metal-stack · majst01 · Jun 19, 2020 · Jun 19, 2020 · Jun 19, 2020 · Jun 20, 2020
@@ -20,16 +20,13 @@ make test
 
 ```bash
 # start kind cluster
-kind create cluster
-
-# deploy manifests
-k apply -f deploy
-
-# start the controller
-bin/firewall-controller --hosts-file ./hosts
+make start
 
 # watch results
 k describe -n firewall firewall
-cat nftables.v4
-cat hosts
-```
+
+# see evebox
+k port-forward -n firewall svc/evebox-server-service 8080:80
+
+point your browser to http://localhost:8080
+```
@@ -77,6 +77,7 @@ vet:
 # Generate code
 generate: controller-gen statik manifests
 	$(STATIK) -src=pkg/nftables -include='*.tpl' -dest=pkg/nftables -ns tpl
+	$(STATIK) -src=pkg/evebox -include='*.tpl' -dest=pkg/evebox -ns tpl
 	$(STATIK) -src=config/crd/bases -ns crd
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
@@ -88,6 +89,30 @@ docker-build:
 docker-push:
 	docker push ${DOCKER_IMG}
 
+KUBECONFIG := $(shell pwd)/.kubeconfig
+
+.PHONY: start
+start: kind-cluster-create
+	kind --name firewall-controller load docker-image metalstack/firewall-controller:latest
+	kubectl --kubeconfig $(KUBECONFIG) delete -f "deploy/firewall-controller.yaml" || true # for idempotence
+	kubectl --kubeconfig $(KUBECONFIG) apply -f "deploy/firewall-controller.yaml"
+	kubectl --kubeconfig $(KUBECONFIG) apply -f "deploy/firewall.yaml"
+	# tailing
+	stern --kubeconfig $(KUBECONFIG) '.*'
+
+.PHONY: kind-cluster-create
+kind-cluster-create: docker-build
+	@if ! which kind > /dev/null; then echo "kind needs to be installed"; exit 1; fi
+	@if ! kind get clusters | grep firewall-controller > /dev/null; then \
+		kind create cluster \
+		--name firewall-controller \
+		--kubeconfig $(KUBECONFIG); fi
+
+.PHONY: cleanup
+cleanup:
+	kind delete cluster --name firewall-controller
+	rm -f $(KUBECONFIG)
+
 # find or download controller-gen
 # download controller-gen if necessary
 .PHONY: controller-gen

@@ -23,6 +23,10 @@ metadata:
   namespace: firewall
   name: firewall
 spec:
+  # clusterid should be set from the gardener-extension-provider-metal
+  clusterid: "<uuid of the k8s cluster>"
+  # projectid this cluster belongs to, should be set from the gardener-extension-provider-metal
+  projectid: "<uuid of the project"
   # Interval of reconcilation if nftables rules and network traffic accounting
   interval: 10s
   # Ratelimits specify on which physical interface, which maximum rate of traffic is allowed
@@ -37,6 +41,28 @@ spec:
   - "1.2.3.0/24
   - "172.17.0.0/16"
   - "10.0.0.0/8"
+  # ids is optional, if not given ids events are not forwarded
+  ids:
+    # serverurl specifies the ids event sink url
+    serverurl: https://ids.foo.bar
+    # basicauthenabled must be set to true if event sink requires username and password
+    # if set to true a secret in the firewall namespace with the name "ids" in the firewall namespace must be present
+    # it must also contain a username and password data object
+    basicauthenabled: true
+```
+
+IDS Secret
+
+```yaml
+---apiVersion: v1
+kind: Secret
+metadata:
+  name: ids
+  namespace: firewall
+type: Opaque
+data:
+  username: <base64 encoded username>
+  password: <base64 encoded password>
 ```
 
 Example ClusterwideNetworkPolicy:
@@ -59,6 +85,15 @@ spec:
       port: 53
     - protocol: TCP
       port: 53
+  ingress:
+  - from:
+    - cidr: 1.1.0.0/24
+      except:
+      - 1.1.1.0/16
+    - cidr: 8.8.8.8/32
+    ports:
+    - protocol: TCP
+      port: 8443
 ```
 
 ## Status

@@ -28,6 +28,7 @@ import (
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Interval",type=string,JSONPath=`.spec.interval`
 // +kubebuilder:printcolumn:name="InternalPrefixes",type=string,JSONPath=`.spec.internalprefixes`
+// +kubebuilder:printcolumn:name="IDS",type=string,JSONPath=`.spec.ids.serverurl`
 type Firewall struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -57,6 +58,13 @@ type FirewallSpec struct {
 	// InternalPrefixes specify prefixes which are considered local to the partition or all regions.
