.. zlk1582057887959

.. _security-firewall-options:

=======================
Modify Firewall Options
=======================

|prod| incorporates a default firewall for the platform networks (|OAM|,
management, cluster-host, pxeboot, admin, and storage). You can configure
additional Kubernetes Network Policies to augment or override the default
rules.

The |prod| firewall uses Kubernetes Network Policies (implemented by the Calico
|CNI|) to enforce a firewall on the desired platform network.

The labels available for the selectors of a new ``GlobalNetworkPolicy`` are:

.. _security-firewall-options-ul-xw2-qkw-g3b:

``ifname``
    nodename.interface-name, e.g. ``controller-0.mgmt0``

``iftype``
    oam, mgmt, admin, cluster-host, pxeboot, storage

``nodetype``
    controller or worker

Since a single interface can carry one or more networks, the ``iftype`` label
concatenates the network types with ``.`` as a separator, e.g.
``cluster-host.mgmt.pxeboot``. In that case the host endpoint (the
``HostEndpoint`` in the example below) is subject to the rules of every |GNP|
whose selector matches those labels. Note that an exact match such as
``iftype == 'mgmt'`` does not match a concatenated label; use
``iftype contains 'mgmt'`` to select every interface that carries the
management network.

To see the labels in use, check the host endpoints that |prod| has already
created:

.. code-block:: none

    $ kubectl get hostendpoints.crd.projectcalico.org
    NAME                           AGE
    controller-0-cluster0-if-hep   8h
    controller-0-mgmt0-if-hep      8h
    controller-0-oam-if-hep        8h
    controller-0-pxeboot0-if-hep   8h
    controller-1-cluster0-if-hep   7h58m
    controller-1-mgmt0-if-hep      7h58m
    controller-1-oam-if-hep        7h58m
    controller-1-pxeboot0-if-hep   7h58m

.. code-block:: none

    $ kubectl get hostendpoints.crd.projectcalico.org controller-0-mgmt0-if-hep -o yaml
    apiVersion: crd.projectcalico.org/v1
    kind: HostEndpoint
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"crd.projectcalico.org/v1","kind":"HostEndpoint","metadata":{"annotations":{},"labels":{"ifname":"controller-0.mgmt0","iftype":"mgmt","nodetype":"controller"},"name":"controller-0-mgmt0-if-hep"},"spec":{"interfaceName":"vlan383","node":"controller-0"}}
      creationTimestamp: "2023-08-03T06:01:50Z"
      generation: 1
      labels:
        ifname: controller-0.mgmt0
        iftype: mgmt
        nodetype: controller
      name: controller-0-mgmt0-if-hep
      resourceVersion: "2861"
      uid: 591694b5-e0ef-4562-a050-000e9473103a
    spec:
      interfaceName: vlan383
      node: controller-0

Every platform interface has a ``HostEndpoint`` attached to it, so traffic to
that interface is denied unless a policy allows it (apart from the failsafe
ports configured in Calico). The ``GlobalNetworkPolicies`` whose selectors
match a ``HostEndpoint`` supply its permission rules. All
``GlobalNetworkPolicies`` provided by |prod| are set with order 100.

You can introduce custom rules by creating and installing custom Kubernetes
Network Policies. Calico evaluates the policies that match an endpoint in
ascending order, and the first rule that matches with an ``Allow`` or ``Deny``
action decides the verdict. A custom policy with order 500 can therefore add
permissions that the default policies do not grant, but it cannot deny traffic
that a default policy (order 100) already allows; a ``Deny`` that must take
precedence over the defaults needs an order lower than 100.

The following example opens up the default HTTPS port 443 on the |OAM|
interface of the controllers.

.. code-block:: none

    % cat <<EOF > gnp-oam-overrides.yaml
    apiVersion: crd.projectcalico.org/v1
    kind: GlobalNetworkPolicy
    metadata:
      name: gnp-oam-overrides
    spec:
      ingress:
      - action: Allow
        destination:
          ports:
          - 443
        protocol: TCP
      order: 500
      selector: has(nodetype) && nodetype == 'controller' && has(iftype) && iftype contains 'oam'
      types:
      - Ingress
    EOF

It can be applied using the :command:`kubectl` apply command. For example:

.. code-block:: none

    $ kubectl apply -f gnp-oam-overrides.yaml

You can confirm the policy was applied properly using the :command:`kubectl`
describe command. For example:

.. code-block:: none

    $ kubectl describe globalnetworkpolicy gnp-oam-overrides
    Name:         gnp-oam-overrides
    Namespace:
    Labels:       <none>
    Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                    {"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"gnp-oam-overrides"},"spec...
    API Version:  crd.projectcalico.org/v1
    Kind:         GlobalNetworkPolicy
    Metadata:
      Creation Timestamp:  2019-05-16T13:07:45Z
      Generation:          1
      Resource Version:    296298
      Self Link:           /apis/crd.projectcalico.org/v1/globalnetworkpolicies/gnp-oam-overrides
      UID:                 98a324ab-77db-11e9-9f9f-a4bf010007e9
    Spec:
      Ingress:
        Action:  Allow
        Destination:
          Ports:
            443
        Protocol:  TCP
      Order:       500
      Selector:    has(nodetype) && nodetype == 'controller' && has(iftype) && iftype contains 'oam'
      Types:
        Ingress
    Events:  <none>

.. xbooklink For information about yaml rule syntax, see |sysconf-doc|:
   :ref:`Modifying OAM Firewall Rules `.

For the default rules used by |prod| see |sec-doc|: :ref:`Default Firewall
Rules `.

For a full description of GNP syntax, see
`https://docs.projectcalico.org/v3.6/reference/calicoctl/resources/globalnetworkpolicy
<https://docs.projectcalico.org/v3.6/reference/calicoctl/resources/globalnetworkpolicy>`__.
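Before applying a custom |GNP|, it helps to check which ``HostEndpoint``
objects its selector will bind to, since a selector that is too narrow
(``iftype == 'mgmt'``) silently skips interfaces carrying a concatenated
``iftype`` label, while one that is too broad (``iftype contains 'host'``)
may match more than intended. The following evaluator is an added example and
is not StarlingX or Calico code; it implements the subset of the Calico
selector language used on this page (``has()``, ``==``, ``!=``, ``contains``,
``&&``, ``||`` and parentheses) and runs it against label sets constructed to
mirror the host endpoints shown above. The ``ifname`` values for the |OAM|
endpoints and the whole ``worker-0-enp0s3-if-hep`` entry are assumptions made
for the illustration.

```python
"""Added example, not StarlingX or Calico code: evaluate the subset of Calico
selector syntax used in GlobalNetworkPolicy selectors against HostEndpoint
labels, to see which platform interfaces a policy binds to. Supported:
has(k), k == 'v', k != 'v', k contains 'v', a && b, a || b, parentheses."""
import re

# Constructed sample labels modelled on the HostEndpoints shown on this page.
# The worker-0 entry is an assumption: one interface carrying three networks,
# so its iftype label is the dotted concatenation described in the text.
HOST_ENDPOINTS = {
    "controller-0-mgmt0-if-hep": {"ifname": "controller-0.mgmt0", "iftype": "mgmt", "nodetype": "controller"},
    "controller-0-oam-if-hep": {"ifname": "controller-0.oam", "iftype": "oam", "nodetype": "controller"},
    "controller-1-mgmt0-if-hep": {"ifname": "controller-1.mgmt0", "iftype": "mgmt", "nodetype": "controller"},
    "controller-1-oam-if-hep": {"ifname": "controller-1.oam", "iftype": "oam", "nodetype": "controller"},
    "worker-0-enp0s3-if-hep": {"ifname": "worker-0.enp0s3", "iftype": "cluster-host.mgmt.pxeboot", "nodetype": "worker"},
}

_TOKEN_RE = re.compile(r"(?P<op>&&|\|\||==|!=|\(|\))|(?P<kw>has|contains)\b"
                       r"|'(?P<str>[^']*)'|(?P<ident>[A-Za-z0-9_./-]+)")
# A missing label (None) fails == and contains but satisfies !=, as in Calico.
_COMPARE = {
    "==": lambda lab, v: lab == v,
    "!=": lambda lab, v: lab != v,
    "contains": lambda lab, v: lab is not None and v in lab,
}

def _tokenize(text):
    """Split a selector into (kind, value) tokens: op, kw, str or ident."""
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad selector near {text[pos:]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

class _Parser:
    """Recursive descent; each node is a predicate over one endpoint's labels."""

    def __init__(self, selector):
        self.toks, self.pos = _tokenize(selector), 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)

    def _take(self, kind, value=None):
        tok = self._peek()
        if tok[0] != kind or value not in (None, tok[1]):
            raise ValueError(f"expected {value or kind}, got {tok[1]!r}")
        self.pos += 1
        return tok[1]

    def parse(self):
        pred = self._or()
        if self._peek()[0] is not None:
            raise ValueError(f"unexpected trailing token {self._peek()[1]!r}")
        return pred

    def _or(self):  # lowest precedence: a || b
        pred = self._and()
        while self._peek() == ("op", "||"):
            self.pos += 1
            pred = (lambda l, r: lambda labels: l(labels) or r(labels))(pred, self._and())
        return pred

    def _and(self):  # && binds tighter than ||
        pred = self._term()
        while self._peek() == ("op", "&&"):
            self.pos += 1
            pred = (lambda l, r: lambda labels: l(labels) and r(labels))(pred, self._term())
        return pred

    def _term(self):  # ( expr ), has(k), or k <op> 'v'
        if self._peek() == ("op", "("):
            self.pos += 1
            inner = self._or()
            self._take("op", ")")
            return inner
        if self._peek() == ("kw", "has"):
            self.pos += 1
            self._take("op", "(")
            name = self._take("ident")
            self._take("op", ")")
            return lambda labels: name in labels
        name, op = self._take("ident"), self._peek()[1]
        if op not in _COMPARE:
            raise ValueError(f"unknown operator {op!r} after {name}")
        self.pos += 1
        value, test = self._take("str"), _COMPARE[op]
        return lambda labels: test(labels.get(name), value)

def matching_endpoints(selector, endpoints=HOST_ENDPOINTS):
    """Sorted names of the HostEndpoints a policy with this selector binds to."""
    pred = _Parser(selector).parse()
    return sorted(name for name, labels in endpoints.items() if pred(labels))
```

Running ``matching_endpoints`` with the selector from the ``gnp-oam-overrides``
example returns only the two |OAM| endpoints, ``iftype == 'mgmt'`` returns the
two controller management endpoints but not the worker's multi-network
interface, and ``iftype contains 'mgmt'`` returns all three. On a live system
the same check can be done against the real labels by feeding the output of
``kubectl get hostendpoints.crd.projectcalico.org -o json`` into the
``endpoints`` argument.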