feat(firewall): Add firewall configuration
This patch configures calico to help isolate the cluster from the rest of the world by implementing host firewall rules. This should close various ports that otherwise would be exposed to the outside world and pose a risk. It's important to note that, due to the usage of wireguard, there are some additional ports that must be opened for the whole setup to function. If ports >40000 on UDP aren't open, the whole network will die, apparently. At least that's what experimenting with this feature has indicated. Reference: https://projectcalico.docs.tigera.io/security/kubernetes-nodes
Showing 8 changed files:
- infrastructure/calico/felix-configuration.yaml (1 addition, 1 deletion)
- infrastructure/firewall/controller-config.yaml (1 addition, 1 deletion)
- infrastructure/firewall/ingress-base.yaml (40 additions, 0 deletions)
- infrastructure/firewall/ingress-control-plane.yaml (37 additions, 0 deletions)
- infrastructure/firewall/ingress-metallb.yaml (28 additions, 0 deletions)
- infrastructure/firewall/ingress-monitoring.yaml (17 additions, 0 deletions)
- infrastructure/firewall/ingress-worker.yaml (29 additions, 0 deletions)
- infrastructure/firewall/kustomization.yaml (5 additions, 0 deletions)
infrastructure/firewall/ingress-base.yaml (new file, mode 0 → 100644)
infrastructure/firewall/ingress-metallb.yaml (new file, mode 0 → 100644)
infrastructure/firewall/ingress-worker.yaml (new file, mode 0 → 100644)