4 changes: 4 additions & 0 deletions examples/network/vars-network.auto.tfvars
Expand Up @@ -99,3 +99,7 @@ nat_gateway_route_rules = [
# description = "Terraformed - User added Routing Rule: To drg provided to this module. drg_id, if available, is automatically retrieved with keyword drg"
# },
]

# Experimental
use_stateless_rules = true # Use stateless rules for security lists and network security groups instead of the default stateful rules.
# Note that the egress rule to 0.0.0.0/0 from pods and workers will be statefull independent of this setting because of security concerns.
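Review bot: The trailing comment on the new `use_stateless_rules` entry spells `statefull`; it should be `stateful`. It would also help operators to say that the flag swaps the whole NSG rule set rather than only flipping an attribute, since the module files in this change select between separate `*_stateless_rules` and `*_stateful_rules` maps, e.g. `# Selects the *_stateless_rules maps in modules/network instead of the stateful ones; the egress rule to 0.0.0.0/0 from pods and workers stays stateful regardless.`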
1 change: 1 addition & 0 deletions module-network.tf
Expand Up @@ -152,6 +152,7 @@ module "network" {
nat_gateway_id = local.nat_gateway_id
nat_route_table_id = local.nat_route_table_id
subnets = var.subnets
use_stateless_rules = var.use_stateless_rules
vcn_cidrs = local.vcn_cidrs
vcn_ipv6_cidr = local.vcn_ipv6_cidr
vcn_id = local.vcn_id
51 changes: 49 additions & 2 deletions modules/network/nsg-bastion.tf
Expand Up @@ -14,7 +14,9 @@ locals {
])
# Return provided NSG when configured with an existing ID or created resource ID
bastion_nsg_id = one(compact([try(var.nsgs.bastion.id, null), one(oci_core_network_security_group.bastion[*].id)]))
bastion_rules = local.bastion_nsg_enabled ? merge(
bastion_rules = local.bastion_nsg_enabled ? ( var.use_stateless_rules ? local.bastion_stateless_rules: local.bastion_stateful_rules ) : {}

bastion_stateful_rules = merge(
{ for cidr in var.bastion_allowed_cidrs :
"Allow SSH ingress to bastion from ${cidr}" => {
protocol = local.tcp_protocol, port = local.ssh_port, source = cidr, source_type = local.rule_type_cidr,
Expand All @@ -40,7 +42,52 @@ locals {
protocol = local.tcp_protocol, port = local.apiserver_port, destination = local.control_plane_nsg_id, destination_type = local.rule_type_nsg,
},
} : {},
) : {}
)

bastion_stateless_rules = merge(
Bastion and operator are used for admin/troubleshooting purposes. I don't see the need to make their rules stateless.

{ for cidr in var.bastion_allowed_cidrs :
"Allow SSH ingress to bastion from ${cidr}" => {
protocol = local.tcp_protocol, destination_port_min = local.ssh_port, destination_port_max = local.ssh_port, source = cidr, source_type = local.rule_type_cidr, stateless = true
}
},
{ for cidr in var.bastion_allowed_cidrs :
"Allow SSH egress from bastion to ${cidr}" => {
protocol = local.tcp_protocol, source_port_min = local.ssh_port, source_port_max = local.ssh_port, destination = cidr, destination_type = local.rule_type_cidr, stateless = true
}
},
{
"Allow TCP egress from bastion to OCI services" : {
protocol = local.all_protocols, port = local.all_ports, destination = local.osn, destination_type = local.rule_type_service, stateless = true
},
"Allow TCP ingress to bastion from OCI services" : {
protocol = local.all_protocols, port = local.all_ports, source = local.osn, source_type = local.rule_type_service, stateless = true
},
},
local.operator_nsg_enabled ? {
"Allow SSH egress from bastion to operator" = {
protocol = local.tcp_protocol, destination_port_min = local.ssh_port, destination_port_max = local.ssh_port, destination = local.operator_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},
"Allow ingress to bastion from operator SSH" = {
protocol = local.tcp_protocol, source_port_min = local.ssh_port, source_port_max = local.ssh_port, source = local.operator_nsg_id, source_type = local.rule_type_nsg, stateless = true
},
} : {},
var.allow_worker_ssh_access && local.worker_nsg_enabled ? {
"Allow SSH egress from bastion to workers" = {
protocol = local.tcp_protocol, destination_port_min = local.ssh_port, destination_port_max = local.ssh_port, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},
"Allow ingress to bastion from workers SSH" = {
protocol = local.tcp_protocol, source_port_min = local.ssh_port, source_port_max= local.ssh_port , source = local.worker_nsg_id, source_type = local.rule_type_nsg, stateless = true
},
} : {},
(var.allow_bastion_cluster_access && local.control_plane_nsg_enabled) ? {
"Allow TCP egress from bastion to cluster endpoint" = {
protocol = local.tcp_protocol, destination_port_min = local.apiserver_port, destination_port_max = local.apiserver_port, destination = local.control_plane_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},
"Allow TCP ingress to bastion from cluster endpoint" = {
protocol = local.tcp_protocol, source_port_min = local.apiserver_port, source_port_max = local.apiserver_port, source = local.control_plane_nsg_id, source_type = local.rule_type_nsg, stateless = true
}
} : {},
)
}

resource "oci_core_network_security_group" "bastion" {
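Review bot: The two OCI-services rules at the top of `bastion_stateless_rules` (keys "Allow TCP egress from bastion to OCI services" and "Allow TCP ingress to bastion from OCI services") use `protocol = local.all_protocols` together with `port = local.all_ports` while the key still says TCP, which is wider than the stateful rule for the same service in nsg-controlplane.tf, where `protocol = local.tcp_protocol` is used. If a stateless TCP pair is the intent, use `protocol = local.tcp_protocol` in both entries and keep the labels; if all protocols is deliberate, rename the keys so the description matches what is deployed. The same pair appears in `control_plane_stateless_rules` in modules/network/nsg-controlplane.tf. The `locals` block starts above this hunk, and whether the rule resource reads the new `stateless = true` attribute is not visible here.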
82 changes: 80 additions & 2 deletions modules/network/nsg-controlplane.tf
Expand Up @@ -14,7 +14,9 @@ locals {
])
# Return provided NSG when configured with an existing ID or created resource ID
control_plane_nsg_id = one(compact([try(var.nsgs.cp.id, null), one(oci_core_network_security_group.cp[*].id)]))
control_plane_rules = local.control_plane_nsg_enabled ? merge(
control_plane_rules = local.control_plane_nsg_enabled ? ( var.use_stateless_rules ? local.control_plane_stateless_rules: local.control_plane_stateful_rules ) : {}

control_plane_stateful_rules= merge(
{
"Allow TCP egress from OKE control plane to OCI services" : {
protocol = local.tcp_protocol, port = local.all_ports, destination = local.osn, destination_type = local.rule_type_service,
Expand Down Expand Up @@ -83,7 +85,83 @@ locals {
}
},
var.allow_rules_cp
) : {}
)

control_plane_stateless_rules= merge(
{
"Allow TCP egress from OKE control plane to OCI services" : {
protocol = local.all_protocols, port = local.all_ports, destination = local.osn, destination_type = local.rule_type_service, stateless = true
},
"Allow TCP ingress to OKE control plane from OCI services" : {
protocol = local.all_protocols, port = local.all_ports, source = local.osn, source_type = local.rule_type_service, stateless = true
},

"Allow TCP ingress to OKE control plane from worker nodes" : {
protocol = local.tcp_protocol, port = local.all_ports, source = local.worker_nsg_id, source_type = local.rule_type_nsg, stateless = true
},
"Allow TCP egress from OKE control plane to Kubelet on worker nodes" : {
protocol = local.tcp_protocol, port = local.all_ports, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},

"Allow TCP ingress for Kubernetes control plane inter-communication" : {
protocol = local.tcp_protocol, destination_port_min = local.apiserver_port, destination_port_max = local.apiserver_port, source = local.control_plane_nsg_id, source_type = local.rule_type_nsg, stateless = true
},
"Allow TCP egress for Kubernetes control plane inter-communication" : {
protocol = local.tcp_protocol, source_port_min = local.apiserver_port, source_port_max = local.apiserver_port, destination = local.control_plane_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},

"Allow ICMP egress for path discovery to worker nodes" : {
protocol = local.icmp_protocol, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
},
"Allow ICMP ingress for path discovery from worker nodes" : {
protocol = local.icmp_protocol, source = local.worker_nsg_id, source_type = local.rule_type_nsg,
},
},
var.enable_ipv6 ? {
"Allow ICMPv6 egress for path discovery to worker nodes" : {
protocol = local.icmpv6_protocol, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
},
"Allow ICMPv6 ingress for path discovery from worker nodes" : {
protocol = local.icmpv6_protocol, source = local.worker_nsg_id, source_type = local.rule_type_nsg,
},
} : {},
local.operator_nsg_enabled ? {
as above, operator is for troubleshooting. do we really need this rule to be stateless? maybe for the bastion and operator, just create them separately?

"Allow TCP ingress to kube-apiserver from operator instance" : {
protocol = local.tcp_protocol, destination_port_min = local.apiserver_port, destination_port_max = local.apiserver_port, source = local.operator_nsg_id, source_type = local.rule_type_nsg, stateless = true
},
"Allow TCP egress from kube-apiserver to operator instance" : {
protocol = local.tcp_protocol, source_port_min = local.apiserver_port, source_port_max = local.apiserver_port, source = local.operator_nsg_id, source_type = local.rule_type_nsg, stateless = true
},
} : {},
local.pod_nsg_enabled ? {
"Allow TCP ingress to OKE control plane from pods" : {
protocol = local.tcp_protocol, port = local.all_ports, source = local.pod_nsg_id, source_type = local.rule_type_nsg, stateless = true
}
"Allow TCP egress from OKE control plane to pods" : {
protocol = local.tcp_protocol, port = local.all_ports, destination = local.pod_nsg_id, destination_type = local.rule_type_nsg, stateless = true
}
} : {},
(var.allow_bastion_cluster_access && local.bastion_nsg_enabled) ? {
"Allow TCP ingress to kube-apiserver from bastion host" = {
protocol = local.tcp_protocol, destination_port_min = local.apiserver_port, destination_port_max = local.apiserver_port, source = local.bastion_nsg_id, source_type = local.rule_type_nsg, stateless = true
},
"Allow TCP egress from kube-apiserver to bastion host" = {
protocol = local.tcp_protocol, source_port_min = local.apiserver_port, source_port_max = local.apiserver_port, destination = local.bastion_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},
} : {},

{ for allowed_cidr in var.control_plane_allowed_cidrs :
"Allow TCP ingress to kube-apiserver from ${allowed_cidr}" => {
protocol = local.tcp_protocol, destination_port_min = local.apiserver_port, destination_port_max = local.apiserver_port, source = allowed_cidr, source_type = local.rule_type_cidr, stateless = true
}
},
{ for allowed_cidr in var.control_plane_allowed_cidrs :
"Allow TCP egress from kube-apiserver to ${allowed_cidr}" => {
protocol = local.tcp_protocol, source_port_min = local.apiserver_port, source_port_max = local.apiserver_port, destination = allowed_cidr, destination_type = local.rule_type_cidr, stateless = true
}
},
var.allow_rules_cp
)
}

resource "oci_core_network_security_group" "cp" {
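Review bot: "Allow TCP egress from kube-apiserver to operator instance" in `control_plane_stateless_rules` is written with `source = local.operator_nsg_id, source_type = local.rule_type_nsg`, so an egress rule names no destination; the bastion equivalent a few lines below uses `destination`/`destination_type`, and this entry should read `protocol = local.tcp_protocol, source_port_min = local.apiserver_port, source_port_max = local.apiserver_port, destination = local.operator_nsg_id, destination_type = local.rule_type_nsg, stateless = true`. Separately, the ICMP and ICMPv6 path-discovery rules in the same map carry no `stateless = true`, so they stay stateful even when use_stateless_rules is set; if that is intended, a comment such as `# ICMP path-discovery rules intentionally remain stateful` above them would save the next reader from guessing. The `locals` block starts above the hunk and the hunk's first lines belong to the stateful map.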
38 changes: 36 additions & 2 deletions modules/network/nsg-fss.tf
Expand Up @@ -14,7 +14,9 @@ locals {
])
# Return provided NSG when configured with an existing ID or created resource ID
fss_nsg_id = one(compact([try(var.nsgs.fss.id, null), one(oci_core_network_security_group.fss[*].id)]))
fss_rules = local.fss_nsg_enabled ? {
fss_rules = local.fss_nsg_enabled ? ( var.use_stateless_rules ? local.fss_stateless_rules: local.fss_stateful_rules ) : {}

fss_stateful_rules = {
# See https://docs.oracle.com/en-us/iaas/Content/File/Tasks/securitylistsfilestorage.htm
# Ingress
"Allow UDP ingress for NFS portmapper from workers" : {
Expand All @@ -40,7 +42,39 @@ locals {
"Allow TCP egress for NFS to the workers" : {
protocol = local.tcp_protocol, source_port_min = local.fss_nfs_port_min, source_port_max = local.fss_nfs_port_max, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
},
} : {}
}

fss_stateless_rules = {
# See https://docs.oracle.com/en-us/iaas/Content/File/Tasks/securitylistsfilestorage.htm
# Ingress
"Allow UDP ingress for NFS portmapper from workers" : {
protocol = local.udp_protocol, destination_port_min = local.fss_nfs_portmapper_port, destination_port_max = local.fss_nfs_portmapper_port, source = local.worker_nsg_id, source_type = local.rule_type_nsg, stateless = true
},
"Allow UDP egress for NFS portmapper to workers" : {
protocol = local.udp_protocol, source_port_min = local.fss_nfs_portmapper_port, source_port_max = local.fss_nfs_portmapper_port, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},

"Allow TCP ingress for NFS portmapper from workers" : {
protocol = local.tcp_protocol, destination_port_min = local.fss_nfs_portmapper_port, destination_port_max = local.fss_nfs_portmapper_port, source = local.worker_nsg_id, source_type = local.rule_type_nsg, stateless = true
},
"Allow TCP egress for NFS portmapper to workers" : {
protocol = local.tcp_protocol, source_port_min = local.fss_nfs_portmapper_port, source_port_max = local.fss_nfs_portmapper_port, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},

"Allow UDP ingress for NFS from workers" : {
protocol = local.udp_protocol, destination_port_min = local.fss_nfs_port_min, destination_port_max = local.fss_nfs_port_min, source = local.worker_nsg_id, source_type = local.rule_type_nsg, stateless = true
},
"Allow UDP egress for NFS to workers" : {
protocol = local.udp_protocol, source_port_min = local.fss_nfs_port_min, source_port_max = local.fss_nfs_port_min, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},

"Allow TCP ingress for NFS from workers" : {
protocol = local.tcp_protocol, destination_port_min = local.fss_nfs_port_min, destination_port_max = local.fss_nfs_port_max, source = local.worker_nsg_id, source_type = local.rule_type_nsg, stateless = true
},
"Allow TCP egress for NFS to workers" : {
protocol = local.tcp_protocol, source_port_min = local.fss_nfs_port_min, source_port_max = local.fss_nfs_port_max, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},
}
}

resource "oci_core_network_security_group" "fss" {
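Review bot: The UDP NFS pair in `fss_stateless_rules` bounds its port range with `local.fss_nfs_port_min` on both ends (`destination_port_max = local.fss_nfs_port_min` and `source_port_max = local.fss_nfs_port_min`), while the TCP pair directly below spans `fss_nfs_port_min` to `fss_nfs_port_max`; this reads like a copy-paste slip even if it is deliberate. If UDP NFS is meant to be a single port, a one-line comment above the two rules stating that would remove the doubt; otherwise use `local.fss_nfs_port_max` as in the TCP entries. The `locals` block starts above the hunk.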
41 changes: 39 additions & 2 deletions modules/network/nsg-loadbalancers-int.tf
Expand Up @@ -14,7 +14,8 @@ locals {
])
# Return provided NSG when configured with an existing ID or created resource ID
int_lb_nsg_id = one(compact([try(var.nsgs.int_lb.id, null), one(oci_core_network_security_group.int_lb[*].id)]))
int_lb_rules = local.int_lb_nsg_enabled ? merge(
int_lb_rules = local.int_lb_nsg_enabled ? ( var.use_stateless_rules ? local.int_lb_stateless_rules: local.int_lb_stateful_rules ) : {}
int_lb_stateful_rules = merge(
{
"Allow TCP egress from internal load balancers to workers for Node Ports" : {
protocol = local.tcp_protocol, port_min = local.node_port_min, port_max = local.node_port_max, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
Expand All @@ -36,7 +37,43 @@ locals {
} : {},
var.enable_waf ? local.waf_rules : {},
var.allow_rules_internal_lb,
) : {}
)

int_lb_stateless_rules = merge(
{
"Allow TCP egress from internal load balancers to workers for Node Ports" : {
protocol = local.tcp_protocol, destination_port_min = local.node_port_min, destination_port_max = local.node_port_max, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},
"Allow TCP ingress to internal load balancers from workers for Node Ports" : {
protocol = local.tcp_protocol, source_port_min = local.node_port_min, source_port_max = local.node_port_max, source = local.worker_nsg_id, source_type = local.rule_type_nsg, stateless = true
},

"Allow UDP egress from internal load balancers to workers for Node Ports" : {
protocol = local.udp_protocol, destination_port_min = local.node_port_min, destination_port_max = local.node_port_max, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},
"Allow UDP ingress to internal load balancers from workers for Node Ports" : {
protocol = local.udp_protocol, source_port_min = local.node_port_min, source_port_max = local.node_port_max, source = local.worker_nsg_id, source_type = local.rule_type_nsg, stateless = true
},

"Allow TCP egress from internal load balancers to workers for health checks" : {
protocol = local.tcp_protocol, destination_port_min = local.health_check_port, destination_port_max = local.health_check_port, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg, stateless = true
},
"Allow TCP egress to internal load balancers from workers for health checks" : {
protocol = local.tcp_protocol, source_port_min = local.health_check_port, source_port_max = local.health_check_port, source = local.worker_nsg_id, source_type = local.rule_type_nsg, stateless = true
},

"Allow ICMP egress from internal load balancers to worker nodes for path discovery" : {
protocol = local.icmp_protocol, port = local.all_ports, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
},
},
var.enable_ipv6 ? {
"Allow ICMPv6 egress from internal load balancers to worker nodes for path discovery" : {
protocol = local.icmpv6_protocol, port = local.all_ports, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
},
} : {},
var.enable_waf ? local.waf_rules : {},
var.allow_rules_internal_lb,
)
}

resource "oci_core_network_security_group" "int_lb" {
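Review bot: The key `"Allow TCP egress to internal load balancers from workers for health checks"` in `int_lb_stateless_rules` labels an ingress rule (the entry carries `source = local.worker_nsg_id, source_type = local.rule_type_nsg`); since these keys are the readable description of each rule, it should be `"Allow TCP ingress to internal load balancers from workers for health checks"`. `int_lb_stateful_rules = merge(` also follows the `int_lb_rules` line with no blank line, unlike the other files in this change. `var.enable_waf ? local.waf_rules : {}` and `var.allow_rules_internal_lb` are merged unchanged into the stateless set, so presumably those rules keep whatever statefulness they have today under the new flag; a short comment saying so would help. The `locals` block starts above the hunk.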