Commit
add default ciliumNetworkPolicies in audit mode (#318)
* add default ciliumNetworkPolicies in audit mode
1 parent db9eeda, commit 107a9b5
Showing 12 changed files with 273 additions and 21 deletions.
@@ -0,0 +1,73 @@ | ||
# Firewalling | ||
|
||
This guide covers how Cilium can be set up to act as a [host firewall](https://docs.cilium.io/en/latest/security/host-firewall/) on CAPL clusters. | ||
|
||
## Default Configuration | ||
By default, the following policies are set to audit mode(without any enforcement) on CAPL clusters | ||
|
||
* [Kubeadm](./flavors/default.md) cluster allow rules | ||
|
||
| Ports | Use-case | Allowed clients | | ||
|-----------|--------------------------|-----------------------| | ||
| 6443 | API Server Traffic | World | | ||
| 2379-2380 | Etcd Traffic | World | | ||
| * | In Cluster Communication | Intra Cluster Traffic | | ||
|
||
|
||
* [k3s](./flavors/k3s.md) cluster allow rules | ||
|
||
| Ports | Use-case | Allowed clients | | ||
|-------|--------------------------|-------------------------------| | ||
| 6443 | API Server Traffic | World | | ||
| * | In Cluster Communication | Intra Cluster and VPC Traffic | | ||
|
||
* [RKE2](./flavors/rke2.md) cluster allow rules | ||
|
||
| Ports | Use-case | Allowed clients | | ||
|-------|--------------------------|-------------------------------| | ||
| 6443 | API Server Traffic | World | | ||
| * | In Cluster Communication | Intra Cluster and VPC Traffic | | ||
|
||
## Enabling Firewall Enforcement | ||
In order to turn the cilium network policy from audit to enforce mode use the environment variable `FW_AUDIT_ONLY=false` | ||
when generating the cluster. This will set the [policy-audit-mode](https://docs.cilium.io/en/latest/security/policy-creation/#creating-policies-from-verdicts) | ||
on the cilium deployment | ||
|
||
## Adding Additional Rules | ||
Additional rules can be added to the `default-policy` | ||
```yaml | ||
apiVersion: "cilium.io/v2" | ||
kind: CiliumClusterwideNetworkPolicy | ||
metadata: | ||
name: "default-external-policy" | ||
spec: | ||
description: "allow cluster intra cluster traffic along api server traffic" | ||
nodeSelector: {} | ||
ingress: | ||
- fromEntities: | ||
- cluster | ||
- fromCIDR: | ||
- 10.0.0.0/8 | ||
- fromEntities: | ||
- world | ||
toPorts: | ||
- ports: | ||
- port: "22" # added for SSH Access to the nodes | ||
- port: "6443" | ||
``` | ||
Alternatively, additional rules can be added by creating a new policy | ||
```yaml | ||
apiVersion: "cilium.io/v2" | ||
kind: CiliumClusterwideNetworkPolicy | ||
metadata: | ||
name: "ssh-access-policy" | ||
spec: | ||
description: "allows ssh access to nodes" | ||
nodeSelector: {} | ||
ingress: | ||
- fromEntities: | ||
- world | ||
toPorts: | ||
- ports: | ||
- port: "22" | ||
``` |
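Review bot: the kubeadm table in this hunk lists the `*` row as "Intra Cluster Traffic" only, but the `default-cluster-policy` that ships with the etcd ports (the one matching this table) also admits `fromCIDR` 10.0.0.0/8 and 192.168.128.0/17, so the row should read "Intra Cluster and VPC Traffic" as the k3s and RKE2 tables do, or the CIDRs need their own row. Two wording fixes in the same hunk: "audit mode(without any enforcement)" needs a space before the parenthesis, and "This will set the policy-audit-mode on the cilium deployment" reads as the opposite of what `FW_AUDIT_ONLY=false` does; say it disables policy audit mode so verdicts are enforced. Finally, the `2379-2380 | Etcd Traffic | World` row and the `port: "22" # added for SSH Access to the nodes` example both grant access from `world`; a sentence recommending a `fromCIDR` of known administrative ranges instead of `fromEntities: world` would keep readers from copying an internet-wide rule into enforce mode.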
52 changes: 52 additions & 0 deletions
templates/addons/cilium-network-policies/ciliumNetworkPolicies.yaml
@@ -0,0 +1,52 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: ${CLUSTER_NAME}-cilium-policy | ||
data: | ||
cilium-policy.yaml: |- | ||
apiVersion: "cilium.io/v2" | ||
kind: CiliumClusterwideNetworkPolicy | ||
metadata: | ||
name: "default-cluster-policy" | ||
spec: | ||
description: "allow cluster intra cluster traffic" | ||
endpointSelector: {} | ||
ingress: | ||
- fromEntities: | ||
- cluster | ||
- fromCIDR: | ||
- 10.0.0.0/8 | ||
- 192.168.128.0/17 | ||
--- | ||
apiVersion: "cilium.io/v2" | ||
kind: CiliumClusterwideNetworkPolicy | ||
metadata: | ||
name: "default-external-policy" | ||
spec: | ||
description: "allow etcd & api server traffic" | ||
nodeSelector: {} | ||
ingress: | ||
- fromEntities: | ||
- cluster | ||
- fromCIDR: | ||
- 10.0.0.0/8 | ||
- fromEntities: | ||
- world | ||
toPorts: | ||
- ports: | ||
- port: "6443" | ||
- port: "2379" | ||
- port: "2380" | ||
--- | ||
apiVersion: addons.cluster.x-k8s.io/v1beta1 | ||
kind: ClusterResourceSet | ||
metadata: | ||
name: ${CLUSTER_NAME}-cilium-policy | ||
spec: | ||
clusterSelector: | ||
matchLabels: | ||
cluster: ${CLUSTER_NAME} | ||
resources: | ||
- kind: ConfigMap | ||
name: ${CLUSTER_NAME}-cilium-policy | ||
strategy: Reconcile |
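Review bot: `default-external-policy` lets `fromEntities: world` reach ports `2379` and `2380` on every node (`nodeSelector: {}`), so once enforcement is switched on the etcd client and peer ports are open to the internet. etcd only needs to be reachable from the API server and the other etcd members, which the preceding rule (`cluster` plus `fromCIDR: 10.0.0.0/8`, with no `toPorts` restriction) already covers; drop the two etcd ports from the `world` rule, or at minimum scope that rule to control-plane nodes with a label in `nodeSelector` and replace `world` with a `fromCIDR`. Also, none of the `toPorts` entries set `protocol`, so each port matches TCP and UDP alike; add `protocol: TCP`. The hard-coded `192.168.128.0/17` has no comment saying which network it covers; a comment or a `${...}` template variable would stop it drifting between flavors.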
@@ -0,0 +1,4 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
resources: | ||
- ciliumNetworkPolicies.yaml |
@@ -0,0 +1,51 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: ${CLUSTER_NAME}-cilium-policy | ||
data: | ||
cilium-policy.yaml: |- | ||
apiVersion: "cilium.io/v2" | ||
kind: CiliumClusterwideNetworkPolicy | ||
metadata: | ||
name: "default-cluster-policy" | ||
spec: | ||
description: "allow cluster intra cluster traffic" | ||
endpointSelector: {} | ||
ingress: | ||
- fromEntities: | ||
- cluster | ||
- fromCIDR: | ||
- 10.0.0.0/8 | ||
- 192.168.128.0/17 | ||
--- | ||
apiVersion: "cilium.io/v2" | ||
kind: CiliumClusterwideNetworkPolicy | ||
metadata: | ||
name: "default-external-policy" | ||
spec: | ||
description: "allow etcd & api server traffic" | ||
nodeSelector: {} | ||
ingress: | ||
- fromEntities: | ||
- cluster | ||
- fromCIDR: | ||
- 10.0.0.0/8 | ||
- fromEntities: | ||
- world | ||
toPorts: | ||
- ports: | ||
- port: "6443" | ||
--- | ||
apiVersion: addons.cluster.x-k8s.io/v1beta1 | ||
kind: ClusterResourceSet | ||
metadata: | ||
name: ${CLUSTER_NAME}-cilium-policy | ||
spec: | ||
clusterSelector: | ||
matchLabels: | ||
cluster: ${CLUSTER_NAME} | ||
resources: | ||
- kind: ConfigMap | ||
name: ${CLUSTER_NAME}-cilium-policy | ||
strategy: Reconcile | ||
|
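Review bot: this file is a copy of `templates/addons/cilium-network-policies/ciliumNetworkPolicies.yaml` with only the `2379`/`2380` ports removed, and the next file in the commit is identical to this one, so three copies of the same policy names and hard-coded CIDRs will now drift independently. A kustomize base under `templates/addons/cilium-network-policies` with a per-flavor patch that adds `- port: "2379"` and `- port: "2380"` only where etcd is exposed would keep a single source of truth. On the content: `default-cluster-policy` selects every pod (`endpointSelector: {}`) and admits ingress only from `cluster` and the two CIDRs, so in enforce mode a pod exposed through a NodePort or LoadBalancer stops receiving traffic from outside those ranges; if that is intended it belongs in the firewalling guide. This hunk also ends with a trailing blank line (`+1,51` versus `+1,50` for the copy that follows).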
@@ -0,0 +1,50 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: ${CLUSTER_NAME}-cilium-policy | ||
data: | ||
cilium-policy.yaml: |- | ||
apiVersion: "cilium.io/v2" | ||
kind: CiliumClusterwideNetworkPolicy | ||
metadata: | ||
name: "default-cluster-policy" | ||
spec: | ||
description: "allow cluster intra cluster traffic" | ||
endpointSelector: {} | ||
ingress: | ||
- fromEntities: | ||
- cluster | ||
- fromCIDR: | ||
- 10.0.0.0/8 | ||
- 192.168.128.0/17 | ||
--- | ||
apiVersion: "cilium.io/v2" | ||
kind: CiliumClusterwideNetworkPolicy | ||
metadata: | ||
name: "default-external-policy" | ||
spec: | ||
description: "allow etcd & api server traffic" | ||
nodeSelector: {} | ||
ingress: | ||
- fromEntities: | ||
- cluster | ||
- fromCIDR: | ||
- 10.0.0.0/8 | ||
- fromEntities: | ||
- world | ||
toPorts: | ||
- ports: | ||
- port: "6443" | ||
--- | ||
apiVersion: addons.cluster.x-k8s.io/v1beta1 | ||
kind: ClusterResourceSet | ||
metadata: | ||
name: ${CLUSTER_NAME}-cilium-policy | ||
spec: | ||
clusterSelector: | ||
matchLabels: | ||
cluster: ${CLUSTER_NAME} | ||
resources: | ||
- kind: ConfigMap | ||
name: ${CLUSTER_NAME}-cilium-policy | ||
strategy: Reconcile |
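Review bot: `default-external-policy` uses `nodeSelector: {}`, so the `world` to `6443` rule is installed on worker nodes as well as control-plane nodes, even though only the control plane serves the API; selecting control-plane nodes by label in `nodeSelector` would keep worker hosts closed to `world` entirely. As in the other two copies, the `6443` entry sets no `protocol`, so it matches UDP as well as TCP; add `protocol: TCP`. The remaining points for this file (duplicated CIDRs and policy names across flavors, the effect of `endpointSelector: {}` on externally exposed pods) are the same as for the preceding copy.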