From ef867c87b806610da52131ca037ad896612ad388 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 29 May 2024 10:40:00 +0200
Subject: [PATCH] daemon: firewall pods

This introduces a new tc rule that blocks traffic from outside the cluster targeting pod IPs directly. It requires an adjustment of the BPF filter priority to above 32, which is expected to be set by the Constellation Helm installer.
---
 .../templates/cilium-agent/daemonset.yaml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
index c927ff58657144..ab4587bfbda43f 100644
--- a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
+++ b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
@@ -740,6 +740,37 @@ spec:
 - name: cni-path
 mountPath: /host/opt/cni/bin
 {{- end }} # .Values.cni.install
+ - name: firewall-pods
+ image: {{ include "cilium.image" .Values.image | quote }}
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - -exc
+ - |
+ pref=32
+ interface=$(ip route | awk '/^default/ { print $5 }')
+ tc qdisc add dev "${interface}" clsact || true
+ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
+ handle=0
+ for cidr in ${POD_CIDRS}; do
+ handle=$((handle + 1))
+ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
+ done
+ env:
+ - name: POD_CIDRS
+ valueFrom:
+ configMapKeyRef:
+ key: encryption-strict-mode-pod-cidrs
+ name: cilium-config
+ optional: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
 restartPolicy: Always
 priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
 serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
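Review bot: When the `encryption-strict-mode-pod-cidrs` key is absent (the `configMapKeyRef` is `optional: true`) the `for cidr in ${POD_CIDRS}` loop never runs, so the container exits 0 after deleting whatever sat at pref 32 and installs no drop rule at all — a misconfiguration fails open with nothing in the logs. Consider making that explicit, e.g. `if [ -z "${POD_CIDRS:-}" ]; then echo "POD_CIDRS is empty; no pod firewall installed" >&2; exit 1; fi` before the loop, or gating the whole `firewall-pods` container behind a Helm value so it is only rendered where the key is expected to exist. The interface lookup `ip route | awk '/^default/ { print $5 }'` also assumes exactly one IPv4 default route — with two, `"${interface}"` becomes a two-word string and `tc` fails — and since the filter uses `protocol ip`, any IPv6 entry in POD_CIDRS would not be covered (and would presumably make `tc filter replace` error under `-e`). The commit message's requirement that Cilium's own ingress BPF filter be moved to a priority above 32 is not recorded anywhere in the template; a comment above the container such as `# Must run ahead of Cilium's ingress BPF program: the installer is expected to set that filter's priority above 32` would keep that coupling visible to the next maintainer. The container list this entry belongs to starts before the hunk, so whether it is an init container (and whether the pod runs with hostNetwork, which the tc rules on the node's default interface rely on) cannot be confirmed from here.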