From edf05c34608a709c84cf4fcde85140e04a5ee340 Mon Sep 17 00:00:00 2001
From: Elaine Fonaro
Date: Wed, 30 Aug 2023 14:14:20 +0000
Subject: [PATCH] Input for L3 Firewall for all WRCP Platform Interfaces (dsr8)
- Added information to allow operator firewall customization update for all platform networks.
- Minor updates.
- Editorial fixes.
- Added one new item in the abbrevs.txt file.
- Minor fix.
Story: 2010591
Task: 48703
Change-Id: I727d7b5412c50e59f97839f62ef03359eff78b81
Signed-off-by: Elaine Fonaro
---
 .../security-default-firewall-rules.rst | 334 ++++++++++++++----
 .../kubernetes/security-firewall-options.rst | 72 +++-
 doc/source/shared/abbrevs.txt | 1 +
 3 files changed, 328 insertions(+), 79 deletions(-)
diff --git a/doc/source/security/kubernetes/security-default-firewall-rules.rst b/doc/source/security/kubernetes/security-default-firewall-rules.rst
index 5a9d32a3e..53839c27f 100644
--- a/doc/source/security/kubernetes/security-default-firewall-rules.rst
+++ b/doc/source/security/kubernetes/security-default-firewall-rules.rst
@@ -6,80 +6,96 @@ Default Firewall Rules ====================== -|prod| applies default firewall rules on the |OAM| network. The default rules -are recommended for most applications. +|prod| applies default firewall rules on the |OAM|, management, cluster-host, +pxeboot, admin, and storage platform networks. Each platform network will have +one ``GlobalNetworkPolicy`` per node role (controller or worker). The default +rules are recommended for most applications. Traffic is permitted for the following protocols and ports to allow access for platform services. By default, all other traffic is blocked. -You can view the configured firewall rules with the following command: +You can view the configured |OAM| firewall rules with the following command: .. code-block:: none - ~(keystone_admin)]$ kubectl describe globalnetworkpolicy - Name: controller-oam-if-gnp - Namespace: - Labels: - Annotations: kubectl.kubernetes.io/last-applied-configuration: - {"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"controller-oam-if-gnp"},"spec":... 
- API Version: crd.projectcalico.org/v1 - Kind: GlobalNetworkPolicy - Metadata: - Creation Timestamp: 2019-08-08T20:18:34Z - Generation: 1 - Resource Version: 1395 - Self Link: /apis/crd.projectcalico.org/v1/globalnetworkpolicies/controller-oam-if-gnp - UID: b28b74fe-ba19-11e9-9176-ac1f6b0eef28 - Spec: - Apply On Forward: false - Egress: - Action: Allow - Ip Version: 4 - Protocol: TCP - Action: Allow - Ip Version: 4 - Protocol: UDP - Action: Allow - Protocol: ICMP - Ingress: - Action: Allow - Destination: - Ports: - 22 - 18002 - 4545 - 15491 - 6385 - 7777 - 6443 - 9001 - 9002 - 7480 - 9311 - 5000 - 8080 - Ip Version: 4 - Protocol: TCP - Action: Allow - Destination: - Ports: - 2222 - 2223 - 123 - 161 - 162 - 319 - 320 - Ip Version: 4 - Protocol: UDP - Action: Allow - Protocol: ICMP - Order: 100 - Selector: has(iftype) && iftype == 'oam' - Types: - Ingress - Egress - Events: + [sysadmin@controller-0 ~(keystone_admin)]$ kubectl get globalnetworkpolicies.crd.projectcalico.org controller-oam-if-gnp -o yaml + apiVersion: crd.projectcalico.org/v1 + kind: GlobalNetworkPolicy + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + 
{"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"controller-oam-if-gnp"},"spec":{"applyOnForward":true,"egress":[{"action":"Allow","ipVersion":6,"metadata":{"annotations":{"name":"stx-egr-controller-oam-tcp6"}},"protocol":"TCP"},{"action":"Allow","ipVersion":6,"metadata":{"annotations":{"name":"stx-egr-controller-oam-udp6"}},"protocol":"UDP"},{"action":"Allow","ipVersion":6,"metadata":{"annotations":{"name":"stx-egr-controller-oam-icmpv66"}},"protocol":"ICMPv6"}],"ingress":[{"action":"Allow","destination":{"ports":[22,4545,5000,6385,6443,7480,7777,9001,9002,9311,15491,18002]},"ipVersion":6,"metadata":{"annotations":{"name":"stx-ingr-controller-oam-tcp6"}},"protocol":"TCP"},{"action":"Allow","destination":{"ports":[123,320,2222,2223]},"ipVersion":6,"metadata":{"annotations":{"name":"stx-ingr-controller-oam-udp6"}},"protocol":"UDP"},{"action":"Allow","ipVersion":6,"metadata":{"annotations":{"name":"stx-ingr-controller-oam-icmpv66"}},"protocol":"ICMPv6"}],"order":100,"selector":"has(nodetype) \u0026\u0026 