
Commit 44ced9d

committed
Merge remote-tracking branch 'origin/initial-firewall-ruleset' into initial-firewall-ruleset
2 parents b2b364d + b42f119 commit 44ced9d


6 files changed

+312
-11
lines changed


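--- a/api/v2/types_firewall.go
+++ b/api/v2/types_firewall.go
@@ -127,29 +127,42 @@ type FirewallTemplateSpec struct {
 
 // InitialRuleSet is the initial rule set deployed on the firewall.
 type InitialRuleSet struct {
-Egress []EgressRule
-Ingress []IngressRule
+// Egress rules to be deployed initially on the firewall.
+Egress []EgressRule `json:"egress,omitempty"`
+// Ingress rules to be deployed initially on the firewall.
+Ingress []IngressRule `json:"ingress,omitempty"`
 }
 
+// NetworkProtocol represents the kind of network protocol.
 type NetworkProtocol string
 
 const (
+// NetworkProtocolTCP represents tcp connections.
 NetworkProtocolTCP = "TCP"
+// NetworkProtocolUDP represents udp connections.
 NetworkProtocolUDP = "UDP"
 )
 
 type EgressRule struct {
-Comment string
-Ports []int32
-Protocol NetworkProtocol
-To []string
+// Comment provides a human readable description of this rule.
+Comment string `json:"comment,omitempty"`
+// Ports contains all affected network ports.
+Ports []int32 `json:"ports"`
+// Protocol constraints the protocol this rule applies to.
+Protocol NetworkProtocol `json:"protocol"`
+// To source address cidrs this rule applies to.
+To []string `json:"to"`
 }
 
 type IngressRule struct {
-Comment string
-Ports []int32
-Protocol NetworkProtocol
-From []string
+// Comment provides a human readable description of this rule.
+Comment string `json:"comment,omitempty"`
+// Ports contains all affected network ports.
+Ports []int32 `json:"ports"`
+// Protocol constraints the protocol this rule applies to.
+Protocol NetworkProtocol `json:"protocol"`
+// From source address cidrs this rule applies to.
+From []string `json:"from"`
 }
 
 // EgressRuleSNAT holds a Source-NAT rule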
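Review bot: The new comments on `To` in EgressRule and `From` in IngressRule both say "source address cidrs", but the CRDs committed alongside describe `to` as target addresses that "May contain IPs or dns names" and `InitialRuleSet` as "applied before the firewall-controller starts running", so the Go types and the generated schemas disagree and the next controller-gen run will rewrite the CRD descriptions; settle on one contract in the Go comments, e.g. `// To lists the destination addresses this rule applies to.` and `// From lists the source addresses this rule applies to.`, and confirm whether DNS names can actually be resolved for a rule set that is applied before the controller runs. `EgressRule` and `IngressRule` are exported but carry no doc comment, and "constraints the protocol" in both structs should read "constrains the protocol". The generated schema also accepts any port value, any protocol string and empty `to`/`from` lists, so a `// +kubebuilder:validation:Enum=TCP;UDP` marker on Protocol, a `// +kubebuilder:validation:MinItems=1` marker on To/From and a range validation on the port items would let the API server reject malformed rules before they reach the firewall. Note that `NetworkProtocolTCP`/`NetworkProtocolUDP` are untyped string constants rather than `NetworkProtocol`, which is existing code but worth aligning while the comments are being added.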
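--- a/api/v2/types_utils.go
+++ b/api/v2/types_utils.go
@@ -40,7 +40,8 @@ const (
 ConditionUnknown ConditionStatus = "Unknown"
 )
 
-type Conditions []Condition // nolint:recvcheck
+//nolint:recvcheck
+type Conditions []Condition
 
 // NewCondition creates a new condition.
 func NewCondition(t ConditionType, status ConditionStatus, reason, message string) Condition {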
api/v2/zz_generated.deepcopy.go

Lines changed: 84 additions & 0 deletions

config/crds/firewall.metal-stack.io_firewalldeployments.yaml

Lines changed: 69 additions & 0 deletions
@@ -180,6 +180,75 @@ spec:
180180
Image is the os image of the firewall.
181181
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
182182
type: string
183+
initialRuleSet:
184+
description: InitialRuleSet is the initial firewall ruleset
185+
applied before the firewall-controller starts running.
186+
properties:
187+
egress:
188+
description: Egress rules to be deployed initially on
189+
the firewall.
190+
items:
191+
properties:
192+
comment:
193+
description: Comment provides a human readable description
194+
of this rule.
195+
type: string
196+
ports:
197+
description: Ports contains all affected network
198+
ports.
199+
items:
200+
format: int32
201+
type: integer
202+
type: array
203+
protocol:
204+
description: Protocol constraints the protocol this
205+
rule applies to.
206+
type: string
207+
to:
208+
description: To target addresses this rule applies
209+
to. May contain IPs or dns names.
210+
items:
211+
type: string
212+
type: array
213+
required:
214+
- ports
215+
- protocol
216+
- to
217+
type: object
218+
type: array
219+
ingress:
220+
description: Ingress rules to be deployed initially on
221+
the firewall.
222+
items:
223+
properties:
224+
comment:
225+
description: Comment provides a human readable description
226+
of this rule.
227+
type: string
228+
from:
229+
description: From source addresses this rule applies
230+
to. May contain IPs or dns names.
231+
items:
232+
type: string
233+
type: array
234+
ports:
235+
description: Ports contains all affected network
236+
ports.
237+
items:
238+
format: int32
239+
type: integer
240+
type: array
241+
protocol:
242+
description: Protocol constraints the protocol this
243+
rule applies to.
244+
type: string
245+
required:
246+
- from
247+
- ports
248+
- protocol
249+
type: object
250+
type: array
251+
type: object
183252
internalPrefixes:
184253
description: |-
185254
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.

config/crds/firewall.metal-stack.io_firewalls.yaml

Lines changed: 65 additions & 0 deletions
@@ -135,6 +135,71 @@ spec:
135135
Image is the os image of the firewall.
136136
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
137137
type: string
138+
initialRuleSet:
139+
description: InitialRuleSet is the initial firewall ruleset applied
140+
before the firewall-controller starts running.
141+
properties:
142+
egress:
143+
description: Egress rules to be deployed initially on the firewall.
144+
items:
145+
properties:
146+
comment:
147+
description: Comment provides a human readable description
148+
of this rule.
149+
type: string
150+
ports:
151+
description: Ports contains all affected network ports.
152+
items:
153+
format: int32
154+
type: integer
155+
type: array
156+
protocol:
157+
description: Protocol constraints the protocol this rule
158+
applies to.
159+
type: string
160+
to:
161+
description: To target addresses this rule applies to. May
162+
contain IPs or dns names.
163+
items:
164+
type: string
165+
type: array
166+
required:
167+
- ports
168+
- protocol
169+
- to
170+
type: object
171+
type: array
172+
ingress:
173+
description: Ingress rules to be deployed initially on the firewall.
174+
items:
175+
properties:
176+
comment:
177+
description: Comment provides a human readable description
178+
of this rule.
179+
type: string
180+
from:
181+
description: From source addresses this rule applies to.
182+
May contain IPs or dns names.
183+
items:
184+
type: string
185+
type: array
186+
ports:
187+
description: Ports contains all affected network ports.
188+
items:
189+
format: int32
190+
type: integer
191+
type: array
192+
protocol:
193+
description: Protocol constraints the protocol this rule
194+
applies to.
195+
type: string
196+
required:
197+
- from
198+
- ports
199+
- protocol
200+
type: object
201+
type: array
202+
type: object
138203
internalPrefixes:
139204
description: |-
140205
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.

config/crds/firewall.metal-stack.io_firewallsets.yaml

Lines changed: 69 additions & 0 deletions
@@ -172,6 +172,75 @@ spec:
172172
Image is the os image of the firewall.
173173
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
174174
type: string
175+
initialRuleSet:
176+
description: InitialRuleSet is the initial firewall ruleset
177+
applied before the firewall-controller starts running.
178+
properties:
179+
egress:
180+
description: Egress rules to be deployed initially on
181+
the firewall.
182+
items:
183+
properties:
184+
comment:
185+
description: Comment provides a human readable description
186+
of this rule.
187+
type: string
188+
ports:
189+
description: Ports contains all affected network
190+
ports.
191+
items:
192+
format: int32
193+
type: integer
194+
type: array
195+
protocol:
196+
description: Protocol constraints the protocol this
197+
rule applies to.
198+
type: string
199+
to:
200+
description: To target addresses this rule applies
201+
to. May contain IPs or dns names.
202+
items:
203+
type: string
204+
type: array
205+
required:
206+
- ports
207+
- protocol
208+
- to
209+
type: object
210+
type: array
211+
ingress:
212+
description: Ingress rules to be deployed initially on
213+
the firewall.
214+
items:
215+
properties:
216+
comment:
217+
description: Comment provides a human readable description
218+
of this rule.
219+
type: string
220+
from:
221+
description: From source addresses this rule applies
222+
to. May contain IPs or dns names.
223+
items:
224+
type: string
225+
type: array
226+
ports:
227+
description: Ports contains all affected network
228+
ports.
229+
items:
230+
format: int32
231+
type: integer
232+
type: array
233+
protocol:
234+
description: Protocol constraints the protocol this
235+
rule applies to.
236+
type: string
237+
required:
238+
- from
239+
- ports
240+
- protocol
241+
type: object
242+
type: array
243+
type: object
175244
internalPrefixes:
176245
description: |-
177246
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.