 	// Traffic to/from these prefixes is accounted as internal traffic
 	InternalPrefixes []string `json:"internalprefixes,omitempty"`
+	// IDS configuration
+	// +optional
+	IDS *IDS `json:"ids,omitempty"`
+	// ClusterID the uuid of the cluster
+	ClusterID string `json:"clusterid,omitempty"`
+	// ProjectID the uuid of the project this cluster belongs to
+	ProjectID string `json:"projectid,omitempty"`
 }
 
 // FirewallStatus defines the observed state of Firewall
@@ -117,6 +125,16 @@ type InterfaceStat struct {
 	Packets          int `json:"packets"`
 }
 
+// IDS configures the intrusion detection
+type IDS struct {
+	// ServerURL the url where the IDS
+	ServerURL string `json:"serverurl,omitempty"`
+	// BasicAuthEnabled must be set to true if event sink requires username and password
+	// if set to true a secret in the firewall namespace with the name "ids" in the firewall namespace must be present
+	// it must also contain a username and password data object
+	BasicAuthEnabled bool `json:"basicauthenabled"`
+}
+
 func init() {
 	SchemeBuilder.Register(&Firewall{}, &FirewallList{})
 }
@@ -1,20 +1,21 @@
-<mxfile host="" modified="2020-06-17T13:01:47.021Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Code/1.46.0 Chrome/78.0.3904.130 Electron/7.3.1 Safari/537.36" etag="IZGaQyWtVY2mHcgWngqc" version="13.1.3">
+<mxfile host="" modified="2020-06-20T12:51:42.012Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Code/1.46.1 Chrome/78.0.3904.130 Electron/7.3.1 Safari/537.36" etag="u_EyapvHiERCl4YO4gzE" version="13.1.3">
     <diagram id="6hGFLwfOUW9BJ-s0fimq" name="Page-1">
-        <mxGraphModel dx="1174" dy="623" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
+        <mxGraphModel dx="758" dy="539" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
             <root>
                 <mxCell id="0"/>
                 <mxCell id="1" parent="0"/>
-                <mxCell id="26" value="Worker Node" style="verticalAlign=top;align=left;spacingTop=8;spacingLeft=2;spacingRight=12;shape=cube;size=10;direction=south;fontStyle=4;html=1;" vertex="1" parent="1">
+                <mxCell id="26" value="Worker Node" style="verticalAlign=top;align=left;spacingTop=8;spacingLeft=2;spacingRight=12;shape=cube;size=10;direction=south;fontStyle=4;html=1;" parent="1" vertex="1">
                     <mxGeometry x="85" y="760" width="180" height="120" as="geometry"/>
                 </mxCell>
-                <mxCell id="22" value="Firewall" style="verticalAlign=top;align=left;spacingTop=8;spacingLeft=2;spacingRight=12;shape=cube;size=10;direction=south;fontStyle=4;html=1;" vertex="1" parent="1">
-                    <mxGeometry x="210" y="410" width="460" height="180" as="geometry"/>
+                <mxCell id="22" value="Firewall" style="verticalAlign=top;align=left;spacingTop=8;spacingLeft=2;spacingRight=12;shape=cube;size=10;direction=south;fontStyle=4;html=1;" parent="1" vertex="1">
+                    <mxGeometry x="210" y="410" width="460" height="210" as="geometry"/>
                 </mxCell>
-                <mxCell id="6" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0;exitDx=180;exitDy=185;endArrow=none;endFill=0;exitPerimeter=0;entryX=0;entryY=0;entryDx=0;entryDy=85;entryPerimeter=0;" parent="1" source="22" target="26" edge="1">
+                <mxCell id="6" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1.002;exitY=0.384;exitDx=0;exitDy=0;endArrow=none;endFill=0;exitPerimeter=0;entryX=0;entryY=0;entryDx=0;entryDy=85;entryPerimeter=0;" parent="1" source="22" target="26" edge="1">
                     <mxGeometry relative="1" as="geometry">
                         <mxPoint x="255" y="770" as="targetPoint"/>
                         <Array as="points">
-                            <mxPoint x="425" y="590"/>
+                            <mxPoint x="485" y="620"/>
+                            <mxPoint x="425" y="620"/>
                             <mxPoint x="425" y="740"/>
                             <mxPoint x="180" y="740"/>
                         </Array>
@@ -36,16 +37,16 @@
                 <mxCell id="8" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0;exitDx=0;exitDy=85;endArrow=none;endFill=0;exitPerimeter=0;" parent="1" source="29" edge="1">
                     <mxGeometry relative="1" as="geometry">
                         <mxPoint x="424.9999999999998" y="785" as="sourcePoint"/>
-                        <mxPoint x="425" y="590" as="targetPoint"/>
