docs/doc/source/security/kubernetes/security-firewall-options.rst
egoncalv 5579744656 Editorial updates on Security Guide upstream
Acted on Greg's comments

Patch 1: Deleted duplicated docs and corrected references to fix build failure

Patch 2: Acted on Greg's and Ron's comments.

Patch 3: Acted on Greg's comment.

Patch 4: Acted on Mary's comments.

Patch 5: Solved merge conflict.

Patch 6: Worked on Mary's comments.

Patch 7: Fixed build conflict.

Patch 8: Worked on Mary's comments.

https://review.opendev.org/c/starlingx/docs/+/792461

Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com>
Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4
2021-06-02 12:28:10 -03:00


Modify Firewall Options

incorporates a default firewall for the network. You can configure additional Kubernetes Network Policies in order to augment or override the default rules.

The firewall uses the Kubernetes Network Policies (using the Calico ) to implement a firewall on the network.

A minimal set of rules is always applied before any custom rules, as follows:

  • Non- traffic is always accepted.
  • Egress traffic is always accepted.
  • traffic is always accepted.
  • traffic is always accepted.

You can introduce custom rules by creating and installing custom Kubernetes Network Policies.

The following example opens up the default HTTPS port, 443, for ingress on the interfaces selected by the policy.

% cat <<EOF > gnp-oam-overrides.yaml
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: gnp-oam-overrides
spec:
  ingress:
  - action: Allow
    destination:
      ports:
      - 443
    protocol: TCP
  order: 500
  selector: has(iftype) && iftype == 'oam'
  types:
  - Ingress
EOF

It can be applied using the kubectl apply command. For example:

$ kubectl apply -f gnp-oam-overrides.yaml

You can confirm the policy was applied properly using the kubectl describe command. For example:

$ kubectl describe globalnetworkpolicy gnp-oam-overrides
Name:         gnp-oam-overrides
Namespace:
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"gnp-openstack-oam"},"spec...
API Version:  crd.projectcalico.org/v1
Kind:         GlobalNetworkPolicy
Metadata:
  Creation Timestamp:  2019-05-16T13:07:45Z
  Generation:          1
  Resource Version:    296298
  Self Link:           /apis/crd.projectcalico.org/v1/globalnetworkpolicies/gnp-openstack-oam
  UID:                 98a324ab-77db-11e9-9f9f-a4bf010007e9
Spec:
  Ingress:
    Action:  Allow
    Destination:
      Ports:
        443
    Protocol:  TCP
  Order:       500
  Selector:    has(iftype) && iftype == 'oam'
  Types:
    Ingress
Events:  <none>
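To build overrides of this shape without hand-editing YAML, and to review an override before applying it, the following added Python example (not part of the StarlingX documentation or project code) generates a GlobalNetworkPolicy for a list of TCP ports and reports what an existing policy opens; rules that allow ingress without destination ports or without a protocol are flagged because Calico then matches all ports or all protocols. The helper names and the JSON output form (kubectl apply accepts JSON as well as YAML) are the example's own assumptions.

```python
"""Build and review Calico GlobalNetworkPolicy overrides for the OAM firewall.
Added example; function names and the JSON manifest form are assumptions."""
import json

# Selector used by the page's example: only interfaces labelled iftype == 'oam'.
OAM_SELECTOR = "has(iftype) && iftype == 'oam'"


def build_oam_override(name, tcp_ports, order=500):
    """Return a GlobalNetworkPolicy (as a dict) allowing ingress to the given
    TCP ports on OAM interfaces, mirroring the gnp-oam-overrides example."""
    return {
        "apiVersion": "crd.projectcalico.org/v1",
        "kind": "GlobalNetworkPolicy",
        "metadata": {"name": name},
        "spec": {
            "ingress": [{
                "action": "Allow",
                "protocol": "TCP",
                "destination": {"ports": sorted(set(int(p) for p in tcp_ports))},
            }],
            "order": order,
            "selector": OAM_SELECTOR,
            "types": ["Ingress"],
        },
    }


def to_manifest(policy):
    """Serialise the policy as JSON for `kubectl apply -f <file>`."""
    return json.dumps(policy, indent=2)


def review_policy(policy):
    """Return human-readable findings: what each Allow rule opens, plus
    warnings for rules broader than a port-specific allow."""
    findings = []
    spec = policy.get("spec", {})
    if policy.get("kind") != "GlobalNetworkPolicy":
        findings.append("kind is not GlobalNetworkPolicy")
    if spec.get("selector") != OAM_SELECTOR:
        findings.append("selector does not restrict the policy to OAM interfaces")
    for i, rule in enumerate(spec.get("ingress", [])):
        if rule.get("action") != "Allow":
            continue
        ports = rule.get("destination", {}).get("ports")
        proto = rule.get("protocol")
        if not ports:
            findings.append(f"ingress rule {i}: Allow without destination ports opens every port")
        elif not proto:
            findings.append(f"ingress rule {i}: ports listed but no protocol, matches all protocols")
        else:
            findings.append(f"ingress rule {i}: allows {proto} {ports}")
    return findings
```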

For information about yaml rule syntax, see :ref:`Modifying OAM Firewall Rules <modifying-oam-firewall-rules>`.

For the default rules used by see :ref:`Default Firewall Rules <security-default-firewall-rules>`.

For a full description of GNP syntax, see https://docs.projectcalico.org/v3.6/reference/calicoctl/resources/globalnetworkpolicy.