Added support for failsafe rules

- Global policies placed under type/airship-code/network-policies - site level policies/modifications placed under <site>/network-policies Change-Id: Ic8245d3263a867babd29773540175f8646e193e0
2021-02-15 07:06:05 +00:00 · 2021-02-15 07:06:05 +00:00 · f61bfd70a8
commit f61bfd70a8
parent 138f3c0dc0
8 changed files with 190 additions and 0 deletions
--- a/manifests/site/test-site/target/network-policies/README.md
+++ b/manifests/site/test-site/target/network-policies/README.md
@ -0,0 +1,19 @@
+# Network Policy  in calico
+
+Restricting traffic between hosts and the outside world can be achieved
+using the following Calico features:
+
+* HostEndpoint resource
+* GlobalNetworkPolicy
+* FelixConfiguration resource with parameters:
+  -FailsafeInboundHostPorts
+  -FailsafeOutboundHostPorts
+Generally a cluster-wide policy is applied to every host.
+
+This site based manifest is designed to override the default global
+FelixConfiguration based in function directory.
+
+For more information on failsafe rules please refer below.
+
+[Host Protection in Calico](https://docs.projectcalico.org/security/protect-hosts)
+
--- a/manifests/site/test-site/target/network-policies/calico_failsafe_rules_patch.yaml
+++ b/manifests/site/test-site/target/network-policies/calico_failsafe_rules_patch.yaml
@ -0,0 +1,43 @@
+apiVersion: projectcalico.org/v3
+kind: FelixConfiguration
+metadata:
+  name: default
+spec:
+  failsafeInboundHostPorts:
+  - protocol: tcp
+    port: 22
+  - protocol: udp
+    port: 68
+  - protocol: tcp
+    port: 179
+  - protocol: tcp
+    port: 2379
+  - protocol: tcp
+    port: 2380
+  - protocol: tcp
+    port: 5473
+  - protocol: tcp
+    port: 6443
+  - protocol: tcp
+    port: 6666
+  - protocol: tcp
+    port: 6667
+  failsafeOutboundHostPorts:
+  - protocol: udp
+    port: 53
+  - protocol: udp
+    port: 67
+  - protocol: tcp
+    port: 179
+  - protocol: tcp
+    port: 2379
+  - protocol: tcp
+    port: 2380
+  - protocol: tcp
+    port: 5473
+  - protocol: tcp
+    port: 6443
+  - protocol: tcp
+    port: 6666
+  - protocol: tcp
+    port: 6667
--- a/manifests/site/test-site/target/network-policies/kustomization.yaml
+++ b/manifests/site/test-site/target/network-policies/kustomization.yaml
@ -0,0 +1,5 @@
+resources:
+  - ../../../../type/airship-core/network-policies
+
+patchesStrategicMerge:
+  - calico_failsafe_rules_patch.yaml
--- a/manifests/type/airship-core/network-policies/README.md
+++ b/manifests/type/airship-core/network-policies/README.md
@ -0,0 +1,16 @@
+# Failsafe rules in calico
+
+It is easy to inadvertently cut all host connectivity because of
+non-existent or misconfigured network policy. To avoid this,
+Calico provides failsafe rules with default/configurable ports
+that are open on all host endpoints.
+
+The manifest in this directory is planned to disable FailsafeInboundHostPorts
+and FailsafeOutboundHostPorts by setting it none. This could be overriden in
+the respective site manifests.
+
+
+For more information on failsafe rules please refer below.
+
+[Host Protection in Calico](https://docs.projectcalico.org/security/protect-hosts)
+
--- a/manifests/type/airship-core/network-policies/felixconfiguration.yaml
+++ b/manifests/type/airship-core/network-policies/felixconfiguration.yaml
@ -0,0 +1,50 @@
+# Note: These are the default values, re-specifying them here for example purposes
+# To set failsafeOutboundHostPorts and InboundHostPorts to none set the spec as follows
+#      spec:
+#        failsafeInboundHostPorts:
+#        failsafeOutboundHostPorts:
+# Refer https://docs.projectcalico.org/reference/felix/configuration for more details.
+
+apiVersion: projectcalico.org/v3
+kind: FelixConfiguration
+metadata:
+  name: default
+spec:
+  failsafeInboundHostPorts:
+  - protocol: tcp
+    port: 22
+  - protocol: udp
+    port: 68
+  - protocol: tcp
+    port: 179
+  - protocol: tcp
+    port: 2379
+  - protocol: tcp
+    port: 2380
+  - protocol: tcp
+    port: 5473
+  - protocol: tcp
+    port: 6443
+  - protocol: tcp
+    port: 6666
+  - protocol: tcp
+    port: 6667
+  failsafeOutboundHostPorts:
+  - protocol: udp
+    port: 53
+  - protocol: udp
+    port: 67
+  - protocol: tcp
+    port: 179
+  - protocol: tcp
+    port: 2379
+  - protocol: tcp
+    port: 2380
+  - protocol: tcp
+    port: 5473
+  - protocol: tcp
+    port: 6443
+  - protocol: tcp
+    port: 6666
+  - protocol: tcp
+    port: 6667
--- a/manifests/type/airship-core/network-policies/kustomization.yaml
+++ b/manifests/type/airship-core/network-policies/kustomization.yaml
@ -0,0 +1,2 @@
+resources:
+  - felixconfiguration.yaml
--- a/tools/deployment/02_install_calicoctl.sh
+++ b/tools/deployment/02_install_calicoctl.sh
@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -xe
+
+: ${CALICOCTL_VERSION:="v3.17.3"}
+curl -O -L  https://github.com/projectcalico/calicoctl/releases/download/v3.17.3/calicoctl
+
+# Install kubectl
+URL="https://github.com/projectcalico"
+sudo -E curl -sSLo /usr/local/bin/calicoctl \
+  "${URL}"/calicoctl/releases/download/"${CALICOCTL_VERSION}"/calicoctl
+
+sudo -E chmod +x /usr/local/bin/calicoctl
--- a/tools/deployment/40_deploy_network_policies.sh
+++ b/tools/deployment/40_deploy_network_policies.sh
@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+TMP=$(mktemp -d)
+
+MANIFEST_FILE="$TMP/network-policy.yaml"
+export SITE=${SITE:="test-site"}
+
+export KUBECONFIG=${KUBECONFIG:="$HOME/.airship/kubeconfig"}
+export KUBECONFIG_TARGET_CONTEXT=${KUBECONFIG_TARGET_CONTEXT:="target-cluster"}
+: ${TREASUREMAP_PROJECT:="${PWD}"}
+
+#Generate all of the policies and deploy using calicoctl
+kustomize build --enable_alpha_plugins $TREASUREMAP_PROJECT/manifests/site/$SITE/target/network-policies -o ${MANIFEST_FILE}
+
+#What about per node basis. Also usage of calico apply/replace
+DATASTORE_TYPE=kubernetes calicoctl apply -f ${MANIFEST_FILE}