Allow specifying an initial firewall ruleset. #64

Draft
wants to merge 4 commits into
base: main
43 changes: 43 additions & 0 deletions api/v2/types_firewall.go
Expand Up @@ -74,6 +74,9 @@ type FirewallSpec struct {
// EgressRules contains egress rules configured for this firewall.
EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`

// InitialRuleSet is the initial firewall ruleset applied before the firewall-controller starts running.
InitialRuleSet *InitialRuleSet `json:"initialRuleSet,omitempty"`

// Interval on which rule reconciliation by the firewall-controller should happen.
Interval string `json:"interval,omitempty"`
// DryRun if set to true, firewall rules are not applied. For devel-purposes only.
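Review bot: the doc comment on InitialRuleSet should say what happens to these rules once the firewall-controller is running (kept, replaced by the reconciled ruleset, or merged); as written, "applied before the firewall-controller starts running" leaves the lifetime of a bootstrap rule undefined, and that matters because a permissive initial rule that silently survives reconciliation widens the firewall's exposure without anything in the reconciled spec showing it. Suggest extending the comment along the lines of `// InitialRuleSet is the initial firewall ruleset applied before the firewall-controller starts running; it is replaced once the controller reconciles.` if that is the intended behaviour, or the equivalent wording if the rules are meant to persist.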
Expand Down Expand Up @@ -122,6 +125,46 @@ type FirewallTemplateSpec struct {
Spec FirewallSpec `json:"spec,omitempty"`
}

// InitialRuleSet is the initial rule set deployed on the firewall.
type InitialRuleSet struct {
// Egress rules to be deployed initially on the firewall.
Egress []EgressRule `json:"egress,omitempty"`
// Ingress rules to be deployed initially on the firewall.
Ingress []IngressRule `json:"ingress,omitempty"`
}

// NetworkProtocol represents the kind of network protocol.
type NetworkProtocol string

const (
// NetworkProtocolTCP represents tcp connections.
NetworkProtocolTCP = "TCP"
// NetworkProtocolUDP represents udp connections.
NetworkProtocolUDP = "UDP"
)

type EgressRule struct {
// Comment provides a human readable description of this rule.
Comment string `json:"comment,omitempty"`
// Ports contains all affected network ports.
Ports []int32 `json:"ports"`
// Protocol constraints the protocol this rule applies to.
Protocol NetworkProtocol `json:"protocol"`
// To source address cidrs this rule applies to.
To []string `json:"to"`
}

type IngressRule struct {
// Comment provides a human readable description of this rule.
Comment string `json:"comment,omitempty"`
// Ports contains all affected network ports.
Ports []int32 `json:"ports"`
// Protocol constraints the protocol this rule applies to.
Protocol NetworkProtocol `json:"protocol"`
// From source address cidrs this rule applies to.
From []string `json:"from"`
}

// EgressRuleSNAT holds a Source-NAT rule
type EgressRuleSNAT struct {
// NetworkID is the network for which the egress rule will be configured.
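Review bot: NetworkProtocolTCP and NetworkProtocolUDP are declared as untyped string constants, so the NetworkProtocol type gives no type safety, and neither the type nor the Protocol fields carry a validation marker, which is why the generated CRD schemas in this PR accept any string for `protocol`. Suggest `NetworkProtocolTCP NetworkProtocol = "TCP"` (same for UDP) plus `// +kubebuilder:validation:Enum=TCP;UDP` on the NetworkProtocol type, and `// +kubebuilder:validation:Minimum=1` / `// +kubebuilder:validation:Maximum=65535` on the Ports items, so the API server rejects an unknown protocol or an out-of-range port before a rule reaches a firewall that has no controller running yet to report the failure. Two smaller points: "constraints the protocol" should read "constrains the protocol" in both structs, and the comment on EgressRule.To ("To source address cidrs this rule applies to") contradicts both the field name and the generated CRD description ("To target addresses this rule applies to. May contain IPs or dns names"), which indicates the YAML was not regenerated from these comments; fix the comments, then regenerate so the Go types and the CRDs say the same thing. EgressRule and IngressRule also lack the leading doc comment that the other exported types in this file have.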
1 change: 1 addition & 0 deletions api/v2/types_utils.go
Expand Up @@ -40,6 +40,7 @@ const (
ConditionUnknown ConditionStatus = "Unknown"
)

//nolint:recvcheck
type Conditions []Condition

// NewCondition creates a new condition.
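Review bot: the `//nolint:recvcheck` directive on Conditions suppresses a linter finding that has nothing to do with the initial ruleset feature and gives no reason for the suppression. Suggest either moving it to its own commit or stating the justification inline, e.g. `//nolint:recvcheck // <reason the mixed receivers are intentional>`, so that a later reader can tell it is deliberate rather than a leftover from getting CI green.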
84 changes: 84 additions & 0 deletions api/v2/zz_generated.deepcopy.go


69 changes: 69 additions & 0 deletions config/crds/firewall.metal-stack.io_firewalldeployments.yaml
Expand Up @@ -180,6 +180,75 @@ spec:
Image is the os image of the firewall.
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
type: string
initialRuleSet:
description: InitialRuleSet is the initial firewall ruleset
applied before the firewall-controller starts running.
properties:
egress:
description: Egress rules to be deployed initially on
the firewall.
items:
properties:
comment:
description: Comment provides a human readable description
of this rule.
type: string
ports:
description: Ports contains all affected network
ports.
items:
format: int32
type: integer
type: array
protocol:
description: Protocol constraints the protocol this
rule applies to.
type: string
to:
description: To target addresses this rule applies
to. May contain IPs or dns names.
items:
type: string
type: array
required:
- ports
- protocol
- to
type: object
type: array
ingress:
description: Ingress rules to be deployed initially on
the firewall.
items:
properties:
comment:
description: Comment provides a human readable description
of this rule.
type: string
from:
description: From source addresses this rule applies
to. May contain IPs or dns names.
items:
type: string
type: array
ports:
description: Ports contains all affected network
ports.
items:
format: int32
type: integer
type: array
protocol:
description: Protocol constraints the protocol this
rule applies to.
type: string
required:
- from
- ports
- protocol
type: object
type: array
type: object
internalPrefixes:
description: |-
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.
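Review bot: `protocol` is a bare `type: string` with no `enum`, and the `ports` items have no `minimum`/`maximum`, so the API server will admit a rule with protocol `tcp` or `ICMP`, or a port of 0 or 70000, and the error only surfaces when the firewall tries to apply the bootstrap ruleset, i.e. before the firewall-controller is running to report it. Since this file is generated, the fix belongs on the Go types (validation markers on NetworkProtocol and Ports) followed by regeneration; diffing the regenerated output against what is committed here would also catch the mismatch between the `to` description ("target addresses ... IPs or dns names") and the Go comment on EgressRule.To ("source address cidrs").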
65 changes: 65 additions & 0 deletions config/crds/firewall.metal-stack.io_firewalls.yaml
Expand Up @@ -135,6 +135,71 @@ spec:
Image is the os image of the firewall.
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
type: string
initialRuleSet:
description: InitialRuleSet is the initial firewall ruleset applied
before the firewall-controller starts running.
properties:
egress:
description: Egress rules to be deployed initially on the firewall.
items:
properties:
comment:
description: Comment provides a human readable description
of this rule.
type: string
ports:
description: Ports contains all affected network ports.
items:
format: int32
type: integer
type: array
protocol:
description: Protocol constraints the protocol this rule
applies to.
type: string
to:
description: To target addresses this rule applies to. May
contain IPs or dns names.
items:
type: string
type: array
required:
- ports
- protocol
- to
type: object
type: array
ingress:
description: Ingress rules to be deployed initially on the firewall.
items:
properties:
comment:
description: Comment provides a human readable description
of this rule.
type: string
from:
description: From source addresses this rule applies to.
May contain IPs or dns names.
items:
type: string
type: array
ports:
description: Ports contains all affected network ports.
items:
format: int32
type: integer
type: array
protocol:
description: Protocol constraints the protocol this rule
applies to.
type: string
required:
- from
- ports
- protocol
type: object
type: array
type: object
internalPrefixes:
description: |-
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.
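Review bot: the `from` description on ingress rules says the list "May contain IPs or dns names". Matching ingress sources by DNS name means the name has to be resolved when the initial ruleset is rendered, and the allow rule is then pinned to whatever addresses came back at that moment; the description (and ideally the Go comment on IngressRule.From, which currently says "cidrs") should state when resolution happens and what the firewall does if a name does not resolve at boot (skip the rule, fail the boot, or something else), because an ingress allow that silently becomes empty or broader than intended is hard to notice while no controller is running to surface it.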
69 changes: 69 additions & 0 deletions config/crds/firewall.metal-stack.io_firewallsets.yaml
Expand Up @@ -172,6 +172,75 @@ spec:
Image is the os image of the firewall.
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
type: string
initialRuleSet:
description: InitialRuleSet is the initial firewall ruleset
applied before the firewall-controller starts running.
properties:
egress:
description: Egress rules to be deployed initially on
the firewall.
items:
properties:
comment:
description: Comment provides a human readable description
of this rule.
type: string
ports:
description: Ports contains all affected network
ports.
items:
format: int32
type: integer
type: array
protocol:
description: Protocol constraints the protocol this
rule applies to.
type: string
to:
description: To target addresses this rule applies
to. May contain IPs or dns names.
items:
type: string
type: array
required:
- ports
- protocol
- to
type: object
type: array
ingress:
description: Ingress rules to be deployed initially on
the firewall.
items:
properties:
comment:
description: Comment provides a human readable description
of this rule.
type: string
from:
description: From source addresses this rule applies
to. May contain IPs or dns names.
items:
type: string
type: array
ports:
description: Ports contains all affected network
ports.
items:
format: int32
type: integer
type: array
protocol:
description: Protocol constraints the protocol this
rule applies to.
type: string
required:
- from
- ports
- protocol
type: object
type: array
type: object
internalPrefixes:
description: |-
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.
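Review bot: this is the same generated schema as in the firewalls and firewalldeployments CRDs, which is expected, but note that in all three only `ports`, `protocol` and the address list are `required` while `comment` is optional. Given that these rules are applied before the controller runs and are therefore the least visible holes in the firewall, consider whether `comment` should be required, or at least documented as strongly recommended, so that every bootstrap rule carries a human-readable reason an operator can audit later.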