feat(firewall): use collection nofusscomputing.firewall to configure kubernetes firewall

!46
2024-03-16 23:05:01 +09:30
parent 74187c7023
commit 4af31ff3ac
10 changed files with 121 additions and 23 deletions
--- a/roles/nfc_kubernetes/vars/firewall_rules.yaml
+++ b/roles/nfc_kubernetes/vars/firewall_rules.yaml
@ -0,0 +1,90 @@
+---
+
+kubernetes_chains:
+
+  - name: kubernetes-embedded-etcd
+    chain: true
+    table: INPUT
+    protocol: tcp
+    dest:
+      port:
+        - '2379'
+        - '2380'
+    comment: etcd. Servers only
+    when: "{{ nfc_role_kubernetes_etcd_enabled }}"
+
+  - name: kubernetes-api
+    chain: true
+    table: INPUT
+    protocol: tcp
+    dest:
+      port: '6443'
+    comment: Kubernetes API access. All Cluster hosts and end users
+
+  - name: kubernetes-calico-bgp
+    chain: true
+    table: INPUT
+    protocol: tcp
+    dest:
+      port: '179'
+    comment: Kubernetes Calico BGP. All Cluster hosts and end users
+    when: false    # currently hard set to false. see Installation-manifest-Calico_Cluster.yaml.j2
+
+  - name: kubernetes-flannel-vxlan
+    chain: true
+    table: INPUT
+    protocol: udp
+    dest:
+      port: '4789'
+    comment: Flannel. All cluster hosts
+
+  - name: kubernetes-kubelet-metrics
+    chain: true
+    table: INPUT
+    protocol: tcp
+    dest:
+      port: '10250'
+    comment: Kubernetes Metrics. All cluster hosts
+
+  - name: kubernetes-flannel-wg-four
+    chain: true
+    table: INPUT
+    protocol: udp
+    dest:
+      port: '51820'
+    comment: Flannel Wiregaurd IPv4. All cluster hosts
+
+  - name: kubernetes-flannel-wg-six
+    chain: true
+    table: INPUT
+    protocol: udp
+    dest:
+      port: '51821'
+    comment: Flannel Wiregaurd IPv6. All cluster hosts
+    when: false    # ipv6 is disabled. see install.yaml sysctrl
+
+  - name: kubernetes-calico-typha
+    chain: true
+    table: INPUT
+    protocol: tcp
+    dest:
+      port: '5473'
+    comment: Calico networking with Typha enabled. Typha agent hosts.
+
+  - name: metallb-l2-tcp
+    chain: true
+    table: INPUT
+    protocol: tcp
+    dest:
+      port: '7946'
+    comment: MetalLB Gossip
+    when: "{{ nfc_kubernetes_enable_metallb }}"
+
+  - name: metallb-l2-udp
+    chain: true
+    table: INPUT
+    protocol: udp
+    dest:
+      port: '7946'
+    comment: MetalLB Gossip
+    when: "{{ nfc_kubernetes_enable_metallb }}"