Acted on Greg's comments

Patch 1: Deleted duplicated docs and corrected references to fix build failure
Patch 2: Acted on Greg's and Ron's comments.
Patch 3: Acted on Greg's comment.
Patch 4: Acted on Mary's comments.
Patch 5: Solved merge conflict.
Patch 6: Worked on Mary's comments.
Patch 7: Fixed build conflict.
Patch 8: Worked on Mary's comments.

https://review.opendev.org/c/starlingx/docs/+/792461

Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com>
Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4
106 lines
2.9 KiB
ReStructuredText
.. zlk1582057887959

.. _security-firewall-options:

=======================
Modify Firewall Options
=======================

|prod| incorporates a default firewall for the |OAM| network. You can configure
additional Kubernetes Network Policies in order to augment or override the
default rules.

The |prod| firewall is implemented with Kubernetes Network Policies \(provided
by the Calico |CNI|\) on the |OAM| network.

A minimal set of rules is always applied before any custom rules, as follows:

.. _security-firewall-options-ul-xw2-qkw-g3b:

-   Non-|OAM| traffic is always accepted.

-   Egress traffic is always accepted.

-   |SM| traffic is always accepted.

-   |SSH| traffic is always accepted.

You can introduce custom rules by creating and installing custom Kubernetes
Network Policies.

The following example opens the default HTTPS port, 443, to ingress traffic on
the |OAM| network.

.. code-block:: none

    % cat <<EOF > gnp-oam-overrides.yaml
    apiVersion: crd.projectcalico.org/v1
    kind: GlobalNetworkPolicy
    metadata:
      name: gnp-oam-overrides
    spec:
      ingress:
      - action: Allow
        destination:
          ports:
          - 443
        protocol: TCP
      order: 500
      selector: has(iftype) && iftype == 'oam'
      types:
      - Ingress
    EOF

It can be applied using the :command:`kubectl` apply command. For example:

.. code-block:: none

    $ kubectl apply -f gnp-oam-overrides.yaml

You can confirm that the policy was applied properly using the
:command:`kubectl` describe command. For example:

.. code-block:: none

    $ kubectl describe globalnetworkpolicy gnp-oam-overrides
    Name:         gnp-oam-overrides
    Namespace:
    Labels:       <none>
    Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                    {"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"gnp-openstack-oam"},"spec...
    API Version:  crd.projectcalico.org/v1
    Kind:         GlobalNetworkPolicy
    Metadata:
      Creation Timestamp:  2019-05-16T13:07:45Z
      Generation:          1
      Resource Version:    296298
      Self Link:           /apis/crd.projectcalico.org/v1/globalnetworkpolicies/gnp-openstack-oam
      UID:                 98a324ab-77db-11e9-9f9f-a4bf010007e9
    Spec:
      Ingress:
        Action:  Allow
        Destination:
          Ports:
            443
        Protocol:  TCP
      Order:       500
      Selector:    has(iftype) && iftype == 'oam'
      Types:
        Ingress
    Events:  <none>
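
As an added example (not part of the StarlingX documentation or its tooling), a small Python linter that checks a GNP override before it is applied: it confirms the policy carries the OAM selector used above, has an explicit order, and that every Allow rule names a protocol and destination ports, so a rule that would open every port on the |OAM| network is caught. The policies are embedded as JSON, the form kubectl keeps in the last-applied-configuration annotation; the over-broad second policy and the linter's rules are constructed for this example.

```python
import json
# Selector the page's override uses to target OAM interfaces; the linter assumes a valid OAM override carries exactly this selector.
OAM_SELECTOR = "has(iftype) && iftype == 'oam'"

# The page's gnp-oam-overrides policy, in the JSON form kubectl keeps in the last-applied-configuration annotation.
PAGE_POLICY = json.loads('''{
  "apiVersion": "crd.projectcalico.org/v1", "kind": "GlobalNetworkPolicy",
  "metadata": {"name": "gnp-oam-overrides"},
  "spec": {"ingress": [{"action": "Allow", "protocol": "TCP",
                        "destination": {"ports": [443]}}],
           "order": 500, "selector": "has(iftype) && iftype == 'oam'",
           "types": ["Ingress"]}}''')

# Constructed counter-example: an Allow rule with no protocol and no ports, which would admit all ingress traffic on OAM.
BROAD_POLICY = json.loads('''{
  "apiVersion": "crd.projectcalico.org/v1", "kind": "GlobalNetworkPolicy",
  "metadata": {"name": "gnp-oam-broad"},
  "spec": {"ingress": [{"action": "Allow"}], "order": 500,
           "selector": "has(iftype) && iftype == 'oam'", "types": ["Ingress"]}}''')

def lint_oam_override(policy):
    """Return findings for a GNP meant as an OAM firewall override; [] passes."""
    findings = []
    if (policy.get("apiVersion"), policy.get("kind")) != \
            ("crd.projectcalico.org/v1", "GlobalNetworkPolicy"):
        findings.append("not a crd.projectcalico.org/v1 GlobalNetworkPolicy")
    spec = policy.get("spec", {})
    if spec.get("selector") != OAM_SELECTOR:
        findings.append("selector does not target OAM interfaces: %r" % spec.get("selector"))
    if not isinstance(spec.get("order"), int):
        findings.append("order is missing or not an integer")
    for i, rule in enumerate(spec.get("ingress", [])):
        if rule.get("action") != "Allow":
            continue
        if rule.get("protocol") not in ("TCP", "UDP", "SCTP"):
            findings.append("ingress[%d]: Allow rule without a TCP/UDP/SCTP protocol" % i)
        if not rule.get("destination", {}).get("ports"):
            findings.append("ingress[%d]: Allow rule with no destination ports opens every port" % i)
    return findings

def allowed_ingress(policy):
    """Set of (protocol, port) pairs the Allow rules admit; port ranges stay as strings."""
    opened = set()
    for rule in policy.get("spec", {}).get("ingress", []):
        if rule.get("action") == "Allow":
            for port in rule.get("destination", {}).get("ports", []):
                opened.add((rule.get("protocol"), str(port)))
    return opened
```

Running the linter on the page's policy yields no findings and reports only TCP/443 as opened; the constructed policy is flagged twice before anyone runs kubectl apply on it.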

.. xbooklink

   For information about YAML rule syntax, see |sysconf-doc|: :ref:`Modifying OAM Firewall Rules <modifying-oam-firewall-rules>`.

For the default rules used by |prod|, see |sec-doc|: :ref:`Default Firewall
Rules <security-default-firewall-rules>`.

For a full description of GNP syntax, see
`https://docs.projectcalico.org/v3.6/reference/calicoctl/resources/globalnetworkpolicy
<https://docs.projectcalico.org/v3.6/reference/calicoctl/resources/globalnetworkpolicy>`__.