nodetype == 'controller' \u0026\u0026 has(iftype) \u0026\u0026 iftype contains 'oam'","types":["Ingress","Egress"]}} + creationTimestamp: "2023-07-26T02:53:50Z" + generation: 1 + name: controller-oam-if-gnp + resourceVersion: "189409" + uid: d07c92ca-5cb6-4175-8891-16b4f66f5da4 + spec: + applyOnForward: false + egress: + - action: Allow + ipVersion: 6 + metadata: + annotations: + name: stx-egr-controller-oam-tcp6 + protocol: TCP + - action: Allow + ipVersion: 6 + metadata: + annotations: + name: stx-egr-controller-oam-udp6 + protocol: UDP + - action: Allow + ipVersion: 6 + metadata: + annotations: + name: stx-egr-controller-oam-icmpv66 + protocol: ICMPv6 + ingress: + - action: Allow + destination: + ports: + - 22 + - 4545 + - 5000 + - 6385 + - 6443 + - 7480 + - 7777 + - 9001 + - 9002 + - 9311 + - 15491 + - 18002 + ipVersion: 6 + metadata: + annotations: + name: stx-ingr-controller-oam-tcp6 + protocol: TCP + - 
action: Allow + destination: + ports: + - 123 + - 320 + - 2222 + - 2223 + ipVersion: 6 + metadata: + annotations: + name: stx-ingr-controller-oam-udp6 + protocol: UDP + - action: Allow + ipVersion: 6 + metadata: + annotations: + name: stx-ingr-controller-oam-icmpv66 + protocol: ICMPv6 + order: 100 + selector: has(nodetype) && nodetype == 'controller' && has(iftype) && iftype contains + 'oam' + types: + - Ingress + - Egress Where: 
@@ -133,6 +149,190 @@ Where: | udp | 2223 | service manager | +------------------------+------------------------+------------------------+ +For internal traffic, the networks management, cluster-host, pxeboot, admin, and storage only filter +by source address and L4 protocol, not restricting the L4 port access. As can be seen in the example +below for the management network: + +.. code-block:: none + + root@controller-0:/var/home/sysadmin# kubectl get globalnetworkpolicies.crd.projectcalico.org controller-mgmt-if-gnp -o yaml + apiVersion: crd.projectcalico.org/v1 + kind: GlobalNetworkPolicy + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"controller-mgmt-if-gnp"},"spec":{"applyOnForward":true,"egress":[{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-egr-controller-mgmt-tcp4"}},"protocol":"TCP"},{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-egr-controller-mgmt-udp4"}},"protocol":"UDP"},{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-egr-controller-mgmt-icmp4"}},"protocol":"ICMP"},{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-egr-controller-mgmt-igmp4"}},"protocol":2}],"ingress":[{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-ingr-controller-mgmt-tcp4"}},"protocol":"TCP","source":{"nets":["10.8.87.0/24"]}},{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-ingr-controller-mgmt-udp4"}},"protocol":"UDP","source":{"nets":["10.8.87.0/24"]}},{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"name":"stx-ingr-controller-mgmt-icmp4"}},"protocol":"ICMP","source":{"nets":["10.8.87.0/24"]}},{"action":"Allow","destination":{"ports":[67]},"ipVersion":4,"metadata":{"annotations":{"name":"stx-ingr-controller-dhcp-udp4"}},"protocol":"UDP"},{"action":"Allow","ipVersion":4,"metadata":{"annotations":{"
