starlingx/docs
Code Issues Proposed changes
docs/doc/source/security/kubernetes/security-default-firewall-rules.rst
Ron Stone f125a8b892 Remove spurious escapes (r8,dsR8) 
This change addresses a long-standing issue in rST documentation imported from XML.
That import process added backslash escapes in front of various characters. The three
most common being '(', ')', and '_'.
These instances are removed.

Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e
2023-03-01 11:19:04 +00:00

6.0 KiB
Raw Blame History

Default Firewall Rules

applies default firewall rules on the network. The default rules are recommended for most applications.

Traffic is permitted for the following protocols and ports to allow access for platform services. By default, all other traffic is blocked.

You can view the configured firewall rules with the following command:

~(keystone_admin)]$ kubectl describe globalnetworkpolicy
Name:         controller-oam-if-gnp
Namespace:
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"controller-oam-if-gnp"},"spec":...
API Version:  crd.projectcalico.org/v1
Kind:         GlobalNetworkPolicy
Metadata:
  Creation Timestamp:  2019-08-08T20:18:34Z
  Generation:          1
  Resource Version:    1395
  Self Link:           /apis/crd.projectcalico.org/v1/globalnetworkpolicies/controller-oam-if-gnp
  UID:                 b28b74fe-ba19-11e9-9176-ac1f6b0eef28
Spec:
  Apply On Forward:  false
  Egress:
    Action:      Allow
    Ip Version:  4
    Protocol:    TCP
    Action:      Allow
    Ip Version:  4
    Protocol:    UDP
    Action:      Allow
    Protocol:    ICMP
  Ingress:
    Action:  Allow
    Destination:
      Ports:
        22
        18002
        4545
        15491
        6385
        7777
        6443
        9001
        9002
        7480
        9311
        5000
        8080
    Ip Version:  4
    Protocol:    TCP
    Action:      Allow
    Destination:
      Ports:
        2222
        2223
        123
        161
        162
        319
        320
    Ip Version:  4
    Protocol:    UDP
    Action:      Allow
    Protocol:    ICMP
  Order:         100
  Selector:      has(iftype) && iftype == 'oam'
  Types:
    Ingress
    Egress
Events:  <none>

Where:

Protocol Port Service Name
tcp 22 ssh
tcp 8080 horizon (http only)
tcp 8443 horizon (https only)
tcp 5000 keystone-api
tcp 6385

stx-metal

stx-config
tcp 8119 stx-distcloud
tcp 18002 stx-fault
tcp 7777 stx-ha
tcp 4545 stx-nfv
tcp 6443 Kubernetes api server
tcp 9001 Docker registry
tcp 9002 Registry token server
tcp 15491 stx-update
icmp icmp
udp 123 ntp
udp 161 snmp
udp 2222 service manager
udp 2223 service manager

Note

Custom rules may be added for other requirements. For more information, see : Firewall Options <security-firewall-options>.

Note

UDP ports 2222 and 2223 are used by the service manager for state synchronization and heart beating between the controllers. All messages are authenticated with a SHA512 HMAC. Only packets originating from the peer controller are permitted; all other packets are dropped.