Input for L3 Firewall for all WRCP Platform Interfaces (dsr8)

- Added information to allow operator firewall customization update for all platform networks.
- Minor updates.
- Editorial fixes.
- Added one new item in the abbrevs.txt file.
- Minor fix.

Story: 2010591
Task: 48703

Change-Id: I727d7b5412c50e59f97839f62ef03359eff78b81
Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com>
Elaine Fonaro 2023-08-30 14:14:20 +00:00
parent 463fcd4674
commit edf05c3460
3 changed files with 328 additions and 79 deletions

View File

@ -6,80 +6,96 @@
Default Firewall Rules
======================
|prod| applies default firewall rules on the |OAM| network. The default rules
are recommended for most applications.
|prod| applies default firewall rules on the |OAM|, management, cluster-host,
pxeboot, admin, and storage platform networks. Each platform network will have
one ``GlobalNetworkPolicy`` per node role (controller or worker). The default
rules are recommended for most applications.
Traffic is permitted for the following protocols and ports to allow access
for platform services. By default, all other traffic is blocked.
You can view the configured firewall rules with the following command:
You can view the configured |OAM| firewall rules with the following command:
.. code-block:: none
~(keystone_admin)]$ kubectl describe globalnetworkpolicy
Name: controller-oam-if-gnp
Namespace:
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"controller-oam-if-gnp"},"spec":...
API Version: crd.projectcalico.org/v1
Kind: GlobalNetworkPolicy
Metadata:
Creation Timestamp: 2019-08-08T20:18:34Z
Generation: 1
Resource Version: 1395
Self Link: /apis/crd.projectcalico.org/v1/globalnetworkpolicies/controller-oam-if-gnp
UID: b28b74fe-ba19-11e9-9176-ac1f6b0eef28
Spec:
Apply On Forward: false
Egress:
Action: Allow
Ip Version: 4
Protocol: TCP
Action: Allow
Ip Version: 4
Protocol: UDP
Action: Allow
Protocol: ICMP
Ingress:
Action: Allow
Destination:
Ports:
22
18002
4545
15491
6385
7777
6443
9001
9002
7480
9311
5000
8080
Ip Version: 4
Protocol: TCP
Action: Allow
Destination:
Ports:
2222
2223
123
161
162
319
320
Ip Version: 4
Protocol: UDP
Action: Allow
Protocol: ICMP
Order: 100
Selector: has(iftype) && iftype == 'oam'
Types:
Ingress
Egress
Events: <none>
[sysadmin@controller-0 ~(keystone_admin)]$ kubectl get globalnetworkpolicies.crd.projectcalico.org controller-oam-if-gnp -o yaml
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"controller-oam-if-gnp"},"spec":{"applyOnForward":true,"egress":[{"action":"Allow","ipVersion":6,"metadata":{"annotations":{"name":"stx-egr-controller-oam-tcp6"}},"protocol":"TCP"},{"action":"Allow","ipVersion":6,"metadata":{"annotations":{"name":"stx-egr-controller-oam-udp6"}},"protocol":"UDP"},{"action":"Allow","ipVersion":6,"metadata":{"annotations":{"name":"stx-egr-controller-oam-icmpv66"}},"protocol":"ICMPv6"}],"ingress":[{"action":"Allow","destination":{"ports":[22,4545,5000,6385,6443,7480,7777,9001,9002,9311,15491,18002]},"ipVersion":6,"metadata":{"annotations":{"name":"stx-ingr-controller-oam-tcp6"}},"protocol":"TCP"},{"action":"Allow","destination":{"ports":[123,320,2222,2223]},"ipVersion":6,"metadata":{"annotations":{"name":"stx-ingr-controller-oam-udp6"}},"protocol":"UDP"},{"action":"Allow","ipVersion":6,"metadata":{"annotations":{"name":"stx-ingr-controller-oam-icmpv66"}},"protocol":"ICMPv6"}],"order":100,"selector":"has(nodetype) \u0026\u0026 nodetype == 'controller' \u0026\u0026 has(iftype) \u0026\u0026 iftype contains 'oam'","types":["Ingress","Egress"]}}
creationTimestamp: "2023-07-26T02:53:50Z"
generation: 1
name: controller-oam-if-gnp
resourceVersion: "189409"
uid: d07c92ca-5cb6-4175-8891-16b4f66f5da4
spec:
applyOnForward: false
egress:
- action: Allow
ipVersion: 6
metadata:
annotations:
name: stx-egr-controller-oam-tcp6
protocol: TCP
- action: Allow
ipVersion: 6
metadata:
annotations:
name: stx-egr-controller-oam-udp6
protocol: UDP
- action: Allow
ipVersion: 6
metadata:
annotations:
name: stx-egr-controller-oam-icmpv66
protocol: ICMPv6
ingress:
- action: Allow
destination:
ports:
- 22
- 4545
- 5000
- 6385
- 6443
- 7480
- 7777
- 9001
- 9002
- 9311
- 15491
- 18002
ipVersion: 6
metadata:
annotations:
name: stx-ingr-controller-oam-tcp6
protocol: TCP
- action: Allow
destination:
ports:
- 123
- 320
- 2222
- 2223
ipVersion: 6
metadata:
annotations:
name: stx-ingr-controller-oam-udp6
protocol: UDP
- action: Allow
ipVersion: 6
metadata:
annotations:
name: stx-ingr-controller-oam-icmpv66
protocol: ICMPv6
order: 100
selector: has(nodetype) && nodetype == 'controller' && has(iftype) && iftype contains
'oam'
types:
- Ingress
- Egress
Where:
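Review bot: the new `-o yaml` capture is internally inconsistent: the `last-applied-configuration` annotation carries `"applyOnForward":true` while `spec` shows `applyOnForward: false`, which suggests the listing was edited by hand or stitched from two systems; re-capture it from one system so the annotation, `spec` and the selector agree. The annotation is also a single very long JSON line that duplicates `spec` and will overflow the rendered page; dropping the `metadata.annotations` block from the listing and keeping `spec` loses nothing for the reader. Finally, the prose says "one ``GlobalNetworkPolicy`` per node role (controller or worker)" but the example only shows `controller-oam-if-gnp`; clarify whether a worker policy exists for the |OAM| network so readers do not go looking for a `worker-oam-if-gnp`.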
@ -133,6 +149,190 @@ Where:
| udp | 2223 | service manager |
+------------------------+------------------------+------------------------+
For internal traffic, the networks management, cluster-host, pxeboot, admin, and storage only filter
by source address and L4 protocol, not restricting the L4 port access. As can be seen in the example
below for the management network:
.. code-block:: none
root@controller-0:/var/home/sysadmin# kubectl get globalnetworkpolicies.crd.projectcalico.org controller-mgmt-if-gnp -o yaml
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"controller-mgmt-if-gnp"},"spec":{"applyOnForward":true,"egress":[{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-egr-controller-mgmt-tcp4"}},"protocol":"TCP"},{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-egr-controller-mgmt-udp4"}},"protocol":"UDP"},{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-egr-controller-mgmt-icmp4"}},"protocol":"ICMP"},{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-egr-controller-mgmt-igmp4"}},"protocol":2}],"ingress":[{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-ingr-controller-mgmt-tcp4"}},"protocol":"TCP","source":{"nets":["10.8.87.0/24"]}},{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-ingr-controller-mgmt-udp4"}},"protocol":"UDP","source":{"nets":["10.8.87.0/24"]}},{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-ingr-controller-mgmt-icmp4"}},"protocol":"ICMP","source":{"nets":["10.8.87.0/24"]}},{"action":"Allow","destination":{"ports":[67]},"ipVersion":4,"metadata":{"annotations":{"name":"stx-ingr-controller-dhcp-udp4"}},"protocol":"UDP"},{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-ingr-controller-mgmt-igmp4"}},"protocol":2,"source":{"nets":["10.8.87.0/24"]}}],"order":100,"selector":"has(nodetype) \u0026\u0026 nodetype == 'controller' \u0026\u0026 has(iftype) \u0026\u0026 iftype contains 'mgmt'","types":["Ingress","Egress"]}}
creationTimestamp: "2023-08-03T06:01:49Z"
generation: 1
name: controller-mgmt-if-gnp
resourceVersion: "136914"
uid: 8ec83ec2-2664-46cd-907f-d48360e50029
spec:
applyOnForward: true
egress:
- action: Allow
ipVersion: 4
metadata:
annotations:
name: stx-egr-controller-mgmt-tcp4
protocol: TCP
- action: Allow
ipVersion: 4
metadata:
annotations:
name: stx-egr-controller-mgmt-udp4
protocol: UDP
- action: Allow
ipVersion: 4
metadata:
annotations:
name: stx-egr-controller-mgmt-icmp4
protocol: ICMP
- action: Allow
ipVersion: 4
metadata:
annotations:
name: stx-egr-controller-mgmt-igmp4
protocol: 2
ingress:
- action: Allow
ipVersion: 4
metadata:
annotations:
name: stx-ingr-controller-mgmt-tcp4
protocol: TCP
source:
nets:
- 10.8.87.0/24
- action: Allow
ipVersion: 4
metadata:
annotations:
name: stx-ingr-controller-mgmt-udp4
protocol: UDP
source:
nets:
- 10.8.87.0/24
- action: Allow
ipVersion: 4
metadata:
annotations:
name: stx-ingr-controller-mgmt-icmp4
protocol: ICMP
source:
nets:
- 10.8.87.0/24
- action: Allow
destination:
ports:
- 67
ipVersion: 4
metadata:
annotations:
name: stx-ingr-controller-dhcp-udp4
protocol: UDP
- action: Allow
ipVersion: 4
metadata:
annotations:
name: stx-ingr-controller-mgmt-igmp4
protocol: 2
source:
nets:
- 10.8.87.0/24
order: 100
selector: has(nodetype) && nodetype == 'controller' && has(iftype) && iftype contains
'mgmt'
types:
- Ingress
- Egress
In a |prod-dc| configuration there will be dedicated rules to allow communications
between the the system controller and subcloud. These are added in the management
or admin network. The example below shows a rule added in the system controller
to allow TCP traffic in the management network:
.. code-block:: none
- action: Allow
metadata:
annotations:
name: stx-ingr-controller-systemcontroller-tcp6
destination:
ports:
- 22
- 389
- 636
- 4546
- 5001
- 5492
- 5498
- 6386
- 6443
- 8080
- 8220
- 9001
- 9002
- 9312
- 18003
- 31001
- 31090
- 31091
- 31092
- 31093
- 31094
- 31095
- 31096
- 31097
- 31098
- 31099
ipVersion: 6
protocol: TCP
source:
nets:
- fd00:8:24::/64
- fd00:8:25::/64
- fd00:8:26::/64
- fd00:8:27::/64
The values provided in the source: > nets: section above are the subcloud
management networks controlled by this system controller, in the same way the
subcloud management (or admin) firewall will contain a TCP rule containing the
system controller management network:
.. code-block:: none
- action: Allow
destination:
ports:
- 22
- 4546
- 5001
- 5492
- 6386
- 8080
- 8220
- 9001
- 9002
- 9312
- 18003
- 31001
ipVersion: 6
metadata:
annotations:
name: stx-ingr-controller-subcloud-tcp6
protocol: TCP
source:
nets:
- fd00:8:32::/64
Each protocol (TCP, UDP) contains a specific set of L4 ports depending on the
role (system controller or subcloud). The selected L4 ports are described in
:ref:`distributed-cloud-ports-reference`.
.. note::
Custom rules may be added for other requirements. For more information,
see |sec-doc|: :ref:`Firewall Options <security-firewall-options>`.
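Review bot: the statement that the internal networks "only filter by source address and L4 protocol, not restricting the L4 port access" is contradicted by the example itself: `stx-ingr-controller-dhcp-udp4` restricts destination port 67 and has no `source.nets`, so it admits DHCP requests from any source. State that exception explicitly. Two wording fixes: "between the the system controller" duplicates "the", and "As can be seen in the example below for the management network:" is a sentence fragment that should be folded into the preceding sentence. `protocol: 2` in the `*-igmp4` rules is the only numeric protocol in the listings; a parenthetical "(IGMP, IP protocol 2)" saves readers a lookup. In the |prod-dc| paragraph, "the source: > nets: section" should refer to the field as ``source.nets``.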

View File

@ -6,25 +6,74 @@
Modify Firewall Options
=======================
|prod| incorporates a default firewall for the |OAM| network. You can configure
additional Kubernetes Network Policies in order to augment or override the
default rules.
|prod| incorporates a default firewall for the platform networks (|OAM|,
management, cluster-host, pxeboot, admin, and storage). You can configure
additional Kubernetes Network Policies to augment or override the default rules.
The |prod| firewall uses the Kubernetes Network Policies (using the Calico
|CNI|) to implement a firewall on the |OAM| network.
|CNI|) to implement a firewall on the desired platform network.
A minimal set of rules is always applied before any custom rules, as follows:
The available labels to place the new ``GlobalNetworkPolicy`` selectors are:
.. _security-firewall-options-ul-xw2-qkw-g3b:
- Non-|OAM| traffic is always accepted.
``ifname``
nodename.interface-name e.g.: controller-0.mgmt0
- Egress traffic is always accepted.
``iftype``
mgmt, admin, cluster-host, pxeboot, storage
- |SM| traffic is always accepted.
``nodetype``
controller or worker
- |SSH| traffic is always accepted.
Since a single interface can receive one or more networks, the ``iftype`` label
concatenates with "." as a separator, e.g.: ``cluster-host.mgmt.pxeboot`` (for
this case the host endpoint (``HostEndpoint`` in the example below) will use the
rules for all |GNPs| that contain those labels in the selector).
To get the installed labels check the host endpoints previously created:
.. code-block:: none
$ kubectl get hostendpoints.crd.projectcalico.org
NAME AGE
controller-0-cluster0-if-hep 8h
controller-0-mgmt0-if-hep 8h
controller-0-oam-if-hep 8h
controller-0-pxeboot0-if-hep 8h
controller-1-cluster0-if-hep 7h58m
controller-1-mgmt0-if-hep 7h58m
controller-1-oam-if-hep 7h58m
controller-1-pxeboot0-if-hep 7h58m
.. code-block:: none
$ kubectl get hostendpoints.crd.projectcalico.org controller-0-mgmt0-if-hep -o yaml
apiVersion: crd.projectcalico.org/v1
kind: HostEndpoint
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"crd.projectcalico.org/v1","kind":"HostEndpoint","metadata":{"annotations":{},"labels":{"ifname":"controller-0.mgmt0","iftype":"mgmt","nodetype":"controller"},"name":"controller-0-mgmt0-if-hep"},"spec":{"interfaceName":"vlan383","node":"controller-0"}}
creationTimestamp: "2023-08-03T06:01:50Z"
generation: 1
labels:
ifname: controller-0.mgmt0
iftype: mgmt
nodetype: controller
name: controller-0-mgmt0-if-hep
resourceVersion: "2861"
uid: 591694b5-e0ef-4562-a050-000e9473103a
spec:
interfaceName: vlan383
node: controller-0
All platform interfaces have a ``HostEndpoint`` attached to it, hence all traffic
is blocked by default. The ``GlobalNetworkPolicies`` associated with a particular
``HostEndpoint`` provide the permission rules. All ``GlobalNetworkPolicies`` provided by
|prod| are set with order 100.
You can introduce custom rules by creating and installing custom Kubernetes
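Review bot: the ``iftype`` value list ("mgmt, admin, cluster-host, pxeboot, storage") omits ``oam``, yet the default policy selector in this same change uses `iftype contains 'oam'` and the host endpoint listing shows `controller-0-oam-if-hep`; add ``oam`` to the list. The first `kubectl get hostendpoints` listing is introduced with "To get the installed labels" but prints only NAME and AGE; `kubectl get hostendpoints.crd.projectcalico.org --show-labels` would display the labels the text points at without the full `-o yaml` dump. Minor: "All platform interfaces have a ``HostEndpoint`` attached to it" should read "attached to them", and "``HostEndpoint`` in the example below" should name the resource (`controller-0-mgmt0-if-hep`) so the reference survives if the listings are reordered.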
@ -44,10 +93,9 @@ The following example opens up default HTTPS port 443.
- action: Allow
destination:
ports:
- 443
protocol: TCP
order: 500
selector: has(iftype) && iftype == 'oam'
selector: has(nodetype) && nodetype == 'controller' && has(iftype) && iftype contains 'oam'
types:
- Ingress
EOF
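Review bot: the selector changes from `iftype == 'oam'` to `iftype contains 'oam'` and gains the `nodetype == 'controller'` term, but the surrounding text does not say why; one sentence noting that ``iftype`` can hold a dot-concatenated list of networks (so `==` would not match a shared interface) and that mirroring the default `controller-oam-if-gnp` selector keeps the custom rule scoped to the same endpoints would make the example self-explanatory. The rule also carries no `ipVersion`, unlike the default rules, which are split per IP version; either say that it therefore applies to both IPv4 and IPv6, or add `ipVersion` to match the site's configuration.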
@ -85,7 +133,7 @@ describe command. For example:
443
Protocol: TCP
Order: 500
Selector: has(iftype) && iftype == 'oam'
Selector: has(nodetype) && nodetype == 'controller' && has(iftype) && iftype contains 'oam'
Types:
Ingress
Events: <none>

View File

@ -56,6 +56,7 @@
.. |FQDN| replace:: :abbr:`FQDN (Fully Qualified Domain Name)`
.. |FQDNs| replace:: :abbr:`FQDNs (Fully Qualified Domain Names)`
.. |GNP| replace:: :abbr:`GNP (Global Network Policy)`
.. |GNPs| replace:: :abbr:`GNPs (Global Network Policies)`
.. |GNSS| replace:: :abbr:`GNSS (Global Navigation Satellite System)`
.. |GCC| replace:: :abbr:`GCC (GNU Compiler Collection)`
.. |GPU| replace:: :abbr:`GPU (Graphics Processing Unit)`