This repository has been archived by the owner on Jun 29, 2022. It is now read-only.

packet: tighten bootstrap firewall rules
This commit adds extra filtering for cluster-internal ports, so even if
we listen on all interfaces, those ports won't be accessible from the
internet, but only from Packet private CIDR.

Later on, Calico should further tighten those rules.

SSH port 22 stays accessible from all addresses on purpose, to allow
eventual debugging if provisioning fails.

We use 10.0.0.0/8 as this is Packet private network CIDR.

Signed-off-by: Mateusz Gozdek <mateusz@kinvolk.io>
invidian committed May 25, 2020
1 parent c1f7ea9 commit 257ed36
Showing 3 changed files with 18 additions and 14 deletions.
Expand Up @@ -267,10 +267,12 @@ storage:
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 179 -j ACCEPT
-A INPUT -p tcp --dport 2379 -j ACCEPT
-A INPUT -p tcp --dport 2380 -j ACCEPT
-A INPUT -p tcp --dport 2381 -j ACCEPT
# Use 10.0.0.0/8 as this is Packet private network CIDR.
# It will be closed more tightly via Calico, which rules are easy to update.
-A INPUT -s 10.0.0.0/8 -p tcp --dport 179 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 2379 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 2380 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 2381 -j ACCEPT
-A INPUT -p tcp --dport 6443 -j ACCEPT
# With single controller node setup, the traffic from nodes to kube-apiserver may flow via either port 6443 or 7443.
# This is because --advertise-address flag of kube-apiserver defines which IP address will be added as an endpoint
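Review bot: port 6443 is the one cluster port in this hunk left unrestricted (`-A INPUT -p tcp --dport 6443 -j ACCEPT` keeps accepting from any source while 179 and 2379-2381 gain `-s 10.0.0.0/8`), and nothing in the hunk or the commit message says whether that is deliberate; if the apiserver must stay reachable from outside the private network (for kubectl access, for instance), a one-line comment next to it would save the next reader from treating it as an oversight. Two smaller points on the new comment block: `-s 10.0.0.0/8` trusts the entire /8, so the comment should say that the intent is to exclude the public Internet rather than to limit access to this cluster's own nodes, and "which rules are easy to update" should read "whose rules are easy to update".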
Expand All @@ -287,10 +289,10 @@ storage:
#
# That's why we need both port 6443 and 7443 to be opened on controller node.
%{~ if controller_count == "1" ~}
-A INPUT -p tcp --dport 7443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 7443 -j ACCEPT
%{~ endif }
-A INPUT -p tcp --dport 10250 -j ACCEPT
-A INPUT -p tcp --dport 10256 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 10250 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 10256 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
- path: /var/lib/ip6tables/rules-save
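Review bot: the comment kept in context ("That's why we need both port 6443 and 7443 to be opened on controller node") now describes two rules with different scopes, since 7443 is restricted to `-s 10.0.0.0/8` while 6443 stays open to everyone; the comment should state that 7443 only ever carries node-to-apiserver traffic so the private-CIDR restriction is sufficient there. Also worth confirming, since the trailing context shows the hunk ends right before `- path: /var/lib/ip6tables/rules-save`: the ip6tables rules file is not touched by this commit, so check that it does not still accept 10250, 10256 and 7443 from any IPv6 source, which would leave the same ports open on the v6 side that this hunk closes on the v4 side.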
Expand Up @@ -316,9 +316,11 @@ storage:
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 179 -j ACCEPT
-A INPUT -p tcp --dport 10250 -j ACCEPT
-A INPUT -p tcp --dport 10256 -j ACCEPT
# Use 10.0.0.0/8 as this is Packet private network CIDR.
# It will be closed more tightly via Calico, which rules are easy to update.
-A INPUT -s 10.0.0.0/8 -p tcp --dport 179 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 10250 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 10256 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
- path: /var/lib/ip6tables/rules-save
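Review bot: the source restriction on 179, 10250 and 10256 only matters if the INPUT chain's default policy is DROP, and the policy line for INPUT sits above this hunk (only `:OUTPUT ACCEPT [0:0]` is visible); please confirm `:INPUT DROP` is set in this file, otherwise narrowing individual ACCEPT rules changes nothing. The comment block added here is identical to the one in the controller file, including the "which rules are easy to update" wording; if both are kept, fix the grammar in both ("whose rules") so they do not drift apart.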