+                        <mxPoint x="425" y="620" as="targetPoint"/>
                     </mxGeometry>
                 </mxCell>
-                <mxCell id="7" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0;exitDx=0;exitDy=85;endArrow=none;endFill=0;exitPerimeter=0;" parent="1" source="30" edge="1">
+                <mxCell id="7" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0;exitDx=0;exitDy=85;endArrow=none;endFill=0;exitPerimeter=0;entryX=1.012;entryY=0.531;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="30" edge="1" target="22">
                     <mxGeometry relative="1" as="geometry">
                         <mxPoint x="425" y="590" as="targetPoint"/>
                         <mxPoint x="594.9999999999998" y="785" as="sourcePoint"/>
                         <Array as="points">
                             <mxPoint x="670" y="740"/>
-                            <mxPoint x="425" y="740"/>
+                            <mxPoint x="426" y="740"/>
                         </Array>
                     </mxGeometry>
                 </mxCell>
@@ -81,33 +82,60 @@
                 <mxCell id="20" value="0.0.0.0/0" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;" parent="1" vertex="1">
                     <mxGeometry x="205" y="250" width="60" height="20" as="geometry"/>
                 </mxCell>
-                <mxCell id="23" value="&amp;lt;service&amp;gt;&lt;br&gt;nftables-exporter" style="html=1;" vertex="1" parent="1">
-                    <mxGeometry x="240" y="520" width="110" height="50" as="geometry"/>
+                <mxCell id="23" value="&amp;lt;service&amp;gt;&lt;br&gt;nftables-exporter" style="html=1;" parent="1" vertex="1">
+                    <mxGeometry x="240" y="557" width="110" height="50" as="geometry"/>
                 </mxCell>
-                <mxCell id="24" value="&amp;lt;service&amp;gt;&lt;br&gt;node-exporter" style="html=1;" vertex="1" parent="1">
-                    <mxGeometry x="385" y="520" width="110" height="50" as="geometry"/>
+                <mxCell id="24" value="&amp;lt;service&amp;gt;&lt;br&gt;node-exporter" style="html=1;" parent="1" vertex="1">
+                    <mxGeometry x="385" y="557" width="110" height="50" as="geometry"/>
                 </mxCell>
-                <mxCell id="25" value="droptailer" style="html=1;" vertex="1" parent="1">
-                    <mxGeometry x="530" y="520" width="110" height="50" as="geometry"/>
+                <mxCell id="25" value="droptailer" style="html=1;" parent="1" vertex="1">
+                    <mxGeometry x="530" y="557" width="110" height="50" as="geometry"/>
                 </mxCell>
-                <mxCell id="29" value="Worker Node" style="verticalAlign=top;align=left;spacingTop=8;spacingLeft=2;spacingRight=12;shape=cube;size=10;direction=south;fontStyle=4;html=1;" vertex="1" parent="1">
+                <mxCell id="29" value="Worker Node" style="verticalAlign=top;align=left;spacingTop=8;spacingLeft=2;spacingRight=12;shape=cube;size=10;direction=south;fontStyle=4;html=1;" parent="1" vertex="1">
                     <mxGeometry x="330" y="760" width="180" height="120" as="geometry"/>
                 </mxCell>
-                <mxCell id="30" value="Worker Node" style="verticalAlign=top;align=left;spacingTop=8;spacingLeft=2;spacingRight=12;shape=cube;size=10;direction=south;fontStyle=4;html=1;" vertex="1" parent="1">
+                <mxCell id="30" value="Worker Node" style="verticalAlign=top;align=left;spacingTop=8;spacingLeft=2;spacingRight=12;shape=cube;size=10;direction=south;fontStyle=4;html=1;" parent="1" vertex="1">
                     <mxGeometry x="575" y="760" width="180" height="120" as="geometry"/>
                 </mxCell>
-                <mxCell id="31" value="droptailer" style="html=1;" vertex="1" parent="1">
+                <mxCell id="31" value="droptailer" style="html=1;" parent="1" vertex="1">
                     <mxGeometry x="610" y="810" width="110" height="50" as="geometry"/>
                 </mxCell>
-                <mxCell id="32" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.75;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="25" target="31">
+                <mxCell id="32" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.75;entryY=0;entryDx=0;entryDy=0;" parent="1" source="25" target="31" edge="1">
                     <mxGeometry relative="1" as="geometry"/>
                 </mxCell>