name":"stx-ingr-controller-mgmt-igmp4"}},"protocol":2,"source":{"nets":["10.8.87.0/24"]}}],"order":100,"selector":"has(nodetype) \u0026\u0026 nodetype == 'controller' \u0026\u0026 has(iftype) \u0026\u0026 iftype contains 'mgmt'","types":["Ingress","Egress"]}} + creationTimestamp: "2023-08-03T06:01:49Z" + generation: 1 + name: controller-mgmt-if-gnp + resourceVersion: "136914" + uid: 8ec83ec2-2664-46cd-907f-d48360e50029 + spec: + applyOnForward: true + egress: + - action: Allow + ipVersion: 4 + metadata: + annotations: + name: stx-egr-controller-mgmt-tcp4 + protocol: TCP + - action: Allow + ipVersion: 4 + metadata: + annotations: + name: stx-egr-controller-mgmt-udp4 + protocol: UDP + - action: Allow + ipVersion: 4 + metadata: + annotations: + name: stx-egr-controller-mgmt-icmp4 + protocol: ICMP + - action: Allow + ipVersion: 4 + metadata: + annotations: + name: stx-egr-controller-mgmt-igmp4 + protocol: 2 + ingress: + - action: Allow + ipVersion: 4 + metadata: + annotations: + name: stx-ingr-controller-mgmt-tcp4 + protocol: TCP + source: + nets: + - 10.8.87.0/24 + - action: Allow + ipVersion: 4 + metadata: + annotations: + name: stx-ingr-controller-mgmt-udp4 + protocol: UDP + source: + nets: + - 10.8.87.0/24 + - action: Allow + ipVersion: 4 + metadata: + annotations: + name: stx-ingr-controller-mgmt-icmp4 + protocol: ICMP + source: + nets: + - 10.8.87.0/24 + - action: Allow + destination: + ports: + - 67 + ipVersion: 4 + metadata: + annotations: + name: stx-ingr-controller-dhcp-udp4 + protocol: UDP + - action: Allow + ipVersion: 4 + metadata: + annotations: + name: stx-ingr-controller-mgmt-igmp4 + protocol: 2 + source: + nets: + - 10.8.87.0/24 + order: 100 + selector: has(nodetype) && nodetype == 'controller' && has(iftype) && iftype contains + 'mgmt' + types: + - Ingress + - Egress + + +In a |prod-dc| configuration there will be dedicated rules to allow communications +between the the system controller and subcloud. 
These are added in the management +or admin network. The example below shows a rule added in the system controller +to allow TCP traffic in the management network: + +.. code-block:: none + + - action: Allow + metadata: + annotations: + name: stx-ingr-controller-systemcontroller-tcp6 + destination: + ports: + - 22 + - 389 + - 636 + - 4546 + - 5001 + - 5492 + - 5498 + - 6386 + - 6443 + - 8080 + - 8220 + - 9001 + - 9002 + - 9312 + - 18003 + - 31001 + - 31090 + - 31091 + - 31092 + - 31093 + - 31094 + - 31095 + - 31096 + - 31097 + - 31098 + - 31099 + ipVersion: 6 + protocol: TCP + source: + nets: + - fd00:8:24::/64 + - fd00:8:25::/64 + - fd00:8:26::/64 + - fd00:8:27::/64 + + +The values provided in the source: > nets: section above are the subcloud +management networks controlled by this system controller, in the same way the +subcloud management (or admin) firewall will contain a TCP rule containing the +system controller management network: + +.. code-block:: none + + - action: Allow + destination: + ports: + - 22 + - 4546 + - 5001 + - 5492 + - 6386 + - 8080 + - 8220 + - 9001 + - 9002 + - 9312 + - 18003 + - 31001 + ipVersion: 6 + metadata: + annotations: + name: stx-ingr-controller-subcloud-tcp6 + protocol: TCP + source: + nets: + - fd00:8:32::/64 + + +Each protocol (TCP, UDP) contains a specific set of L4 ports depending on the +role (system controller or subcloud). The selected L4 ports are described in +:ref:`distributed-cloud-ports-reference`. + .. note:: Custom rules may be added for other requirements. For more information, see |sec-doc|: :ref:`Firewall Options `. diff --git a/doc/source/security/kubernetes/security-firewall-options.rst b/doc/source/security/kubernetes/security-firewall-options.rst index a7b9db0e3..033a0a93b 100644 --- a/doc/source/security/kubernetes/security-firewall-options.rst +++ b/doc/source/security/kubernetes/security-firewall-options.rst 
