PinHouse · doup2001 · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026
diff --git a/k8s-helm/.gitignore b/k8s-helm/.gitignore
@@ -0,0 +1,18 @@
+# ========================================
+# 로컬 시크릿 매니페스트
+# ========================================
+releases/**/secrets/*.yaml
+!releases/**/secrets/*.yaml.example
+
+# ========================================
+# 로컬 오버라이드 파일
+# ========================================
+*.local.yaml
+*.local.yml
+*.secret.yaml
+*.secret.yml
+
+# ========================================
+# 릴리스 로컬 문서
+# ========================================
+releases/*/README.md
diff --git a/k8s-helm/releases/calico/values-nonprod.yaml b/k8s-helm/releases/calico/values-nonprod.yaml
@@ -0,0 +1,8 @@
+installation:
+  calicoNetwork:
+    bgp: Disabled
+    ipPools:
+      - cidr: 192.168.0.0/16
+        encapsulation: VXLAN
+        natOutgoing: Enabled
+        nodeSelector: all()
diff --git a/k8s-helm/releases/calico/values-prod.yaml b/k8s-helm/releases/calico/values-prod.yaml
@@ -0,0 +1,8 @@
+installation:
+  calicoNetwork:
+    bgp: Disabled
+    ipPools:
+      - cidr: 192.168.0.0/16
+        encapsulation: VXLAN
+        natOutgoing: Enabled
+        nodeSelector: all()
diff --git a/terraform/.gitignore b/terraform/.gitignore
@@ -27,5 +27,5 @@ terraform.rc
 # Ignore backup files
 *.backup
 
-# Ignore lock files (optional - 팀에서 결정)
-# .terraform.lock.hcl
+# Ignore lock files
+.terraform.lock.hcl
diff --git a/terraform/environments/prod/compute.tf b/terraform/environments/prod/compute.tf
@@ -24,7 +24,12 @@ module "k8s_master_nodes" {
   boot_disk_size_gb  = var.k8s_node_boot_disk_size_gb
   boot_disk_type     = "pd-balanced"
   enable_external_ip = false
-  tags               = ["k8s-master", var.environment]
+  startup_script = templatefile("${path.module}/scripts/k8s-master-init.sh", {
+    k8s_pod_cidr     = var.k8s_pod_cidr
+    k8s_service_cidr = var.k8s_service_cidr
+    calico_version   = var.calico_version
+  })
+  tags = ["k8s-master", var.environment]
 
   # 태그
   common_tags = merge(var.common_tags, {
@@ -45,7 +50,8 @@ module "k8s_master_nodes" {
 module "k8s_worker_nodes" {
   source = "../../modules/compute"
 
-  name_prefix = "${var.project}-${var.environment}-k8s-worker"
+  # 서브넷 이동은 MIG 인플레이스 업데이트가 불가하므로 새 이름으로 교체합니다.
+  name_prefix = "${var.project}-${var.environment}-k8s-workers"
   network     = module.vpc.vpc_self_link
   subnetwork  = module.vpc.subnets["app"].self_link
 
@@ -68,6 +74,7 @@ module "k8s_worker_nodes" {
   boot_disk_size_gb  = var.k8s_node_boot_disk_size_gb
   boot_disk_type     = "pd-balanced"
   enable_external_ip = false
+  startup_script     = file("${path.module}/scripts/k8s-worker-init.sh")
   tags               = ["k8s-worker", var.environment]
 
