edf05c3460
- Added information to allow operator firewall customization update for all platform networks. - Minor updates. - Editorial fixes. - Added one new item in the abbrevs.txt file. - Minor fix. Story: 2010591 Task: 48703 Change-Id: I727d7b5412c50e59f97839f62ef03359eff78b81 Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com>
154 lines
5.0 KiB
ReStructuredText
154 lines
5.0 KiB
ReStructuredText
|
|
.. zlk1582057887959
|
|
.. _security-firewall-options:
|
|
|
|
=======================
|
|
Modify Firewall Options
|
|
=======================
|
|
|
|
|prod| incorporates a default firewall for the platform networks (|OAM|,
|
|
management, cluster-host, pxeboot, admin, and storage). You can configure
|
|
additional Kubernetes Network Policies to augment or override the default rules.
|
|
|
|
The |prod| firewall uses the Kubernetes Network Policies (using the Calico
|
|
|CNI|) to implement a firewall on the desired platform network.
|
|
|
|
The available labels to place the new ``GlobalNetworkPolicy`` selectors are:
|
|
|
|
|
|
.. _security-firewall-options-ul-xw2-qkw-g3b:
|
|
|
|
``ifname``
|
|
nodename.interface-name e.g.: controller-0.mgmt0
|
|
|
|
``iftype``
|
|
mgmt, admin, cluster-host, pxeboot, storage
|
|
|
|
``nodetype``
|
|
controller or worker
|
|
|
|
Since a single interface can receive one or more networks, the ``iftype`` label
|
|
concatenates with "." as a separator, e.g.: ``cluster-host.mgmt.pxeboot`` (for
|
|
this case the host endpoint (``HostEndpoint`` in the example below) will use the
|
|
rules for all |GNPs| that contain those labels in the selector).
|
|
|
|
|
|
To get the installed labels check the host endpoints previously created:
|
|
|
|
.. code-block:: none
|
|
|
|
$ kubectl get hostendpoints.crd.projectcalico.org
|
|
NAME AGE
|
|
controller-0-cluster0-if-hep 8h
|
|
controller-0-mgmt0-if-hep 8h
|
|
controller-0-oam-if-hep 8h
|
|
controller-0-pxeboot0-if-hep 8h
|
|
controller-1-cluster0-if-hep 7h58m
|
|
controller-1-mgmt0-if-hep 7h58m
|
|
controller-1-oam-if-hep 7h58m
|
|
controller-1-pxeboot0-if-hep 7h58m
|
|
|
|
.. code-block:: none
|
|
|
|
$ kubectl get hostendpoints.crd.projectcalico.org controller-0-mgmt0-if-hep -o yaml
|
|
apiVersion: crd.projectcalico.org/v1
|
|
kind: HostEndpoint
|
|
metadata:
|
|
annotations:
|
|
kubectl.kubernetes.io/last-applied-configuration: |
|
|
{"apiVersion":"crd.projectcalico.org/v1","kind":"HostEndpoint","metadata":{"annotations":{},"labels":{"ifname":"controller-0.mgmt0","iftype":"mgmt","nodetype":"controller"},"name":"controller-0-mgmt0-if-hep"},"spec":{"interfaceName":"vlan383","node":"controller-0"}}
|
|
creationTimestamp: "2023-08-03T06:01:50Z"
|
|
generation: 1
|
|
labels:
|
|
ifname: controller-0.mgmt0
|
|
iftype: mgmt
|
|
nodetype: controller
|
|
name: controller-0-mgmt0-if-hep
|
|
resourceVersion: "2861"
|
|
uid: 591694b5-e0ef-4562-a050-000e9473103a
|
|
spec:
|
|
interfaceName: vlan383
|
|
node: controller-0
|
|
|
|
All platform interfaces have a ``HostEndpoint`` attached to it, hence all traffic
|
|
is blocked by default. The ``GlobalNetworkPolicies`` associated with a particular
|
|
``HostEndpoint`` provide the permission rules. All ``GlobalNetworkPolicies`` provided by
|
|
|prod| are set with order 100.
|
|
|
|
|
|
You can introduce custom rules by creating and installing custom Kubernetes
|
|
Network Policies.
|
|
|
|
The following example opens up default HTTPS port 443.
|
|
|
|
.. code-block:: none
|
|
|
|
% cat <<EOF > gnp-oam-overrides.yaml
|
|
apiVersion: crd.projectcalico.org/v1
|
|
kind: GlobalNetworkPolicy
|
|
metadata:
|
|
name: gnp-oam-overrides
|
|
spec:
|
|
ingress:
|
|
- action: Allow
|
|
destination:
|
|
ports:
|
|
protocol: TCP
|
|
order: 500
|
|
selector: has(nodetype) && nodetype == 'controller' && has(iftype) && iftype contains 'oam'
|
|
types:
|
|
- Ingress
|
|
EOF
|
|
|
|
It can be applied using the :command:`kubectl` apply command. For example:
|
|
|
|
.. code-block:: none
|
|
|
|
$ kubectl apply -f gnp-oam-overrides.yaml
|
|
|
|
You can confirm the policy was applied properly using the :command:`kubectl`
|
|
describe command. For example:
|
|
|
|
.. code-block:: none
|
|
|
|
$ kubectl describe globalnetworkpolicy gnp-oam-overrides
|
|
Name: gnp-oam-overrides
|
|
Namespace:
|
|
Labels: <none>
|
|
Annotations: kubectl.kubernetes.io/last-applied-configuration:
|
|
{"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"gnp-openstack-oam"},"spec...
|
|
API Version: crd.projectcalico.org/v1
|
|
Kind: GlobalNetworkPolicy
|
|
Metadata:
|
|
Creation Timestamp: 2019-05-16T13:07:45Z
|
|
Generation: 1
|
|
Resource Version: 296298
|
|
Self Link: /apis/crd.projectcalico.org/v1/globalnetworkpolicies/gnp-openstack-oam
|
|
UID: 98a324ab-77db-11e9-9f9f-a4bf010007e9
|
|
Spec:
|
|
Ingress:
|
|
Action: Allow
|
|
Destination:
|
|
Ports:
|
|
443
|
|
Protocol: TCP
|
|
Order: 500
|
|
Selector: has(nodetype) && nodetype == 'controller' && has(iftype) && iftype contains 'oam'
|
|
Types:
|
|
Ingress
|
|
Events: <none>
|
|
|
|
.. xbooklink
|
|
|
|
For information about yaml rule syntax, see |sysconf-doc|: :ref:`Modifying OAM Firewall Rules <modifying-oam-firewall-rules>`.
|
|
|
|
For the default rules used by |prod| see |sec-doc|: :ref:`Default Firewall
|
|
Rules <security-default-firewall-rules>`.
|
|
|
|
For a full description of GNP syntax, see
|
|
`https://docs.projectcalico.org/v3.6/reference/calicoctl/resources/globalnetwo
|
|
rkpolicy
|
|
<https://docs.projectcalico.org/v3.6/reference/calicoctl/resources/globalnetwo
|
|
rkpolicy>`__.
|
|
|