diff --git a/templates/flavors/k3s/full-vpcless/kustomization.yaml b/templates/flavors/k3s/full-vpcless/kustomization.yaml
index c7610c58a..3f511cb93 100644
--- a/templates/flavors/k3s/full-vpcless/kustomization.yaml
+++ b/templates/flavors/k3s/full-vpcless/kustomization.yaml
@@ -163,3 +163,18 @@ patches:
 - sed -i '/swap/d' /etc/fstab
 - swapoff -a
 - hostnamectl set-hostname '{{ ds.meta_data.label }}' && hostname -F /etc/hostname
+ - target:
+ kind: LinodeFirewall
+ patch: |-
+ $patch: delete
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeMachineTemplate
+ patch: |-
+ - op: remove
+ path: /spec/template/spec/firewallRef
diff --git a/templates/flavors/k3s/vpcless/kustomization.yaml b/templates/flavors/k3s/vpcless/kustomization.yaml
index e3b7d9162..a25f6d126 100644
--- a/templates/flavors/k3s/vpcless/kustomization.yaml
+++ b/templates/flavors/k3s/vpcless/kustomization.yaml
@@ -100,3 +100,18 @@ patches:
 enabled: true
 ui:
 enabled: true
+ - target:
+ kind: LinodeFirewall
+ patch: |-
+ $patch: delete
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeMachineTemplate
+ patch: |-
+ - op: remove
+ path: /spec/template/spec/firewallRef
diff --git a/templates/flavors/kubeadm/full-vpcless/kustomization.yaml b/templates/flavors/kubeadm/full-vpcless/kustomization.yaml
index 743ea222f..3cf8c0523 100644
--- a/templates/flavors/kubeadm/full-vpcless/kustomization.yaml
+++ b/templates/flavors/kubeadm/full-vpcless/kustomization.yaml
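Review bot: The two new patch entries in the k3s/full-vpcless hunk select their targets inconsistently: the `$patch: delete` entry matches on `kind: LinodeFirewall` alone, while the firewallRef removal pins `group: infrastructure.cluster.x-k8s.io` and `version: v1alpha2` as well. Adding the same `group` and `version` lines to the first `target:` keeps the two selectors in one form and makes the match explicit should another API version of LinodeFirewall ever exist in the same build. The identical pair of entries is repeated in the hunks for k3s/vpcless, kubeadm/full-vpcless, kubeadm/vpcless, rke2/full-vpcless and rke2/vpcless and should be aligned the same way. The `patches:` list these entries extend begins outside the hunk.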
@@ -190,3 +190,18 @@ patches:
 maxRetry: 5
 retryPeriod: 2m
 minHealthyPeriod: 2h
+ - target:
+ kind: LinodeFirewall
+ patch: |-
+ $patch: delete
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeMachineTemplate
+ patch: |-
+ - op: remove
+ path: /spec/template/spec/firewallRef
diff --git a/templates/flavors/kubeadm/vpcless/kustomization.yaml b/templates/flavors/kubeadm/vpcless/kustomization.yaml
index a7d3cce0b..e94c95497 100644
--- a/templates/flavors/kubeadm/vpcless/kustomization.yaml
+++ b/templates/flavors/kubeadm/vpcless/kustomization.yaml
@@ -117,3 +117,18 @@ patches:
 patch: |-
 - op: remove
 path: /spec/kubeadmConfigSpec/initConfiguration/skipPhases
+ - target:
+ kind: LinodeFirewall
+ patch: |-
+ $patch: delete
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeMachineTemplate
+ patch: |-
+ - op: remove
+ path: /spec/template/spec/firewallRef
diff --git a/templates/flavors/rke2/full-vpcless/kustomization.yaml b/templates/flavors/rke2/full-vpcless/kustomization.yaml
index fa5fd1a5e..e3e2159a7 100644
--- a/templates/flavors/rke2/full-vpcless/kustomization.yaml
+++ b/templates/flavors/rke2/full-vpcless/kustomization.yaml
@@ -71,3 +71,11 @@ patches:
 device: /dev/sdc
 mounts:
 - ["/dev/sdc", "/var/lib/etcd_data"]
+ - target:
+ kind: LinodeFirewall
+ patch: |-
+ $patch: delete
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
diff --git a/templates/flavors/rke2/vpcless/kustomization.yaml b/templates/flavors/rke2/vpcless/kustomization.yaml
index 213f1d3cf..669a391bb 100644
--- a/templates/flavors/rke2/vpcless/kustomization.yaml
+++ b/templates/flavors/rke2/vpcless/kustomization.yaml
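Review bot: The rke2/full-vpcless hunk deletes the LinodeFirewall but, unlike every other vpcless flavor in this commit, does not also remove `/spec/template/spec/firewallRef` from the LinodeMachineTemplate, so the rendered machine templates in that flavor would still reference a firewall object the same overlay deletes. Unless an earlier patch in this file already replaces or strips that field (the start of the `patches:` list is outside the hunk), the second entry used by the sibling flavors should be appended here too: `- target:` with `group: infrastructure.cluster.x-k8s.io`, `version: v1alpha2`, `kind: LinodeMachineTemplate`, and a `patch: |-` carrying `- op: remove` / `path: /spec/template/spec/firewallRef`. The rendered output of this flavor is the quickest way to confirm whether the dangling ref is real.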
@@ -90,3 +90,18 @@ patches:
 - sed -i '/swap/d' /etc/fstab
 - swapoff -a
 - hostnamectl set-hostname '{{ ds.meta_data.label }}' && hostname -F /etc/hostname
+ - target:
+ kind: LinodeFirewall
+ patch: |-
+ $patch: delete
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ metadata:
+ name: ${CLUSTER_NAME}
+ - target:
+ group: infrastructure.cluster.x-k8s.io
+ version: v1alpha2
+ kind: LinodeMachineTemplate
+ patch: |-
+ - op: remove
+ path: /spec/template/spec/firewallRef
diff --git a/templates/infra/kustomization.yaml b/templates/infra/kustomization.yaml
index 257e0bd01..7eb15ae66 100644
--- a/templates/infra/kustomization.yaml
+++ b/templates/infra/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - linodeMachineTemplate.yaml
 - machineDeployment.yaml
 - secret.yaml
+ - linodeFirewall.yaml
diff --git a/templates/infra/linodeFirewall.yaml b/templates/infra/linodeFirewall.yaml
new file mode 100644
index 000000000..3d39a2b2d
--- /dev/null
+++ b/templates/infra/linodeFirewall.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+kind: LinodeFirewall
+metadata:
+ labels:
+ cluster.x-k8s.io/cluster-name: ${CLUSTER_NAME}
+ name: ${CLUSTER_NAME}
+spec:
+ enabled: ${LINODE_FIREWALL_ENABLED:=false}
+ inboundPolicy: DROP
+ inboundRules:
+ - action: ACCEPT
+ label: intra-cluster
+ ports: "1-65535"
+ protocol: "TCP"
+ addresses:
+ ipv4:
+ - "10.0.0.0/8"
+ - action: ACCEPT
+ addresses:
+ ipv4:
+ - 0.0.0.0/0
+ ipv6:
+ - ::/0
+ ports: "6443"
+ protocol: TCP
+ label: inbound-api-server
diff --git a/templates/infra/linodeMachineTemplate.yaml b/templates/infra/linodeMachineTemplate.yaml
index 38b9cd634..586c37293 100644
--- a/templates/infra/linodeMachineTemplate.yaml
+++ b/templates/infra/linodeMachineTemplate.yaml
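Review bot: In the new linodeFirewall.yaml the `intra-cluster` rule admits only `protocol: "TCP"` from `"10.0.0.0/8"`, so under `inboundPolicy: DROP` any UDP or ICMP traffic between nodes is dropped once `LINODE_FIREWALL_ENABLED` is set to `true`; whether the CNI and other node-to-node components used by these flavors need UDP cannot be determined from this diff, and if they do a parallel rule for the same address block is required. The `ports: "6443"` rule is open to `0.0.0.0/0` and `::/0`, which is the expected shape for a publicly reachable API server but warrants a comment stating that intent, and `enabled` defaulting to `false` means the object is created yet enforces nothing by default, which also deserves a one-line comment beside it. Quoting is inconsistent within the file (`"TCP"` vs `TCP`, `"10.0.0.0/8"` vs `0.0.0.0/0`, and `::/0` unquoted although it starts with a YAML indicator); quote all CIDRs and protocol values the same way and keep the key order of the two rules identical so they diff cleanly.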
@@ -9,6 +9,10 @@ spec:
 image: ${LINODE_OS:="linode/ubuntu22.04"}
 type: ${LINODE_CONTROL_PLANE_MACHINE_TYPE}
 region: ${LINODE_REGION}
+ firewallRef:
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ name: ${CLUSTER_NAME}
 # diskEncryption: disabled
 interfaces:
 - purpose: public
@@ -26,6 +30,10 @@ spec:
 image: ${LINODE_OS:="linode/ubuntu22.04"}
 type: ${LINODE_MACHINE_TYPE}
 region: ${LINODE_REGION}
+ firewallRef:
+ apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+ kind: LinodeFirewall
+ name: ${CLUSTER_NAME}
 # diskEncryption: disabled
 interfaces:
 - purpose: public
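Review bot: Both hunks add an identical `firewallRef` block with no comment explaining that it points at the LinodeFirewall whose `spec.enabled` defaults to `false` in linodeFirewall.yaml, or that the vpcless flavor overlays strip this field with a JSON patch, so a reader of the base template sees a reference that may be inert or absent in the rendered output. A comment above each block such as `# References the cluster LinodeFirewall; removed by the vpcless flavor patches, and inert unless LINODE_FIREWALL_ENABLED=true` would save the next maintainer a grep. How the controller treats a ref to a firewall with `enabled: false` is not visible here and is worth confirming before relying on the default.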