   # 태그

diff --git a/terraform/environments/prod/firewall.tf b/terraform/environments/prod/firewall.tf
@@ -0,0 +1,177 @@
+# ========================================
+# 프로덕션 방화벽 값
+# ========================================
+locals {
+  prod_firewall_rules = merge(
+    {
+      # 워커 노드가 외부 HTTP 트래픽을 받을 수 있도록 허용합니다.
+      allow_http = {
+        name = "${var.vpc_name}-allow-http"
+        allow = [
+          {
+            protocol = "tcp"
+            ports    = ["80"]
+          }
+        ]
+        source_ranges = ["0.0.0.0/0"]
+        target_tags   = ["k8s-worker"]
+        priority      = 1000
+      }
+
+      # 워커 노드가 외부 HTTPS 트래픽을 받을 수 있도록 허용합니다.
+      allow_https = {
+        name = "${var.vpc_name}-allow-https"
+        allow = [
+          {
+            protocol = "tcp"
+            ports    = ["443"]
+          }
+        ]
+        source_ranges = ["0.0.0.0/0"]
+        target_tags   = ["k8s-worker"]
+        priority      = 1000
+      }
+
+      # 마스터와 워커 노드가 Kubernetes API 서버에 접근할 수 있도록 허용합니다.
+      allow_k8s_api_from_nodes = {
+        name = "${var.vpc_name}-allow-k8s-api-from-nodes"
+        allow = [
+          {
+            protocol = "tcp"
+            ports    = ["6443"]
+          }
+        ]
+        source_tags = ["k8s-master", "k8s-worker"]
+        target_tags = ["k8s-master"]
+        priority    = 1000
+      }
+
+      # 마스터 노드 간 etcd와 컨트롤 플레인 포트를 허용합니다.
+      allow_k8s_control_plane = {
+        name = "${var.vpc_name}-allow-k8s-control-plane"
+        allow = [
+          {
+            protocol = "tcp"
+            ports    = ["2379-2380", "10250", "10257", "10259"]
+          }
+        ]
+        source_tags = ["k8s-master"]
+        target_tags = ["k8s-master"]
+        priority    = 1000
+      }
+
+      # 마스터 노드가 워커 노드 kubelet에 접근할 수 있도록 허용합니다.
+      allow_kubelet_from_control_plane = {
+        name = "${var.vpc_name}-allow-kubelet-from-control-plane"
+        allow = [
+          {
+            protocol = "tcp"
+            ports    = ["10250"]
+          }
+        ]
+        source_tags = ["k8s-master"]
+        target_tags = ["k8s-worker"]
+        priority    = 1000
+      }
+
+      # 노드 간 kube-proxy 헬스 및 프록시 포트를 허용합니다.
+      allow_kube_proxy_from_nodes = {
+        name = "${var.vpc_name}-allow-kube-proxy-from-nodes"
+        allow = [
+          {
+            protocol = "tcp"
+            ports    = ["10256"]
+          }
+        ]
+        source_tags = ["k8s-master", "k8s-worker"]
+        target_tags = ["k8s-worker"]
+        priority    = 1000
+      }
+
+      # Calico BGP 피어링에 필요한 TCP 179 포트를 허용합니다.
+      allow_calico_bgp = {
+        name = "${var.vpc_name}-allow-calico-bgp"
+        allow = [
+          {
+            protocol = "tcp"
+            ports    = ["179"]
+          }
+        ]
+        source_tags = ["k8s-master", "k8s-worker"]
+        target_tags = ["k8s-master", "k8s-worker"]
+        priority    = 1000
+      }
+
+      # Calico IP-in-IP 터널링 트래픽을 허용합니다.
+      allow_calico_ipip = {
+        name = "${var.vpc_name}-allow-calico-ipip"
+        allow = [
+          {
+            protocol = "ipip"
+          }
+        ]
+        source_tags = ["k8s-master", "k8s-worker"]
+        target_tags = ["k8s-master", "k8s-worker"]
+        priority    = 1000
+      }
+
+      # Pod CIDR 대역에서 노드로 들어오는 Calico 워크로드 트래픽을 허용합니다.
+      allow_calico_pod_cidr = {
+        name = "${var.vpc_name}-allow-calico-pod-cidr"
+        allow = [
+          {
+            protocol = "tcp"
+            ports    = ["0-65535"]
+          },
+          {
+            protocol = "udp"
+            ports    = ["0-65535"]
+          },
+          {
+            protocol = "icmp"
+          }
+        ]
+        source_ranges = [var.k8s_pod_cidr]
+        target_tags   = ["k8s-master", "k8s-worker"]
+        priority      = 1000
+      }
+    },
+    var.enable_iap_ssh ? {
+      # IAP TCP 터널을 통한 SSH 접근을 허용합니다.
+      allow_iap_ssh = {
+        name = "${var.vpc_name}-allow-iap-ssh"
+        allow = [
+          {
+            protocol = "tcp"
+            ports    = ["22"]
+          }
+        ]
+        source_ranges = var.iap_ssh_source_ranges
+        target_tags   = var.management_target_tags
+        priority      = 1000
+      }
+    } : {},
+    {
+      # Kubernetes 노드 태그를 가진 인스턴스끼리 내부 통신을 허용합니다.
+      allow_internal = {
+        name = "${var.vpc_name}-allow-internal"
+        allow = [
+          {
+            protocol = "tcp"
+            ports    = ["0-65535"]
+          },
+          {
+            protocol = "udp"
+            ports    = ["0-65535"]
+          },
+          {
+            protocol = "icmp"
+          }
+        ]
+        source_tags = ["k8s-master", "k8s-worker"]
+        target_tags = ["k8s-master", "k8s-worker"]
+        priority    = 65534
+      }
+    }
+  )
+}
diff --git a/terraform/environments/prod/iap.tf b/terraform/environments/prod/iap.tf
@@ -0,0 +1,13 @@
+# ========================================
+# IAP SSH 접근 모듈
+# ========================================
+module "iap_access" {
+  source = "../../modules/iap-access"
+
+  project_id = var.project_id
+
+  enable_iap_ssh        = var.enable_iap_ssh
+  iap_ssh_members       = var.iap_ssh_members
+  iap_ssh_admin_members = var.iap_ssh_admin_members
+  service_account_email = var.service_account_email
+}
diff --git a/terraform/environments/prod/outputs.tf b/terraform/environments/prod/outputs.tf
@@ -64,3 +64,31 @@ output "load_balancer_ip" {
   description = "로드 밸런서 IP 주소입니다."
   value       = var.create_load_balancer ? module.load_balancer[0].forwarding_rule_ip_address : null
 }
+
+# ========================================
+# IAP 접근 출력값
+# ========================================
+output "iap_ssh_configuration" {
+  description = "IAP SSH 접근 구성 정보입니다."
+  value = {
+    enabled           = var.enable_iap_ssh
+    source_ranges     = var.enable_iap_ssh ? var.iap_ssh_source_ranges : []
+    target_tags       = var.management_target_tags
+    members           = module.iap_access.iap_access_members
+    admin_members     = module.iap_access.iap_admin_members
+    direct_ssh_ranges = var.ssh_source_ranges
+  }
+}
+
+# ========================================
+# Kubernetes 네트워크 출력값
+# ========================================
+output "k8s_network_configuration" {
+  description = "Kubernetes 및 Calico 네트워크 구성 정보입니다."
+  value = {
+    pod_cidr       = var.k8s_pod_cidr
+    service_cidr   = var.k8s_service_cidr
+    calico_version = var.calico_version
+    encapsulation  = "IPIP"
+  }
+}