-                <mxCell id="34" value="send nftables drops&lt;br&gt;&amp;lt;grpc&amp;gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="32">
+                <mxCell id="34" value="send nftables drops&lt;br&gt;&amp;lt;grpc&amp;gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="32" vertex="1" connectable="0">
                     <mxGeometry x="-0.3092" y="37" relative="1" as="geometry">
-                        <mxPoint x="0.07000000000000028" y="-23.03" as="offset"/>
+                        <mxPoint x="2.7755575615628914e-16" y="-3" as="offset"/>
+                    </mxGeometry>
+                </mxCell>
+                <mxCell id="38" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="35" target="36">
+                    <mxGeometry relative="1" as="geometry"/>
+                </mxCell>
+                <mxCell id="39" value="consume eve.json" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="38">
+                    <mxGeometry x="0.1333" y="-1" relative="1" as="geometry">
+                        <mxPoint x="-11.9" y="-11" as="offset"/>
+                    </mxGeometry>
+                </mxCell>
+                <mxCell id="40" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=1;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="35" target="41">
+                    <mxGeometry relative="1" as="geometry">
+                        <mxPoint x="90" y="525" as="targetPoint"/>
+                    </mxGeometry>
+                </mxCell>
+                <mxCell id="42" value="send events&lt;br&gt;basic auth" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="40">
+                    <mxGeometry x="-0.073" y="2" relative="1" as="geometry">
+                        <mxPoint x="-14.29" y="-17" as="offset"/>
                     </mxGeometry>
                 </mxCell>
+                <mxCell id="35" value="evebox-agent" style="html=1;" vertex="1" parent="1">
+                    <mxGeometry x="240" y="500" width="110" height="50" as="geometry"/>
+                </mxCell>
+                <mxCell id="36" value="suricata" style="html=1;" vertex="1" parent="1">
+                    <mxGeometry x="530" y="500" width="110" height="50" as="geometry"/>
+                </mxCell>
+                <mxCell id="41" value="evebox-server" style="html=1;" vertex="1" parent="1">
+                    <mxGeometry x="10" y="500" width="110" height="50" as="geometry"/>
+                </mxCell>
             </root>
         </mxGraphModel>
     </diagram>
-</mxfile>
+</mxfile>
@@ -15,6 +15,9 @@ spec:
   - JSONPath: .spec.internalprefixes
     name: InternalPrefixes
     type: string
+  - JSONPath: .spec.ids.serverurl
+    name: IDS
+    type: string
   group: metal-stack.io
   names:
     kind: Firewall
@@ -43,9 +46,28 @@ spec:
         spec:
           description: FirewallSpec defines the desired state of Firewall
           properties:
+            clusterid:
+              description: ClusterID the uuid of the cluster
+              type: string
             dryrun:
               description: DryRun if set to true, firewall rules are not applied
               type: boolean
+            ids:
+              description: IDS configuration
+              properties:
+                basicauthenabled:
+                  description: BasicAuthEnabled must be set to true if event sink
+                    requires username and password if set to true a secret in the
+                    firewall namespace with the name "ids" in the firewall namespace
+                    must be present it must also contain a username and password data
+                    object
+                  type: boolean
+                serverurl:
+                  description: ServerURL the url where the IDS
+                  type: string
+              required:
+              - basicauthenabled
+              type: object
             internalprefixes:
               description: InternalPrefixes specify prefixes which are considered
                 local to the partition or all regions. Traffic to/from these prefixes
@@ -60,6 +82,10 @@ spec:
               description: TrafficControl defines where to store the generated ipv4
                 firewall rules on disk
               type: string
+            projectid:
+              description: ProjectID the uuid of the project this cluster belongs
+                to
+              type: string
             ratelimits:
               description: RateLimits allows configuration of rate limit rules for
                 interfaces.