diff --git a/templates/flavors/k3s/dns-loadbalancing/kustomization.yaml b/templates/flavors/k3s/dns-loadbalancing/kustomization.yaml
index dcee992b1..1c889dc7f 100644
--- a/templates/flavors/k3s/dns-loadbalancing/kustomization.yaml
+++ b/templates/flavors/k3s/dns-loadbalancing/kustomization.yaml
@@ -20,3 +20,55 @@ patches:
 dnsUniqueIdentifier: ${DNS_UNIQUE_ID}
 dnsProvider: ${DNS_PROVIDER:-"linode"}
 dnsSubDomainOverride: ${DNS_SUBDOMAIN_OVERRIDE:-""}
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeFirewall
+ patch: |-
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ spec:
+ inboundRules:
+ - action: ACCEPT
+ label: intra-cluster-tcp
+ ports: "1-65535"
+ protocol: "TCP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all tcp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-udp
+ ports: "1-65535"
+ protocol: "UDP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all udp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-icmp
+ protocol: "ICMP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all icmp traffic within the vpc
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 0.0.0.0/0
+ ipv6:
+ - ::/0
+ ports: "${APISERVER_PORT:=6443}"
+ protocol: TCP
+ label: inbound-api-server
+ description: accept all api server and konnectivity related traffic from nodebalancers
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 192.168.255.0/24
+ ports: 30000-32767
+ protocol: TCP
+ label: accept-NodeBalancer
+ description: accept traffic from the entire NodeBalancer CIDR to the NodePort service range
\ No newline at end of file
diff --git a/templates/flavors/kubeadm/dns-loadbalancing/kustomization.yaml b/templates/flavors/kubeadm/dns-loadbalancing/kustomization.yaml
index dcee992b1..e7de61030 100644
--- a/templates/flavors/kubeadm/dns-loadbalancing/kustomization.yaml
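Review bot: The `inbound-api-server` rule in this patch accepts from `0.0.0.0/0` and `::/0`, yet its description still reads "from nodebalancers", while the same rule in templates/infra/linodeFirewall.yaml and in the konnectivity patch is scoped to 192.168.255.0/24. If the intent is that, with no NodeBalancer in front of the API server in this flavor, clients must reach `${APISERVER_PORT}` directly, record that above the patch, e.g. `# dns-loadbalancing has no NodeBalancer in front of the API server, so the API port is opened to any source`, and change the description to `description: accept api server traffic from any source (no NodeBalancer in this flavor)`. The `accept-NodeBalancer` NodePort rule is nevertheless kept, which does not obviously fit a flavor without a NodeBalancer; if it is intentional a comment would help. The identical kubeadm and rke2 dns-loadbalancing hunks have the same points, and the k3s and rke2 files are written without a trailing newline (`\ No newline at end of file`), unlike the kubeadm one.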
+++ b/templates/flavors/kubeadm/dns-loadbalancing/kustomization.yaml
@@ -20,3 +20,55 @@ patches:
 dnsUniqueIdentifier: ${DNS_UNIQUE_ID}
 dnsProvider: ${DNS_PROVIDER:-"linode"}
 dnsSubDomainOverride: ${DNS_SUBDOMAIN_OVERRIDE:-""}
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeFirewall
+ patch: |-
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ spec:
+ inboundRules:
+ - action: ACCEPT
+ label: intra-cluster-tcp
+ ports: "1-65535"
+ protocol: "TCP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all tcp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-udp
+ ports: "1-65535"
+ protocol: "UDP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all udp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-icmp
+ protocol: "ICMP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all icmp traffic within the vpc
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 0.0.0.0/0
+ ipv6:
+ - ::/0
+ ports: "${APISERVER_PORT:=6443}}"
+ protocol: TCP
+ label: inbound-api-server
+ description: accept all api server and konnectivity related traffic from nodebalancers
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 192.168.255.0/24
+ ports: 30000-32767
+ protocol: TCP
+ label: accept-NodeBalancer
+ description: accept traffic from the entire NodeBalancer CIDR to the NodePort service range
diff --git a/templates/flavors/kubeadm/konnectivity/kustomization.yaml b/templates/flavors/kubeadm/konnectivity/kustomization.yaml
index e5744c655..26d881178 100644
--- a/templates/flavors/kubeadm/konnectivity/kustomization.yaml
+++ b/templates/flavors/kubeadm/konnectivity/kustomization.yaml
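Review bot: `ports: "${APISERVER_PORT:=6443}}"` in the `inbound-api-server` rule has a stray closing brace; after clusterctl substitution the value becomes `6443}`, which is not a valid port specification and will presumably be rejected when the firewall is created, leaving the API server port closed in this flavor. It should read `ports: "${APISERVER_PORT:=6443}"`, as in the k3s and rke2 variants of the same patch, which are otherwise byte-identical to this one. Rendering each flavor's templates once in CI would catch this class of typo before it reaches a cluster.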
@@ -115,3 +115,53 @@ patches:
 toPorts:
 - ports:
 - port: "${KONNECTIVITY_PORT:=8132}"
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeFirewall
+ patch: |-
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ spec:
+ inboundRules:
+ - action: ACCEPT
+ label: intra-cluster-tcp
+ ports: "1-65535"
+ protocol: "TCP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all tcp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-udp
+ ports: "1-65535"
+ protocol: "UDP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all udp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-icmp
+ protocol: "ICMP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all icmp traffic within the vpc
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 192.168.255.0/24
+ ports: "${APISERVER_PORT:=6443}, ${KONNECTIVITY_PORT:=8132}"
+ protocol: TCP
+ label: inbound-api-server
+ description: accept all api server and konnectivity related traffic from nodebalancers
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 192.168.255.0/24
+ ports: 30000-32767
+ protocol: TCP
+ label: accept-NodeBalancer
+ description: accept traffic from the entire NodeBalancer CIDR to the NodePort service range
diff --git a/templates/flavors/rke2/dns-loadbalancing/kustomization.yaml b/templates/flavors/rke2/dns-loadbalancing/kustomization.yaml
index dcee992b1..1c889dc7f 100644
--- a/templates/flavors/rke2/dns-loadbalancing/kustomization.yaml
+++ b/templates/flavors/rke2/dns-loadbalancing/kustomization.yaml
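Review bot: Nothing in this patch says that it replaces the entire `inboundRules` list of templates/infra/linodeFirewall.yaml rather than adding the konnectivity port to one rule; kustomize has no merge key for this CRD list, so the patch appears to overwrite it, which is why every intra-cluster and NodePort rule from the base is restated here. A comment above `- target:` such as `# Replaces the whole inboundRules list of templates/infra/linodeFirewall.yaml; keep the two in sync` would make that maintenance obligation explicit to whoever next edits the base rules. Quoting is also inconsistent within the patch: `protocol: "TCP"` and `"10.0.0.0/8"` are quoted while `protocol: TCP` and `192.168.255.0/24` are not, and `label: accept-NodeBalancer` mixes case where every other label is lowercase. The same inconsistencies appear in the three dns-loadbalancing patches.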
@@ -20,3 +20,55 @@ patches:
 dnsUniqueIdentifier: ${DNS_UNIQUE_ID}
 dnsProvider: ${DNS_PROVIDER:-"linode"}
 dnsSubDomainOverride: ${DNS_SUBDOMAIN_OVERRIDE:-""}
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeFirewall
+ patch: |-
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ spec:
+ inboundRules:
+ - action: ACCEPT
+ label: intra-cluster-tcp
+ ports: "1-65535"
+ protocol: "TCP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all tcp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-udp
+ ports: "1-65535"
+ protocol: "UDP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all udp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-icmp
+ protocol: "ICMP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all icmp traffic within the vpc
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 0.0.0.0/0
+ ipv6:
+ - ::/0
+ ports: "${APISERVER_PORT:=6443}"
+ protocol: TCP
+ label: inbound-api-server
+ description: accept all api server and konnectivity related traffic from nodebalancers
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 192.168.255.0/24
+ ports: 30000-32767
+ protocol: TCP
+ label: accept-NodeBalancer
+ description: accept traffic from the entire NodeBalancer CIDR to the NodePort service range
\ No newline at end of file
diff --git a/templates/infra/linodeFirewall.yaml b/templates/infra/linodeFirewall.yaml
index 8cc92a9bd..6e8d9e8a4 100644
--- a/templates/infra/linodeFirewall.yaml
+++ b/templates/infra/linodeFirewall.yaml
@@ -38,7 +38,7 @@ spec:
 addresses:
 ipv4:
 - 192.168.255.0/24
- ports: "6443"
+ ports: "${APISERVER_PORT:=6443}"
 protocol: TCP
 label: inbound-api-server
 description: accept all api server related traffic from nodebalancers