From 6c38146b45e18d624a8c9b99b3b487375a86a5e6 Mon Sep 17 00:00:00 2001
From: Evan Johnson
Date: Thu, 3 Oct 2024 15:07:00 -0400
Subject: [PATCH] add custom firewall rules for konnectivity and dns based loadbalancing flavors
---
.../k3s/dns-loadbalancing/kustomization.yaml | 52 +++++++++++++++++++
.../dns-loadbalancing/kustomization.yaml | 52 +++++++++++++++++++
.../kubeadm/konnectivity/kustomization.yaml | 50 ++++++++++++++++++
.../rke2/dns-loadbalancing/kustomization.yaml | 52 +++++++++++++++++++
templates/infra/linodeFirewall.yaml | 2 +-
5 files changed, 207 insertions(+), 1 deletion(-)
diff --git a/templates/flavors/k3s/dns-loadbalancing/kustomization.yaml b/templates/flavors/k3s/dns-loadbalancing/kustomization.yaml
index dcee992b1..1c889dc7f 100644
--- a/templates/flavors/k3s/dns-loadbalancing/kustomization.yaml
+++ b/templates/flavors/k3s/dns-loadbalancing/kustomization.yaml
@@ -20,3 +20,55 @@ patches: dnsUniqueIdentifier: ${DNS_UNIQUE_ID} dnsProvider: ${DNS_PROVIDER:-"linode"} dnsSubDomainOverride: ${DNS_SUBDOMAIN_OVERRIDE:-""}
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeFirewall
+ patch: |-
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ spec:
+ inboundRules:
+ - action: ACCEPT
+ label: intra-cluster-tcp
+ ports: "1-65535"
+ protocol: "TCP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all tcp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-udp
+ ports: "1-65535"
+ protocol: "UDP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all udp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-icmp
+ protocol: "ICMP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all icmp traffic within the vpc
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 0.0.0.0/0
+ ipv6:
+ - ::/0
+ ports: "${APISERVER_PORT:=6443}"
+ protocol: TCP
+ label: inbound-api-server
+ description: accept all api server and konnectivity related traffic from nodebalancers
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 192.168.255.0/24
+ ports: 30000-32767
+ protocol: TCP
+ label: accept-NodeBalancer
+ description: accept traffic from the entire NodeBalancer CIDR to the NodePort service range
\ No newline at end of file
diff --git a/templates/flavors/kubeadm/dns-loadbalancing/kustomization.yaml b/templates/flavors/kubeadm/dns-loadbalancing/kustomization.yaml
index dcee992b1..e7de61030 100644
--- a/templates/flavors/kubeadm/dns-loadbalancing/kustomization.yaml
+++ b/templates/flavors/kubeadm/dns-loadbalancing/kustomization.yaml
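Review bot: The `inbound-api-server` rule in this hunk opens `${APISERVER_PORT:=6443}` to `0.0.0.0/0` and `::/0`, yet its description still reads "accept all api server and konnectivity related traffic from nodebalancers" — the sources are not NodeBalancers and the rule carries no konnectivity port, so the text was presumably copied from the konnectivity flavor. If a world-reachable control-plane port is intended for DNS-based load balancing, say so where a reader will see it, e.g. `description: accept API server traffic from any source; DNS-based load balancing exposes the control plane directly`, so the exposure reads as a deliberate design choice rather than a copy-paste error, and consider whether an operator-settable source allow-list would be appropriate here. The same description mismatch is in the kubeadm and rke2 dns-loadbalancing hunks. Separately, this file and the rke2 one end with `\ No newline at end of file` while the kubeadm variant has a trailing newline.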
@@ -20,3 +20,55 @@ patches: dnsUniqueIdentifier: ${DNS_UNIQUE_ID} dnsProvider: ${DNS_PROVIDER:-"linode"} dnsSubDomainOverride: ${DNS_SUBDOMAIN_OVERRIDE:-""}
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeFirewall
+ patch: |-
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ spec:
+ inboundRules:
+ - action: ACCEPT
+ label: intra-cluster-tcp
+ ports: "1-65535"
+ protocol: "TCP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all tcp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-udp
+ ports: "1-65535"
+ protocol: "UDP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all udp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-icmp
+ protocol: "ICMP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all icmp traffic within the vpc
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 0.0.0.0/0
+ ipv6:
+ - ::/0
+ ports: "${APISERVER_PORT:=6443}}"
+ protocol: TCP
+ label: inbound-api-server
+ description: accept all api server and konnectivity related traffic from nodebalancers
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 192.168.255.0/24
+ ports: 30000-32767
+ protocol: TCP
+ label: accept-NodeBalancer
+ description: accept traffic from the entire NodeBalancer CIDR to the NodePort service range
diff --git a/templates/flavors/kubeadm/konnectivity/kustomization.yaml b/templates/flavors/kubeadm/konnectivity/kustomization.yaml
index e5744c655..26d881178 100644
--- a/templates/flavors/kubeadm/konnectivity/kustomization.yaml
+++ b/templates/flavors/kubeadm/konnectivity/kustomization.yaml
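Review bot: `ports: "${APISERVER_PORT:=6443}}"` in the `inbound-api-server` rule has a stray closing brace; after variable substitution the value becomes `6443}`, which is not a valid port specification, so this rule — and likely the whole LinodeFirewall for the kubeadm dns-loadbalancing flavor — will be rejected rather than opening the API server port. The k3s and rke2 variants of the same rule read `ports: "${APISERVER_PORT:=6443}"`, which is what this line should be. A render-and-validate step for the flavor templates in CI would have caught this, since the three copies are otherwise identical.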
@@ -115,3 +115,53 @@ patches: toPorts: - ports: - port: "${KONNECTIVITY_PORT:=8132}"
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeFirewall
+ patch: |-
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ spec:
+ inboundRules:
+ - action: ACCEPT
+ label: intra-cluster-tcp
+ ports: "1-65535"
+ protocol: "TCP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all tcp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-udp
+ ports: "1-65535"
+ protocol: "UDP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all udp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-icmp
+ protocol: "ICMP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all icmp traffic within the vpc
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 192.168.255.0/24
+ ports: "${APISERVER_PORT:=6443}, ${KONNECTIVITY_PORT:=8132}"
+ protocol: TCP
+ label: inbound-api-server
+ description: accept all api server and konnectivity related traffic from nodebalancers
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 192.168.255.0/24
+ ports: 30000-32767
+ protocol: TCP
+ label: accept-NodeBalancer
+ description: accept traffic from the entire NodeBalancer CIDR to the NodePort service range
diff --git a/templates/flavors/rke2/dns-loadbalancing/kustomization.yaml b/templates/flavors/rke2/dns-loadbalancing/kustomization.yaml
index dcee992b1..1c889dc7f 100644
--- a/templates/flavors/rke2/dns-loadbalancing/kustomization.yaml
+++ b/templates/flavors/rke2/dns-loadbalancing/kustomization.yaml
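Review bot: The combined `ports: "${APISERVER_PORT:=6443}, ${KONNECTIVITY_PORT:=8132}"` carries a space after the comma, and nothing in the template shows that the firewall API accepts whitespace inside a port list; `ports: "${APISERVER_PORT:=6443},${KONNECTIVITY_PORT:=8132}"` avoids the question entirely. Quoting is also mixed within one patch body — `protocol: "TCP"` and `ports: "1-65535"` in the intra-cluster rules versus `protocol: TCP` and `ports: 30000-32767` in the NodeBalancer rules; every one of these parses as a string, but a single style file-wide reads better. The same quoting mix appears in the three dns-loadbalancing hunks, which share this rule block verbatim apart from the `inbound-api-server` sources.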
@@ -20,3 +20,55 @@ patches: dnsUniqueIdentifier: ${DNS_UNIQUE_ID} dnsProvider: ${DNS_PROVIDER:-"linode"} dnsSubDomainOverride: ${DNS_SUBDOMAIN_OVERRIDE:-""}
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeFirewall
+ patch: |-
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ spec:
+ inboundRules:
+ - action: ACCEPT
+ label: intra-cluster-tcp
+ ports: "1-65535"
+ protocol: "TCP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all tcp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-udp
+ ports: "1-65535"
+ protocol: "UDP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all udp traffic within the vpc
+ - action: ACCEPT
+ label: intra-cluster-icmp
+ protocol: "ICMP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ description: accept all icmp traffic within the vpc
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 0.0.0.0/0
+ ipv6:
+ - ::/0
+ ports: "${APISERVER_PORT:=6443}"
+ protocol: TCP
+ label: inbound-api-server
+ description: accept all api server and konnectivity related traffic from nodebalancers
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 192.168.255.0/24
+ ports: 30000-32767
+ protocol: TCP
+ label: accept-NodeBalancer
+ description: accept traffic from the entire NodeBalancer CIDR to the NodePort service range
\ No newline at end of file
diff --git a/templates/infra/linodeFirewall.yaml b/templates/infra/linodeFirewall.yaml
index 8cc92a9bd..6e8d9e8a4 100644
--- a/templates/infra/linodeFirewall.yaml
+++ b/templates/infra/linodeFirewall.yaml
@@ -38,7 +38,7 @@ spec: addresses: ipv4: - 192.168.255.0/24
- ports: "6443"
+ ports: "${APISERVER_PORT:=6443}" protocol: TCP label: inbound-api-server description: accept all api server related traffic from nodebalancers