firewall-policy-controller

command module
v0.1.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 16, 2020 License: AGPL-3.0 Imports: 15 Imported by: 0

README

Firewall-Policy-Controller

This is a small controller to generate nftables rules based on network policies and services.

Current scope for the implementation

  • the firewall is not part of the kubernetes cluster => is not visible as node and gets no pods scheduled on it
  • it gets access to the kube-api server with a kubeconfig that gets injected via ignition user data
  • it watches for NetworkPolicy objects in the default namespace and Service objects in all namespaces and assembles ingress / egress firewall rules for them
    • NetworkPolicy need an empty podSelector
    • Service objects of type LoadBalancer and NodePort need the loadBalancerSourceRanges attribute
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np-egress-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 1.0.0.1/32
    ports:
    - protocol: UDP
      port: 53


apiVersion: v1
kind: Service
metadata:
  name: s1
  namespace: test-ns
spec:
  type: LoadBalancer
  loadBalancerIP: 212.37.83.1
  loadBalancerSourceRanges:
  - 192.168.0.0/24
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 8063

Testing locally

make
./bin/firewall-policy-controller -k kubeconfig
kubectl --kubeconfig kubeconfig apply --recursive -f pkg/controller/test_data/case1/
kubectl --kubeconfig kubeconfig delete --recursive -f pkg/controller/test_data/case1/

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
pkg
controller
droptailer
watcher

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.