

add custom firewall rules for konnectivity and dns based loadbalancin…
…g flavors
eljohnson92 committed Oct 3, 2024
1 parent c3f0c1a commit 6c38146
Showing 5 changed files with 207 additions and 1 deletion.
52 changes: 52 additions & 0 deletions templates/flavors/k3s/dns-loadbalancing/kustomization.yaml
Expand Up @@ -20,3 +20,55 @@ patches:
dnsUniqueIdentifier: ${DNS_UNIQUE_ID}
dnsProvider: ${DNS_PROVIDER:-"linode"}
dnsSubDomainOverride: ${DNS_SUBDOMAIN_OVERRIDE:-""}
- target:
group: infrastructure.cluster.x-k8s.io
version: v1alpha2
kind: LinodeFirewall
patch: |-
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: LinodeFirewall
metadata:
name: ${CLUSTER_NAME}
spec:
inboundRules:
- action: ACCEPT
label: intra-cluster-tcp
ports: "1-65535"
protocol: "TCP"
addresses:
ipv4:
- "10.0.0.0/8"
description: accept all tcp traffic within the vpc
- action: ACCEPT
label: intra-cluster-udp
ports: "1-65535"
protocol: "UDP"
addresses:
ipv4:
- "10.0.0.0/8"
description: accept all udp traffic within the vpc
- action: ACCEPT
label: intra-cluster-icmp
protocol: "ICMP"
addresses:
ipv4:
- "10.0.0.0/8"
description: accept all icmp traffic within the vpc
- action: ACCEPT
addresses:
ipv4:
- 0.0.0.0/0
ipv6:
- ::/0
ports: "${APISERVER_PORT:=6443}"
protocol: TCP
label: inbound-api-server
description: accept all api server and konnectivity related traffic from nodebalancers
- action: ACCEPT
addresses:
ipv4:
- 192.168.255.0/24
ports: 30000-32767
protocol: TCP
label: accept-NodeBalancer
description: accept traffic from the entire NodeBalancer CIDR to the NodePort service range
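Review bot: The inbound-api-server rule near the end of the hunk accepts `${APISERVER_PORT:=6443}` from `0.0.0.0/0` and `::/0`, yet its description says the traffic comes "from nodebalancers" and mentions konnectivity, which the rule's ports do not cover; the same rule and description appear in the kubeadm and rke2 dns-loadbalancing sections. If the DNS-based flavor deliberately exposes the API server to any source because clients resolve node addresses directly, the description should say so, e.g. `description: accept api server traffic from any address (DNS-based load balancing has no NodeBalancer in front of the control plane)`; otherwise the source list should be narrowed. The three intra-cluster rules likewise accept every TCP and UDP port plus ICMP from all of 10.0.0.0/8 while describing the scope as "within the vpc"; a /8 is wider than one VPC subnet, so if the template has the subnet CIDR as a variable (placeholder: `${VPC_SUBNET_CIDR}`) that would be the more precise source. Whether the trailing accept-NodeBalancer rule is needed in a flavor that front-ends the API server with DNS depends on whether the flavor still provisions NodeBalancers for LoadBalancer Services, which this hunk does not show. The `patches:` list this entry belongs to begins above the hunk.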
52 changes: 52 additions & 0 deletions templates/flavors/kubeadm/dns-loadbalancing/kustomization.yaml
Expand Up @@ -20,3 +20,55 @@ patches:
dnsUniqueIdentifier: ${DNS_UNIQUE_ID}
dnsProvider: ${DNS_PROVIDER:-"linode"}
dnsSubDomainOverride: ${DNS_SUBDOMAIN_OVERRIDE:-""}
- target:
group: infrastructure.cluster.x-k8s.io
version: v1alpha2
kind: LinodeFirewall
patch: |-
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: LinodeFirewall
metadata:
name: ${CLUSTER_NAME}
spec:
inboundRules:
- action: ACCEPT
label: intra-cluster-tcp
ports: "1-65535"
protocol: "TCP"
addresses:
ipv4:
- "10.0.0.0/8"
description: accept all tcp traffic within the vpc
- action: ACCEPT
label: intra-cluster-udp
ports: "1-65535"
protocol: "UDP"
addresses:
ipv4:
- "10.0.0.0/8"
description: accept all udp traffic within the vpc
- action: ACCEPT
label: intra-cluster-icmp
protocol: "ICMP"
addresses:
ipv4:
- "10.0.0.0/8"
description: accept all icmp traffic within the vpc
- action: ACCEPT
addresses:
ipv4:
- 0.0.0.0/0
ipv6:
- ::/0
ports: "${APISERVER_PORT:=6443}}"
protocol: TCP
label: inbound-api-server
description: accept all api server and konnectivity related traffic from nodebalancers
- action: ACCEPT
addresses:
ipv4:
- 192.168.255.0/24
ports: 30000-32767
protocol: TCP
label: accept-NodeBalancer
description: accept traffic from the entire NodeBalancer CIDR to the NodePort service range
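Review bot: `ports: "${APISERVER_PORT:=6443}}"` in the inbound-api-server rule carries a stray closing brace, so after substitution the value reads `6443}` instead of `6443`, which is not a valid port specification and would presumably make the firewall patch for this flavor fail to apply; the k3s and rke2 sections spell the same line without the extra brace. Change it to `ports: "${APISERVER_PORT:=6443}"`. A check that renders each flavor and compares the resulting `ports` strings against the expected form would catch this kind of typo before it diverges between flavors.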
50 changes: 50 additions & 0 deletions templates/flavors/kubeadm/konnectivity/kustomization.yaml
Expand Up @@ -115,3 +115,53 @@ patches:
toPorts:
- ports:
- port: "${KONNECTIVITY_PORT:=8132}"
- target:
group: infrastructure.cluster.x-k8s.io
version: v1alpha2
kind: LinodeFirewall
patch: |-
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: LinodeFirewall
metadata:
name: ${CLUSTER_NAME}
spec:
inboundRules:
- action: ACCEPT
label: intra-cluster-tcp
ports: "1-65535"
protocol: "TCP"
addresses:
ipv4:
- "10.0.0.0/8"
description: accept all tcp traffic within the vpc
- action: ACCEPT
label: intra-cluster-udp
ports: "1-65535"
protocol: "UDP"
addresses:
ipv4:
- "10.0.0.0/8"
description: accept all udp traffic within the vpc
- action: ACCEPT
label: intra-cluster-icmp
protocol: "ICMP"
addresses:
ipv4:
- "10.0.0.0/8"
description: accept all icmp traffic within the vpc
- action: ACCEPT
addresses:
ipv4:
- 192.168.255.0/24
ports: "${APISERVER_PORT:=6443}, ${KONNECTIVITY_PORT:=8132}"
protocol: TCP
label: inbound-api-server
description: accept all api server and konnectivity related traffic from nodebalancers
- action: ACCEPT
addresses:
ipv4:
- 192.168.255.0/24
ports: 30000-32767
protocol: TCP
label: accept-NodeBalancer
description: accept traffic from the entire NodeBalancer CIDR to the NodePort service range
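Review bot: `ports: 30000-32767` in the accept-NodeBalancer rule is the only unquoted port value in the rule set, next to `"1-65535"` and the quoted templated ports above it; it parses as a string today, but writing it as `ports: "30000-32767"` keeps the rule set uniform and protects the field if the value is later changed to a single number or a template variable. The same unquoted value appears in the accept-NodeBalancer rule of the three dns-loadbalancing sections. The policy these ACCEPT rules apply against is not set in this patch, so whether unmatched inbound traffic is dropped depends on the base LinodeFirewall resource, which is outside the hunk; a comment on the patch such as `# NOTE: inboundPolicy is not set here — confirm the base LinodeFirewall's default policy` would make that dependency visible to the next editor.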
52 changes: 52 additions & 0 deletions templates/flavors/rke2/dns-loadbalancing/kustomization.yaml
Expand Up @@ -20,3 +20,55 @@ patches:
dnsUniqueIdentifier: ${DNS_UNIQUE_ID}
dnsProvider: ${DNS_PROVIDER:-"linode"}
dnsSubDomainOverride: ${DNS_SUBDOMAIN_OVERRIDE:-""}
- target:
group: infrastructure.cluster.x-k8s.io
version: v1alpha2
kind: LinodeFirewall
patch: |-
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: LinodeFirewall
metadata:
name: ${CLUSTER_NAME}
spec:
inboundRules:
- action: ACCEPT
label: intra-cluster-tcp
ports: "1-65535"
protocol: "TCP"
addresses:
ipv4:
- "10.0.0.0/8"
description: accept all tcp traffic within the vpc
- action: ACCEPT
label: intra-cluster-udp
ports: "1-65535"
protocol: "UDP"
addresses:
ipv4:
- "10.0.0.0/8"
description: accept all udp traffic within the vpc
- action: ACCEPT
label: intra-cluster-icmp
protocol: "ICMP"
addresses:
ipv4:
- "10.0.0.0/8"
description: accept all icmp traffic within the vpc
- action: ACCEPT
addresses:
ipv4:
- 0.0.0.0/0
ipv6:
- ::/0
ports: "${APISERVER_PORT:=6443}"
protocol: TCP
label: inbound-api-server
description: accept all api server and konnectivity related traffic from nodebalancers
- action: ACCEPT
addresses:
ipv4:
- 192.168.255.0/24
ports: 30000-32767
protocol: TCP
label: accept-NodeBalancer
description: accept traffic from the entire NodeBalancer CIDR to the NodePort service range
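--- a/templates/infra/linodeFirewall.yaml
+++ b/templates/infra/linodeFirewall.yaml
@@ -38,7 +38,7 @@ spec:
 addresses:
 ipv4:
 - 192.168.255.0/24
-ports: "6443"
+ports: "${APISERVER_PORT:=6443}"
 protocol: TCP
 label: inbound-api-server
 description: accept all api server related traffic from nodebalancers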

