
Commit 71d4a8a

committed
feat.
1 parent 27c7cef commit 71d4a8a


5 files changed

+52
-5
lines changed


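--- a/capi-lab/roles/firewall-controller-manager/defaults/main.yaml
+++ b/capi-lab/roles/firewall-controller-manager/defaults/main.yaml
@@ -17,3 +17,8 @@ firewall_controller_manager_shoot_access_token_secret: "shoot-access-firewall-co
 
 firewall_controller_manager_secrets_server:
 firewall_controller_manager_ca_bundle:
+
+firewall_controller_manager_crd_fetch_base_url: "https://raw.githubusercontent.com/metal-stack/firewall-controller-manager/refs/heads/"
+# TODO:
+# firewall_controller_manager_crd_fetch_base_url: "https://raw.githubusercontent.com/metal-stack/firewall-controller-manager/refs/tags/"
+firewall_controller_manager_image_tag: initial-firewall-ruleset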
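Review bot: The new `firewall_controller_manager_crd_fetch_base_url` default points at `refs/heads/`, so together with `firewall_controller_manager_image_tag: initial-firewall-ruleset` the CRDs are now fetched from a mutable branch head instead of a tag, and the CRDs that get applied can change between runs without any change in this repository. The bare `# TODO:` above the commented-out tags URL should say why the branch ref is used and when it flips back, e.g. `# TODO: switch back to refs/tags/ once the initial-firewall-ruleset branch is released; refs/heads/ is not a pinned ref, so CRD content may drift between runs.` The `lookup('url', ...)` in capi-lab/roles/firewall-controller-manager/tasks/main.yaml inherits the same unpinned source.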

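--- a/capi-lab/roles/firewall-controller-manager/tasks/main.yaml
+++ b/capi-lab/roles/firewall-controller-manager/tasks/main.yaml
@@ -14,14 +14,13 @@
 
 - name: Deploy firewall-controller-manager CRDs
 k8s:
-definition: "{{ lookup('url', 'https://raw.githubusercontent.com/metal-stack/firewall-controller-manager/refs/tags/' + firewall_controller_manager_image_tag + '/config/crds/' + item, split_lines=False) }}"
+definition: "{{ lookup('url', firewall_controller_manager_crd_fetch_base_url + firewall_controller_manager_image_tag + '/config/crds/' + item, split_lines=False) }}"
 namespace: "{{ firewall_controller_manager_namespace }}"
 loop:
 - firewall.metal-stack.io_firewalldeployments.yaml
 - firewall.metal-stack.io_firewallmonitors.yaml
 - firewall.metal-stack.io_firewalls.yaml
 - firewall.metal-stack.io_firewallsets.yaml
-
 # - name: Deploy firewall-controller-manager
 # k8s:
 # definition: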

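--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.23.0
 
 require (
 github.com/go-logr/logr v1.4.2
-github.com/metal-stack/firewall-controller-manager v0.4.3
+github.com/metal-stack/firewall-controller-manager v0.4.4-0.20241121151352-d3362457f60b
 github.com/metal-stack/metal-go v0.37.2
 github.com/metal-stack/metal-lib v0.18.4
 github.com/onsi/ginkgo/v2 v2.20.2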

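--- a/go.sum
+++ b/go.sum
@@ -140,8 +140,8 @@ github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNB
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/metal-stack/firewall-controller-manager v0.4.3 h1:WU5bqD710gUtzyA2NdWJuSveCbOhllQ7ybpgUg7aJW8=
-github.com/metal-stack/firewall-controller-manager v0.4.3/go.mod h1:J/3LHcvfJCpEEC4yk+WD0exh3btaScCaFkzbnbOsqrY=
+github.com/metal-stack/firewall-controller-manager v0.4.4-0.20241121151352-d3362457f60b h1:MKtYVt1QPVSd9LzTW532QzVz9c+hIUst7+8SmxhM8us=
+github.com/metal-stack/firewall-controller-manager v0.4.4-0.20241121151352-d3362457f60b/go.mod h1:J/3LHcvfJCpEEC4yk+WD0exh3btaScCaFkzbnbOsqrY=
 github.com/metal-stack/metal-go v0.37.2 h1:SDIuV43y09kmwtHfsReOZoZ7c2F+lNP4iIhazfJL5tQ=
 github.com/metal-stack/metal-go v0.37.2/go.mod h1:3MJTYCS4YJz8D8oteTKhjpaAKNMMjMKYDrIy9awHGtQ=
 github.com/metal-stack/metal-lib v0.18.4 h1:7HnfSwSbrKNHU+i6i79YFk/eeuhBhwIEHWpGqS7pYCc=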

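--- a/internal/controller/metalstackcluster_controller.go
+++ b/internal/controller/metalstackcluster_controller.go
@@ -433,6 +433,49 @@ func (r *clusterReconciler) ensureFirewallDeployment(nodeNetworkID string) (*fcm
 tag.ClusterID: string(r.infraCluster.GetUID()),
 }
 
+deploy.Spec.Template.Spec.InitialRuleSet = &fcmv2.InitialRuleSet{
+Egress: []fcmv2.EgressRule{
+{
+Comment: "allow outgoing http",
+Ports: []int32{80},
+Protocol: fcmv2.NetworkProtocolTCP,
+To: []string{"0.0.0.0/0"},
+},
+{
+Comment: "allow outgoing https",
+Ports: []int32{443},
+Protocol: fcmv2.NetworkProtocolTCP,
+To: []string{"0.0.0.0/0"},
+},
+{
+Comment: "allow outgoing dns via tcp",
+Ports: []int32{53},
+Protocol: fcmv2.NetworkProtocolTCP,
+To: []string{"0.0.0.0/0"},
+},
+{
+Comment: "allow outgoing dns and ntp via udp",
+Ports: []int32{53, 123},
+Protocol: fcmv2.NetworkProtocolUDP,
+To: []string{"0.0.0.0/0"},
+},
+},
+Ingress: []fcmv2.IngressRule{
+{
+Comment: "allow incoming ssh",
+Ports: []int32{22},
+Protocol: fcmv2.NetworkProtocolTCP,
+From: []string{"0.0.0.0/0"}, // TODO: restrict cidr
+},
+{
+Comment: "allow incoming https to kube-apiserver",
+Ports: []int32{443},
+Protocol: fcmv2.NetworkProtocolTCP,
+From: []string{"0.0.0.0/0"}, // TODO: restrict cidr
+},
+},
+}
+
 if deploy.Spec.Template.Labels == nil {
 deploy.Spec.Template.Labels = map[string]string{}
 }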
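Review bot: The two ingress rules (new lines 465-475) admit SSH and kube-apiserver traffic from `0.0.0.0/0`, and the only record of that decision is the inline `// TODO: restrict cidr` on each `From:` line; the rule set is also a literal embedded in ensureFirewallDeployment, whose body starts and ends outside this hunk, so it cannot be seen here whether the assignment runs on every reconcile and silently reverts any narrowing an operator applies to the FirewallDeployment. I would hoist the literal into a helper along the lines of `func initialFirewallRuleSet(ingressCIDRs []string) *fcmv2.InitialRuleSet` that takes the allowed source ranges from the cluster spec (field name to be chosen) and falls back to the current values, so the restriction has a place to land without touching the egress rules. Until that exists, a comment above the assignment should state the contract rather than leaving it to the TODOs, e.g. `// Bootstrap rule set for the cluster firewall: egress is limited to http/https/dns/ntp, but the ssh and apiserver ingress sources are currently unrestricted and must be narrowed via cluster configuration.` Whether the in-cluster controller later replaces this "initial" set is my reading of the field name and should be confirmed against the fcmv2 API before it is written down.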