@@ -6,25 +6,74 @@ Modify Firewall Options ======================= -|prod| incorporates a default firewall for the |OAM| network. You can configure -additional Kubernetes Network Policies in order to augment or override the -default rules. +|prod| incorporates a default firewall for the platform networks (|OAM|, +management, cluster-host, pxeboot, admin, and storage). You can configure +additional Kubernetes Network Policies to augment or override the default rules. The |prod| firewall uses the Kubernetes Network Policies (using the Calico -|CNI|) to implement a firewall on the |OAM| network. +|CNI|) to implement a firewall on the desired platform network. -A minimal set of rules is always applied before any custom rules, as follows: +The available labels to place the new ``GlobalNetworkPolicy`` selectors are: .. _security-firewall-options-ul-xw2-qkw-g3b: -- Non-|OAM| traffic is always accepted. +``ifname`` + nodename.interface-name e.g.: controller-0.mgmt0 -- Egress traffic is always accepted. +``iftype`` + mgmt, admin, cluster-host, pxeboot, storage -- |SM| traffic is always accepted. +``nodetype`` + controller or worker -- |SSH| traffic is always accepted. +Since a single interface can receive one or more networks, the ``iftype`` label +concatenates with "." as a separator, e.g.: ``cluster-host.mgmt.pxeboot`` (for +this case the host endpoint (``HostEndpoint`` in the example below) will use the +rules for all |GNPs| that contain those labels in the selector). + + +To get the installed labels check the host endpoints previously created: + +.. code-block:: none + + $ kubectl get hostendpoints.crd.projectcalico.org + NAME AGE + controller-0-cluster0-if-hep 8h + controller-0-mgmt0-if-hep 8h + controller-0-oam-if-hep 8h + controller-0-pxeboot0-if-hep 8h + controller-1-cluster0-if-hep 7h58m + controller-1-mgmt0-if-hep 7h58m + controller-1-oam-if-hep 7h58m + controller-1-pxeboot0-if-hep 7h58m + +.. 
code-block:: none + + $ kubectl get hostendpoints.crd.projectcalico.org controller-0-mgmt0-if-hep -o yaml + apiVersion: crd.projectcalico.org/v1 + kind: HostEndpoint + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"crd.projectcalico.org/v1","kind":"HostEndpoint","metadata":{"annotations":{},"labels":{"ifname":"controller-0.mgmt0","iftype":"mgmt","nodetype":"controller"},"name":"controller-0-mgmt0-if-hep"},"spec":{"interfaceName":"vlan383","node":"controller-0"}} + creationTimestamp: "2023-08-03T06:01:50Z" + generation: 1 + labels: + ifname: controller-0.mgmt0 + iftype: mgmt + nodetype: controller + name: controller-0-mgmt0-if-hep + resourceVersion: "2861" + uid: 591694b5-e0ef-4562-a050-000e9473103a + spec: + interfaceName: vlan383 + node: controller-0 + +All platform interfaces have a ``HostEndpoint`` attached to it, hence all traffic +is blocked by default. The ``GlobalNetworkPolicies`` associated with a particular +``HostEndpoint`` provide the permission rules. All ``GlobalNetworkPolicies`` provided by +|prod| are set with order 100. You can introduce custom rules by creating and installing custom Kubernetes @@ -44,10 +93,9 @@ The following example opens up default HTTPS port 443. - action: Allow destination: ports: - - 443 protocol: TCP order: 500 - selector: has(iftype) && iftype == 'oam' + selector: has(nodetype) && nodetype == 'controller' && has(iftype) && iftype contains 'oam' types: - Ingress EOF @@ -85,7 +133,7 @@ describe command. For example: 443 Protocol: TCP Order: 500 - Selector: has(iftype) && iftype == 'oam' + Selector: has(nodetype) && nodetype == 'controller' && has(iftype) && iftype contains 'oam' Types: Ingress Events: diff --git a/doc/source/shared/abbrevs.txt b/doc/source/shared/abbrevs.txt index 2e77edf05..5e7ee977a 100755 --- a/doc/source/shared/abbrevs.txt +++ b/doc/source/shared/abbrevs.txt 
@@ -56,6 +56,7 @@
 .. |FQDN| replace:: :abbr:`FQDN (Fully Qualified Domain Name)`
 .. |FQDNs| replace:: :abbr:`FQDNs (Fully Qualified Domain Names)`
 .. |GNP| replace:: :abbr:`GNP (Global Network Policy)`
+.. |GNPs| replace:: :abbr:`GNPs (Global Network Policies)`
 .. |GNSS| replace:: :abbr:`GNSS (Global Navigation Satellite System)`
 .. |GCC| replace:: :abbr:`GCC (GNU Compiler Collection)`
 .. |GPU| replace:: :abbr:`GPU (Graphics Processing Unit)`