+    protocol   = "udp"
+    port       = "4789"
+    source_ips = ["10.0.0.0/8"]
+  }
+
+  # Allow all TCP traffic between cluster nodes (private network)
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "any"
+    source_ips = ["10.0.0.0/8"]
+  }
+
+  # Allow all UDP traffic between cluster nodes (private network)
+  rule {
+    direction  = "in"
+    protocol   = "udp"
+    port       = "any"
+    source_ips = ["10.0.0.0/8"]
+  }
+
  # Allow all outbound traffic
  rule {
    direction  = "out"
--- a/aula-08/talos-patches/control-plane.yaml
+++ b/aula-08/talos-patches/control-plane.yaml
@@ -29,6 +29,10 @@ machine:
      max-pods: "110"
      kube-reserved: "cpu=200m,memory=300Mi"
      system-reserved: "cpu=200m,memory=200Mi"
+    # Force kubelet to use private network IP
+    nodeIP:
+      validSubnets:
+        - 10.0.0.0/8

  # Time sync
  time:
@@ -51,6 +55,9 @@ cluster:
  network:
    cni:
      name: flannel
+      flannel:
+        extraArgs:
+          - --iface-can-reach=10.0.1.1
    dnsDomain: cluster.local
    serviceSubnets:
      - 10.96.0.0/12
--- a/aula-08/talos-patches/worker.yaml
+++ b/aula-08/talos-patches/worker.yaml
@@ -19,6 +19,10 @@ machine:
      max-pods: "110"
      kube-reserved: "cpu=100m,memory=200Mi"
      system-reserved: "cpu=100m,memory=100Mi"
+    # Force kubelet to use private network IP
+    nodeIP:
+      validSubnets:
+        - 10.0.0.0/8

  # Time sync
  time:
@@ -37,6 +41,9 @@ cluster:
  network:
    cni:
      name: flannel
+      flannel:
+        extraArgs:
+          - --iface-can-reach=10.0.1.1
    dnsDomain: cluster.local
    serviceSubnets:
      - 10.96.0.0/12