MKS Cluster Module - Reference Guide
Overview
The MKS (Managed Kubernetes Service) Cluster Module provides a comprehensive solution for deploying and managing Kubernetes clusters in the Samsung Private Cloud (SPC) environment using the Kosmos Provider, conforming to Samsung Security Checklist requirements.
Requirements
Prerequisites
| Name | Version |
|---|---|
| Terraform CLI | >= 1.0 |
| Kosmos CLI | >= 4.3.9 |
| AWS CLI | >= 2.27.58 |
| Kosmos Terraform Provider | >= 0.11 |
| AWS Terraform Provider | >= 5.95 |
Artifacts
Download the Terraform module from the Terraform Artifacts page:
| Artifact | Version |
|---|---|
| MKS (Samsung Private Cloud) Module | v3.3.0 |
Quick Start
```hcl
module "mks_cluster" {
  source = "https://srin-s3-terraform-modules.s3.ap-southeast-1.amazonaws.com/terraform-kosmos-mks-vX.Y.Z.tar.gz"

  fleet_name          = "production-fleet"
  cluster_name        = "prod-mks-cluster"
  kosmos_user         = "admin-user"
  spc_region          = "ap-southeast-1"
  oidc_provider_arn   = "arn:aws:iam::111222333444:oidc-provider/console.kosmos.spcplatform.com/kosmos-oidc"
  public_access_cidrs = ["172.217.160.227/32"]
}
```
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| fleet_name | Target fleet in Kosmos where the cluster will be deployed | string | n/a | yes |
| cluster_name | Name of the MKS cluster | string | n/a | yes |
| oidc_provider_arn | Kosmos OIDC provider ARN for authentication | string | n/a | yes |
| cluster_public_access_cidrs | CIDR blocks allowed to reach the cluster API endpoint when public access is enabled (the examples on this page pass this value as public_access_cidrs) | list(string) | n/a | yes |
| kosmos_user | Kosmos user account for cluster management | string | n/a | yes |
| spc_region | SPC region where the MKS cluster will be created | string | n/a | yes |
| kosmos_tier | Kosmos environment tier (dev, stg, null for prod) | string | null | no |
| vpc_cidr | CIDR block for the VPC | string | "10.0.0.0/16" | no |
| vpc_id | The ID of the VPC to be used for the MKS cluster. | string | null | no |
| enable_nat_gateway | Enable NAT gateway for the VPC | bool | true | no |
| cluster_kubernetes_version | Kubernetes version for the MKS cluster | string | "1.32" | no |
| cluster_public_access | Enable public access to the MKS cluster | bool | true | no |
| external_nat_ip_ids | NAT IP IDs for the MKS cluster | list(string) | [] | no |
| create_vpc | Create a new VPC for the MKS cluster | bool | true | no |
| create_cluster_security_group | Create a new security group for the MKS cluster | bool | true | no |
| create_node_groups_security_group | Create a new security group for the MKS node groups | bool | true | no |
| cluster_security_group_ids | Security group IDs for the MKS cluster (required when create_cluster_security_group = false) | list(string) | [] | no |
| node_groups_security_group_ids | Security group IDs for the MKS node groups (required when create_node_groups_security_group = false) | list(string) | [] | no |
| vpc_endpoint_security_group_ids | The security group IDs to be associated with the VPC endpoints. | list(string) | [] | no |
| cluster_security_group_ingress_rule | Ingress rule for the MKS cluster security group | map(obj) | {} | no |
| node_security_group_ingress_rule | Ingress rule for the MKS node groups security group | map(obj) | {} | no |
| cluster_security_group_egress_rule | Egress rule for the MKS cluster security group | map(obj) | {} | no |
| node_security_group_egress_rule | Egress rule for the MKS node groups security group | map(obj) | {} | no |
| subnet_ids | A list of subnet IDs where the nodes/node groups will be provisioned (required when create_vpc = false) | list(string) | [] | no |
| control_plane_subnet_ids | List of subnet IDs where the MKS cluster control plane will be provisioned. If not provided, the control plane is provisioned in subnet_ids. | list(string) | [] | no |
| node_groups | List of node groups to be created | list(object) | [] | no |
| bastion_public_access_cidrs | CIDR blocks allowed to access the Bastion host | list(string) | ["0.0.0.0/0"] | no |
| bastion_ssh_port | The SSH port for the Bastion host. | number | 4222 | no |
| bastion_instance_type | The instance type of the Bastion host. Find the list of available instance types | string | "g1.small" | no |
| bastion_subnet_id | The ID of the subnet to be used for the Bastion host. | string | null | no |
| bastion_volume_size | The size of the volume for the Bastion host. | number | 30 | no |
| bastion_image_id | The AMI ID of the Bastion host. | string | null | no |
| bastion_state | The state of the Bastion host. | string | "stopped" | no |
| bastion_volume_type | The volume type for the Bastion host. | string | "gp2" | no |
| external_bastion_eip_id | The ID of the Elastic IP to be used for the Bastion host. | string | "eipalloc-abcdefghi123" | no |
| enable_irsa | Create the IAM OIDC provider used by the MKS cluster for IRSA (IAM roles for service accounts) | bool | true | no |
| enabled_vpc_endpoint | List of VPC endpoint services to be enabled | list(string) | ["s3", "ec2", "ecr.api", "ecr.dkr", "eks", "kms", "logs", "elasticloadbalancing", "autoscaling"] | no |
| oidc_provider_audiences | The audiences for the OIDC provider. | list(string) | [] | no |
Examples
Basic Usage
```hcl
module "mks_cluster" {
  source = "https://srin-s3-terraform-modules.s3.ap-southeast-1.amazonaws.com/terraform-kosmos-mks-vX.Y.Z.tar.gz"

  fleet_name          = "production-fleet"
  cluster_name        = "prod-mks-cluster"
  kosmos_user         = "admin-user"
  spc_region          = "ap-southeast-1"
  oidc_provider_arn   = "arn:aws:iam::111222333444:oidc-provider/console.kosmos.spcplatform.com/kosmos-oidc"
  public_access_cidrs = ["172.217.160.227/32"]
}
```
Custom VPC Usage
```hcl
module "mks_cluster" {
  source = "https://srin-s3-terraform-modules.s3.ap-southeast-1.amazonaws.com/terraform-kosmos-mks-vX.Y.Z.tar.gz"

  # Reuse an existing VPC instead of creating one
  create_vpc               = false
  vpc_id                   = "vpc-abcdefghi12345678"
  bastion_subnet_id        = "subnet-abcdefghi12345678"
  subnet_ids               = ["subnet-abcdefghi12345678", "subnet-12345678abcdefghi"]
  control_plane_subnet_ids = ["subnet-abcdefghi12345678", "subnet-12345678abcdefghi"]

  # Reuse existing security groups instead of creating them
  create_cluster_security_group     = false
  create_node_groups_security_group = false
  cluster_security_group_ids        = ["sg-abcdefghi12345678"]
  node_groups_security_group_ids    = ["sg-abcdefghi12345678"]

  fleet_name          = "staging-fleet"
  cluster_name        = "staging-mks-cluster"
  kosmos_user         = "dev-team"
  spc_region          = "ap-southeast-1"
  oidc_provider_arn   = "arn:aws:iam::111222333444:oidc-provider/console.kosmos.spcplatform.com/kosmos-oidc"
  public_access_cidrs = ["172.217.160.227/32"]
}
```
Advanced Configuration
```hcl
module "mks_cluster" {
  source = "https://srin-s3-terraform-modules.s3.ap-southeast-1.amazonaws.com/terraform-kosmos-mks-vX.Y.Z.tar.gz"

  create_vpc               = false
  vpc_id                   = "vpc-abcdefghi12345678"
  bastion_subnet_id        = "subnet-abcdefghi12345678"
  subnet_ids               = ["subnet-abcdefghi12345678", "subnet-12345678abcdefghi"]
  control_plane_subnet_ids = ["subnet-abcdefghi12345678", "subnet-12345678abcdefghi"]

  create_cluster_security_group     = false
  create_node_groups_security_group = false
  cluster_security_group_ids        = ["sg-abcdefghi12345678"]
  node_groups_security_group_ids    = ["sg-abcdefghi12345678"]

  fleet_name          = "staging-fleet"
  cluster_name        = "staging-mks-cluster"
  kosmos_user         = "dev-team"
  spc_region          = "ap-southeast-1"
  oidc_provider_arn   = "arn:aws:iam::111222333444:oidc-provider/console.kosmos.spcplatform.com/kosmos-oidc"
  public_access_cidrs = ["172.217.160.227/32"]

  # Custom node groups
  node_groups = [
    {
      node_group_name        = "nodeGroup1"
      min_size               = 1
      max_size               = 3
      desired_size           = 1
      disk_size              = 30
      instance_type          = "m5.large"
      image_id               = null
      gpu                    = false
      request_spot_instances = false
    }
  ]
}
```
Fully Private Cluster
- Disable the NAT gateway by setting `enable_nat_gateway` to `false`.
- Set up the minimum VPC endpoints required.
- Set up the minimum security group permissions as shown below. When `create_vpc` is set to `true`, the rules are added automatically. When `create_vpc` is set to `false`, you need to define the rules manually. Refer to the created resource.
```hcl
module "mks" {
  source = "https://srin-s3-terraform-modules.s3.ap-southeast-1.amazonaws.com/terraform-kosmos-mks-vX.Y.Z.tar.gz"

  create_vpc           = true
  enable_nat_gateway   = false
  enabled_vpc_endpoint = ["s3", "ec2", "ecr.api", "ecr.dkr", "eks", "kms", "logs", "elasticloadbalancing", "autoscaling"]

  # Additional security group rules
  cluster_security_group_ingress_rule = {}
  cluster_security_group_egress_rule  = {}
  node_security_group_ingress_rule    = {}
  node_security_group_egress_rule     = {}

  # ... other variables
}
```
Semi Private Cluster
- Enable the NAT gateway by setting `enable_nat_gateway` to `true`.
- Define the security group permissions.
- Set up the minimum VPC endpoints required.
```hcl
module "mks" {
  source = "https://srin-s3-terraform-modules.s3.ap-southeast-1.amazonaws.com/terraform-kosmos-mks-vX.Y.Z.tar.gz"

  create_vpc           = true
  enable_nat_gateway   = true
  enabled_vpc_endpoint = ["s3", "ec2", "ecr.api", "ecr.dkr", "eks", "kms", "logs", "elasticloadbalancing", "autoscaling"]

  cluster_security_group_ingress_rule = {}
  cluster_security_group_egress_rule  = {}
  node_security_group_ingress_rule    = {}
  node_security_group_egress_rule = {
    allow_all_https_traffic = {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      description = "Allow all https outbound"
    }
  }

  # ... other variables
}
```
Resources Created
SPC Infrastructure
- VPC: Virtual Private Cloud with custom CIDR
- Subnets: Private and public subnets across availability zones
- Route Tables: Network routing configuration
- Internet Gateway: Internet connectivity for public subnets
- NAT Gateway: Outbound internet access for private subnets
- Security Groups: Network security rules
Cluster Resources
- MKS Cluster: Managed Kubernetes cluster
- Node Groups: Worker node configurations
- IAM Roles: Service accounts and permissions
- IAM Policies: Security and operational policies
Security & Compliance
- KMS Keys: Encryption keys for data protection
- S3 Buckets: Logging and data storage with encryption
- VPC Flow Logs: Network traffic monitoring
- Security Groups: Network access controls
Monitoring & Logging
- CloudWatch Log Groups: Application and system logs
- S3 Bucket: Centralized logging storage
- VPC Flow Logs: Network traffic analysis
Security Features
Built-in Security Compliance
The module implements Samsung Security Checklist requirements:
- Instance Metadata Service: IMDSv2 enforcement
- Network Security: Private API endpoints with controlled public access
- Data Encryption: S3 bucket encryption and KMS key management
- Access Control: IAM roles and policies with least privilege
- Logging: Comprehensive audit and access logging
- Data Retention: Automated lifecycle policies for data management
Security Configurations
```hcl
# Instance Metadata Service (IMDSv2)
metadata_options {
  http_endpoint               = "enabled"
  http_tokens                 = "required"
  http_put_response_hop_limit = 2
}

# Network Security
public_access         = true
public_access_sources = var.public_access_cidrs

# Data Protection
attach_deny_insecure_transport_policy = true

# Required Tags
tags = {
  "SEC_ASSETS_PII"    = "N"
  "SEC_ASSETS_PUBLIC" = "N"
}
```
Samsung Security Checklist
Checklist items the module conforms to:
- EC2
  - Instance Metadata Service
    - Ensure that the vulnerable version of the Instance Metadata Service is not in use (only IMDSv2 should be in use, and if not necessary, the Instance Metadata Service should be disabled).
- EKS
  - Cluster Management
    - Ensure that "Secrets encryption" is turned on.
  - Networking Management
    - Ensure that the API server endpoint access is private and accepts requests only from the EKS VPC.
    - If the value of "API server endpoint access" is "Public", ensure that the required access targets are limited.
  - Logging Management
- S3 Bucket Data Protection
  - In-Transit Encryption
    - Ensure that S3 buckets use an encrypted communication protocol (HTTPS).
- S3 Bucket Management
  - S3 Assets Management (Required Tags)
    - Ensure that the required tags are attached to all S3 buckets.
  - Data Retention Policy
    - Ensure that a lifecycle rule is set on S3 buckets containing confidential/personal information to delete the data periodically.
- Logging Configuration
  - Enabling VPC Flow Logs
    - Ensure that VPC Flow Logs are enabled.
- KMS
  - Key Generation
    - Ensure that keys are dedicated to a single purpose.
  - Key Rotation Configuration
    - Ensure that key rotation is activated.
Checklist items the module does not conform to:
- VPC Configuration
  - Private Subnet Access Control
    - Check whether a NAT gateway is attached to the route tables of the private subnets. The violation is due to the NAT gateway being needed for the EKS cluster to connect to the Kosmos control plane and to pull container images.
- Network ACLs & Security Groups
  - Security Group Management
    - Ensure that the security groups' inbound/outbound rules comply with the following management policy:
      - No policy allowing a wide range of CIDR blocks (exceeding a 24-bit mask)
      - Do not use anywhere outbound (0.0.0.0/0)
      - No policy allowing all ports
  - SG Description Management
    - Ensure that the inbound/outbound rules of the security groups have the mandatory description. The MKS default security group is causing this violation.
- EKS
  - Security Group Management
    - Ensure that the cluster's security groups only allow the communications necessary for the EKS cluster. The MKS default security group is not managed by Terraform.
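The Security Group Management policy above (no CIDR wider than a /24, no 0.0.0.0/0 outbound, no all-ports rules, mandatory descriptions) and the "required access targets are limited" item under Networking Management can both be checked before `terraform apply`. The following is an added example, not code from the MKS module or from the Samsung Security Checklist: a small Python linter over rule maps in the same shape as the module's `*_security_group_ingress_rule` / `*_security_group_egress_rule` inputs, run against the `allow_all_https_traffic` rule from the Semi Private Cluster example and against a constructed rule map. Reading "exceeding 24 bit mask" as "prefix shorter than /24" and treating protocol `-1` or port range 0-65535 as "all ports" are this example's interpretations; the function and constant names are this example's own.

```python
"""Pre-apply checks for the Security Group Management items of the checklist.

Added example, not part of the MKS module. Rule maps mirror the shape of the
module's *_security_group_ingress_rule / *_security_group_egress_rule inputs:
{ name = { from_port, to_port, protocol, cidr_blocks, description } }.
"""
import ipaddress

# Interpretation of "exceeding 24 bit mask": prefixes shorter than /24 are too wide.
MAX_PREFIX_WIDTH = 24
ANYWHERE = ("0.0.0.0/0", "::/0")


def cidr_findings(cidr, where):
    """Return policy findings for one CIDR block (empty list if acceptable)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return [f"{where}: invalid CIDR {cidr!r}"]
    if net.prefixlen < MAX_PREFIX_WIDTH:
        return [f"{where}: CIDR {cidr} is wider than /{MAX_PREFIX_WIDTH}"]
    return []


def check_rule(name, rule, direction):
    """Check one rule object; direction is 'ingress' or 'egress'."""
    findings = []
    if not (rule.get("description") or "").strip():
        findings.append(f"{name}: missing mandatory description")
    protocol = str(rule.get("protocol", ""))
    all_ports = protocol == "-1" or (
        rule.get("from_port") == 0 and rule.get("to_port") == 65535
    )
    if all_ports:
        findings.append(f"{name}: allows all ports")
    for cidr in rule.get("cidr_blocks", []):
        if direction == "egress" and cidr in ANYWHERE:
            findings.append(f"{name}: anywhere outbound ({cidr}) is not allowed")
        else:
            findings.extend(cidr_findings(cidr, name))
    return findings


def check_rule_map(rules, direction):
    """Check a whole map(object) of rules; an empty result means compliant."""
    findings = []
    for name, rule in rules.items():
        findings.extend(check_rule(name, rule, direction))
    return findings


def check_public_access_cidrs(cidrs):
    """'Required access targets are limited': no anywhere, nothing wider than /24."""
    findings = []
    for cidr in cidrs:
        if cidr in ANYWHERE:
            findings.append(f"public access: {cidr} exposes the endpoint to anywhere")
        else:
            findings.extend(cidr_findings(cidr, "public access"))
    return findings


# Rule taken from the page's Semi Private Cluster example.
SEMI_PRIVATE_NODE_EGRESS = {
    "allow_all_https_traffic": {
        "from_port": 443, "to_port": 443, "protocol": "tcp",
        "cidr_blocks": ["0.0.0.0/0"], "description": "Allow all https outbound",
    },
}

# Constructed rule map: one compliant rule and one that breaks three items at once.
CONSTRUCTED_NODE_EGRESS = {
    "https_to_vpc_endpoints": {
        "from_port": 443, "to_port": 443, "protocol": "tcp",
        "cidr_blocks": ["10.0.1.0/24"], "description": "HTTPS to interface VPC endpoints",
    },
    "all_to_vpc": {
        "from_port": 0, "to_port": 65535, "protocol": "-1",
        "cidr_blocks": ["10.0.0.0/16"], "description": "",
    },
}

if __name__ == "__main__":
    for label, rules in (("semi-private", SEMI_PRIVATE_NODE_EGRESS),
                         ("constructed", CONSTRUCTED_NODE_EGRESS)):
        for finding in check_rule_map(rules, "egress") or ["compliant"]:
            print(f"[{label}] {finding}")
    # The module's bastion_public_access_cidrs default is ["0.0.0.0/0"].
    for finding in check_public_access_cidrs(["0.0.0.0/0"]):
        print(f"[bastion default] {finding}")
```

Run against the Semi Private example, the linter reports exactly the "anywhere outbound" violation that the non-conforming list describes; the same check applied to the module's `bastion_public_access_cidrs` default of `["0.0.0.0/0"]` shows why that input should be overridden with the operator's own source ranges. An ingress rule with 0.0.0.0/0 is reported under the CIDR-width item rather than the outbound item, matching the wording of the policy.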
Required Permissions
KMS Permissions
kms:CreateKey, kms:DescribeKey, kms:EnableKey, kms:DisableKey
kms:ScheduleKeyDeletion, kms:CancelKeyDeletion, kms:CreateAlias
kms:DeleteAlias, kms:UpdateAlias, kms:ListAliases, kms:PutKeyPolicy
kms:GetKeyPolicy, kms:ListKeys
IAM Permissions
iam:CreateRole, iam:GetRole, iam:DeleteRole, iam:UpdateAssumeRolePolicy
iam:AttachRolePolicy, iam:DetachRolePolicy, iam:ListAttachedRolePolicies
iam:PassRole, iam:CreatePolicy, iam:DeletePolicy, iam:GetPolicy
iam:ListPolicyVersions, iam:CreatePolicyVersion, iam:DeletePolicyVersion
iam:SetDefaultPolicyVersion, iam:CreateOpenIDConnectProvider
iam:DeleteOpenIDConnectProvider, iam:GetOpenIDConnectProvider
S3 Permissions
s3:CreateBucket, s3:DeleteBucket, s3:PutBucketAcl, s3:GetBucketAcl
s3:PutBucketPolicy, s3:GetBucketPolicy, s3:PutBucketPublicAccessBlock
s3:GetBucketPublicAccessBlock, s3:PutBucketVersioning, s3:GetBucketVersioning
s3:PutBucketLogging, s3:GetBucketLogging, s3:PutBucketLifecycleConfiguration
s3:GetBucketLifecycleConfiguration, s3:PutEncryptionConfiguration
s3:GetEncryptionConfiguration, s3:PutBucketTagging, s3:GetBucketTagging
VPC Permissions
ec2:CreateVpc, ec2:DeleteVpc, ec2:DescribeVpcs, ec2:ModifyVpcAttribute
ec2:CreateSubnet, ec2:DeleteSubnet, ec2:DescribeSubnets, ec2:CreateRouteTable
ec2:DeleteRouteTable, ec2:AssociateRouteTable, ec2:DisassociateRouteTable
ec2:CreateRoute, ec2:DeleteRoute, ec2:ReplaceRoute, ec2:CreateInternetGateway
ec2:AttachInternetGateway, ec2:DetachInternetGateway, ec2:DeleteInternetGateway
ec2:CreateNatGateway, ec2:DeleteNatGateway, ec2:DescribeNatGateways
ec2:AllocateAddress, ec2:ReleaseAddress, ec2:CreateSecurityGroup
ec2:DeleteSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:RevokeSecurityGroupIngress
ec2:AuthorizeSecurityGroupEgress, ec2:RevokeSecurityGroupEgress, ec2:CreateNetworkAcl
ec2:DeleteNetworkAcl, ec2:CreateNetworkAclEntry, ec2:DeleteNetworkAclEntry
ec2:AssociateNetworkAcl, ec2:DisassociateNetworkAcl, ec2:CreateVpcEndpoint
ec2:DeleteVpcEndpoints, ec2:DescribeVpcEndpoints, ec2:CreateFlowLogs
ec2:DeleteFlowLogs, ec2:DescribeFlowLogs, ec2:DescribeNetworkInterfaces
ec2:DescribeTags, ec2:DescribeRouteTables, ec2:DescribeVpcs, ec2:DescribeSecurityGroups
ec2:CreateTags, ec2:DescribeAvailabilityZones
MKS Permissions
eks:*, autoscaling:CreateAutoScalingGroup, autoscaling:UpdateAutoScalingGroup
autoscaling:DeleteAutoScalingGroup, autoscaling:DescribeAutoScalingGroups
logs:CreateLogGroup, logs:PutRetentionPolicy, logs:DescribeLogGroups