feat(firewall): use collection nofusscomputing.firewall to configure kubernetes firewall

!46
2024-03-16 23:05:01 +09:30
parent 74187c7023
commit 4af31ff3ac
10 changed files with 121 additions and 23 deletions
--- a/roles/nfc_kubernetes/defaults/main.yml
+++ b/roles/nfc_kubernetes/defaults/main.yml
@ -34,6 +34,8 @@ nfc_role_kubernetes_container_images:

 nfc_role_kubernetes_cluster_domain: cluster.local

+nfc_role_kubernetes_configure_firewall: true
+
 nfc_role_kubernetes_etcd_enabled: false

 nfc_role_kubernetes_install_olm: false
--- a/roles/nfc_kubernetes/tasks/install.yaml
+++ b/roles/nfc_kubernetes/tasks/install.yaml
@ -21,28 +21,18 @@
    nfc_kubernetes_install_architectures: "{{ nfc_kubernetes_install_architectures | default({}) | combine({ansible_architecture: ''}) }}"


- name: Firewall Rules
+- name: Configure Kubernetes Firewall Rules
  ansible.builtin.include_role:
-    name: nfc_firewall
+    name: nofusscomputing.firewall.nfc_firewall
  vars:
-    nfc_firewall_enabled_kubernetes: "{{ nfc_kubernetes.enable_firewall | default(false) | bool }}"
+    nfc_role_firewall_firewall_type: iptables
+    nfc_role_firewall_additional_rules: "{{ ( lookup('template', 'vars/firewall_rules.yaml') | from_yaml ).kubernetes_chains }}"
  tags:
-    - never
-    - install
+    - always
+  when: >
+    nfc_role_kubernetes_configure_firewall


-# fix, reload firewall `iptables-reloader`
- name: Reload iptables
-  ansible.builtin.command:
-    cmd: bash -c /usr/bin/iptables-reloader
-  changed_when: false
-  tags:
-    - never
-    - install
-
-
-# kubernetes_installed
-
 - name: K3s Install
  ansible.builtin.include_tasks:
    file: k3s/install.yaml
--- a/roles/nfc_kubernetes/tasks/k3s/configure.yaml
+++ b/roles/nfc_kubernetes/tasks/k3s/configure.yaml
@ -14,7 +14,7 @@

 - name: Check if FW dir exists
  ansible.builtin.stat:
-    name: /etc/iptables.rules.d
+    name: /etc/iptables-reloader/rules.d
  register: firewall_rules_dir_metadata


@ -37,10 +37,10 @@
        when: "{{ kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname }}"

      - src: iptables-kubernetes.rules.j2
-        dest: "/etc/iptables.rules.d/iptables-kubernetes.rules"
+        dest: "/etc/iptables-reloader/rules.d/iptables-kubernetes.rules"
        notify: firewall_reloader
        when: |-
-          {%- if nfc_kubernetes.enable_firewall -%}
+          {%- if firewall_installed -%}

            {{ firewall_rules_dir_metadata.stat.exists }}

--- a/roles/nfc_kubernetes/templates/iptables-kubernetes.rules.j2
+++ b/roles/nfc_kubernetes/templates/iptables-kubernetes.rules.j2
@ -1,7 +1,7 @@
 #
 # IP Tables Firewall Rules for Kubernetes
 # 
-# Managed By ansible/role/nfc_kubernetes
+# Managed By ansible/collection/kubernetes
 #
 # Dont edit this file directly as it will be overwritten. To grant a host API access
 # edit the cluster config, adding the hostname/ip to path kubernetes_config.cluster.access
--- a/roles/nfc_kubernetes/vars/firewall_rules.yaml
+++ b/roles/nfc_kubernetes/vars/firewall_rules.yaml
@ -0,0 +1,90 @@
+---
+
+kubernetes_chains:
+
+  - name: kubernetes-embedded-etcd
+    chain: true
+    table: INPUT
+    protocol: tcp
+    dest:
+      port:
+        - '2379'
+        - '2380'
+    comment: etcd. Servers only
+    when: "{{ nfc_role_kubernetes_etcd_enabled }}"
+
+  - name: kubernetes-api
+    chain: true
+    table: INPUT
+    protocol: tcp
+    dest:
+      port: '6443'
+    comment: Kubernetes API access. All Cluster hosts and end users
+
+  - name: kubernetes-calico-bgp
+    chain: true
+    table: INPUT
+    protocol: tcp
+    dest:
+      port: '179'
+    comment: Kubernetes Calico BGP. All Cluster hosts and end users
+    when: false    # currently hard set to false. see Installation-manifest-Calico_Cluster.yaml.j2
+
+  - name: kubernetes-flannel-vxlan
+    chain: true
+    table: INPUT
+    protocol: udp
+    dest:
+      port: '4789'
+    comment: Flannel. All cluster hosts
+
+  - name: kubernetes-kubelet-metrics
+    chain: true
+    table: INPUT
+    protocol: tcp
+    dest:
+      port: '10250'
+    comment: Kubernetes Metrics. All cluster hosts
+
+  - name: kubernetes-flannel-wg-four
+    chain: true
+    table: INPUT
+    protocol: udp
+    dest:
+      port: '51820'
+    comment: Flannel Wiregaurd IPv4. All cluster hosts
+
+  - name: kubernetes-flannel-wg-six
+    chain: true
+    table: INPUT
+    protocol: udp
+    dest:
+      port: '51821'
+    comment: Flannel Wiregaurd IPv6. All cluster hosts
+    when: false    # ipv6 is disabled. see install.yaml sysctrl
+
+  - name: kubernetes-calico-typha
+    chain: true
+    table: INPUT
+    protocol: tcp
+    dest:
+      port: '5473'
+    comment: Calico networking with Typha enabled. Typha agent hosts.
+
+  - name: metallb-l2-tcp
+    chain: true
+    table: INPUT
+    protocol: tcp
+    dest:
+      port: '7946'
+    comment: MetalLB Gossip
+    when: "{{ nfc_kubernetes_enable_metallb }}"
+
+  - name: metallb-l2-udp
+    chain: true
+    table: INPUT
+    protocol: udp
+    dest:
+      port: '7946'
+    comment: MetalLB Gossip
+    when: "{{ nfc_kubernetes_enable_metallb }}"