feat(firewall): Add firewall configuration

This patch configures calico to help isolating the cluster from the rest of the world by implementing host firewall rules. This should close various ports that otherwise would be exposed to the outside world and posing a risk. It's important to note, that due to the usage of wireguard there are some additional ports that must be opened for the whole setup to function. If ports >40000 on UDP aren't open, the whole network will die, apparently. At least that's what experimenting with this feature has indicated. Reference: https://projectcalico.docs.tigera.io/security/kubernetes-nodes

feat(firewall): Add firewall configuration
1112a590 · Sheogorath · 8a519732 · 1112a590 · 1112a590 · 1112a590
Verified Commit 1112a590 authored 3 years ago by Sheogorath
--- a/infrastructure/calico/felix-configuration.yaml
+++ b/infrastructure/calico/felix-configuration.yaml
-apiVersion: crd.projectcalico.org/v1
+apiVersion: projectcalico.org/v3
 kind: FelixConfiguration
 metadata:
  name: default

--- a/infrastructure/firewall/controller-config.yaml
+++ b/infrastructure/firewall/controller-config.yaml
-apiVersion: crd.projectcalico.org/v1
+apiVersion: projectcalico.org/v3
 kind: KubeControllersConfiguration
 metadata:
  annotations:

--- a/infrastructure/firewall/ingress-base.yaml
+++ b/infrastructure/firewall/ingress-base.yaml
+---
+apiVersion: projectcalico.org/v3
+kind: GlobalNetworkPolicy
+metadata:
+  name: ingress-k8s-base
+spec:
+  selector: has(node-role.kubernetes.io/control-plane) || has(node-role.kubernetes.io/worker)
+  ingress:
+  # Allow ICMP from everywhere
+  - action: Allow
+    protocol: ICMP
+  # Allow SSH from everywhere
+  - action: Allow
+    protocol: TCP
+    destination:
+      ports:
+      - 22
+  # Allow DHCP from everywhere
+  - action: Allow
+    protocol: UDP
+    destination:
+      ports:
+        - 68
+  # Allow bird and typha for calico from all cluster nodes
+  - action: Allow
+    protocol: TCP
+    source:
+      selector: has(node-role.kubernetes.io/control-plane) || has(node-role.kubernetes.io/worker)
+    destination:
+      ports:
+        - 179
+        - 5473
+  - action: Allow
+    protocol: UDP
+    source:
+      selector: has(node-role.kubernetes.io/control-plane) || has(node-role.kubernetes.io/worker)
+    destination:
+      ports:
+        - 4789
+        - 40000:65534
--- a/infrastructure/firewall/ingress-control-plane.yaml
+++ b/infrastructure/firewall/ingress-control-plane.yaml
+---
+apiVersion: projectcalico.org/v3
+kind: GlobalNetworkPolicy
+metadata:
+  name: ingress-k8s-control-plane
+spec:
+  selector: has(node-role.kubernetes.io/control-plane)
+  # Control plane ports
+  # https://kubernetes.io/docs/reference/ports-and-protocols/
+  ingress:
+  # Allow localhost access
+  - action: Allow
+    destination:
+      nets:
+      - 127.0.0.0/8
+  # Allow Kube API access from everywhere
+  - action: Allow
+    protocol: TCP
+    destination:
+      ports:
+      - 6443
+  # Allow Kubelet and etcd access from control-plane nodes
+  - action: Allow
+    protocol: TCP
+    source:
+      selector: has(node-role.kubernetes.io/control-plane)
+    destination:
+      ports:
+      - 2379
+      - 2380
+      - 10250
+  # Allow NodePorts
+  - action: Allow
+    protocol: TCP
+    destination:
+      ports:
+        - 30000:32767
--- a/infrastructure/firewall/ingress-metallb.yaml
+++ b/infrastructure/firewall/ingress-metallb.yaml
+---
+apiVersion: projectcalico.org/v3
+kind: GlobalNetworkPolicy
+metadata:
+  name: ingress-k8s-metallb
+spec:
+  selector: has(node-role.kubernetes.io/control-plane) || has(node-role.kubernetes.io/worker)
+  ingress:
+  # Allow access for metallb speaker
+  - action: Allow
+    protocol: TCP
+    source:
+      selector: has(node-role.kubernetes.io/control-plane) || has(node-role.kubernetes.io/worker)
+    destination:
+      ports:
+      # metallb-membership port
+      - 7946
+      # metallb-metrics port
+      - 7472
+  # Allow access for metallb speaker
+  - action: Allow
+    protocol: UDP
+    source:
+      selector: has(node-role.kubernetes.io/control-plane) || has(node-role.kubernetes.io/worker)
+    destination:
+      ports:
+      # metallb-membership port
+      - 7946
--- a/infrastructure/firewall/ingress-monitoring.yaml
+++ b/infrastructure/firewall/ingress-monitoring.yaml
+---
+apiVersion: projectcalico.org/v3
+kind: GlobalNetworkPolicy
+metadata:
+  name: ingress-k8s-monitoring
+spec:
+  selector: has(node-role.kubernetes.io/control-plane) || has(node-role.kubernetes.io/worker)
+  ingress:
+  # Allow access for metallb speaker
+  - action: Allow
+    protocol: TCP
+    source:
+      selector: has(node-role.kubernetes.io/control-plane) || has(node-role.kubernetes.io/worker)
+    destination:
+      ports:
+      # node-exporter
+      - 9100
--- a/infrastructure/firewall/ingress-worker.yaml
+++ b/infrastructure/firewall/ingress-worker.yaml
+---
+apiVersion: projectcalico.org/v3
+kind: GlobalNetworkPolicy
+metadata:
+  name: ingress-k8s-worker
+spec:
+  selector: has(node-role.kubernetes.io/worker)
+  # Control plane ports
+  # https://kubernetes.io/docs/reference/ports-and-protocols/
+  ingress:
+  # Allow localhost access
+  - action: Allow
+    destination:
+      nets:
+      - 127.0.0.0/8
+  # Allow kublet access from control-plane nodes
+  - action: Allow
+    protocol: TCP
+    source:
+      selector: has(node-role.kubernetes.io/control-plane)
+    destination:
+      ports:
+      - 10250
+  # Allow NodePorts
+  - action: Allow
+    protocol: TCP
+    destination:
+      ports:
+        - 30000:32767
--- a/infrastructure/firewall/kustomization.yaml
+++ b/infrastructure/firewall/kustomization.yaml
@@ -3,3 +3,8 @@ kind: Kustomization
 namespace: default
 resources:
  - controller-config.yaml
+  - ingress-base.yaml
+  - ingress-control-plane.yaml
+  - ingress-worker.yaml
+  - ingress-metallb.yaml
+  - ingress-monitoring.yaml