ansible-collections/kubernetes
2
0
Fork 0
Code Issues 8 Pull Requests 1 Actions Projects Releases 28 Wiki Activity

fix(firewall): correct rules so that kubernetes hosts are added to firewall allowed hosts

Browse Source 
!5 #2
This commit is contained in:
Jon Lockwood
2023-11-02 15:20:12 +09:30
parent c7907bf585
commit ba59dd3057
2 changed files with 83 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
defaults/main.yml
View File

@ -37,30 +37,6 @@ nfc_kubernetes:
k3s: k3s:
files: files:
# - name: config.yaml
# path: /etc/rancher/k3s
# content: |
# flannel-backend: none
# cluster-cidr: "{{ KubernetesPodSubnet }}"
# cluster-init: true
# {% if not Kubernetes_Prime | default(false) | bool -%}server: https://{{ hostvars[kubernetes_config.cluster.prime.name].ansible_host }}:6443{% endif %}
# service-cidr: "{{ KubernetesServiceSubnet }}"
# disable-network-policy: true
# disable:
# - traefik
# kube-apiserver-arg:
# - audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log
# - audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml
# # - admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml
# {% if kubernetes_oidc.enabled | default(false) | bool -%}
# - oidc-issuer-url={{ kubernetes_oidc.issuer_url }}
# - oidc-client-id={{ kubernetes_oidc.client_id }}
# - oidc-username-claim={{ kubernetes_oidc.username_claim }}
# - {% if kubernetes_oidc.oidc_username_prefix | default('') != '' %}oidc-username-prefix={{ kubernetes_oidc.oidc_username_prefix }}{% endif %}
# - oidc-groups-claim={{ kubernetes_oidc.groups_claim }}
# {% if kubernetes_oidc.groups_prefix | default('') != '' %}- oidc-groups-prefix={{ kubernetes_oidc.groups_prefix }}{% endif %}
# {% endif %}
# node-external-ip: "{{ host_external_ip }}"
- name: audit.yaml - name: audit.yaml
path: /var/lib/rancher/k3s/server path: /var/lib/rancher/k3s/server
@ -104,7 +80,6 @@ k3s:
when: "{{ kubernetes_config.cluster.prime.name == inventory_hostname }}" when: "{{ kubernetes_config.cluster.prime.name == inventory_hostname }}"
############################################################################################# #############################################################################################
# Cluster Config when stored in Inventory # Cluster Config when stored in Inventory
# #
@ -118,6 +93,7 @@ k3s:
# - '2001:4860:4860::8888' # - '2001:4860:4860::8888'
# - '192.168.1.1' # - '192.168.1.1'
# Name: earth # Mandatory, String. Cluster Name # Name: earth # Mandatory, String. Cluster Name
# group_name: # Mandatory, String. name of the ansible inventory group containg all cluster hosts
# prime: # prime:
# name: k3s-prod # Mandatory, String. Ansible inventory_host that will # name: k3s-prod # Mandatory, String. Ansible inventory_host that will
# # act as the prime master node. # # act as the prime master node.

137
templates/iptables-kubernetes.rules.j2
View File

@ -31,8 +31,9 @@
{%- endif -%} {%- endif -%}
{%- for kubernetes_host in groups[kubernetes_type] -%} {%- for kubernetes_host in groups[kubernetes_config.cluster.group_name] -%}
{%- set kubernetes_host = hostvars[kubernetes_host].ansible_host -%}
{%- if kubernetes_host is regex('^[a-z]') and ':' not in kubernetes_host -%} {#- Convert DNs name to IP Address -#} {%- if kubernetes_host is regex('^[a-z]') and ':' not in kubernetes_host -%} {#- Convert DNs name to IP Address -#}
@ -46,7 +47,11 @@
{%- endif -%} {%- endif -%}
{%- if kubernetes_host | list | length > 0 -%} {#- Convert dns lookup to list, and select the first item -#} {%- if
kubernetes_host is iterable
and
kubernetes_host is not string
-%} {#- Convert dns lookup to list, and select the first item -#}
{%- set kubernetes_host = kubernetes_host | from_yaml_all | list -%} {%- set kubernetes_host = kubernetes_host | from_yaml_all | list -%}
{%- set kubernetes_host = kubernetes_host[0] -%} {%- set kubernetes_host = kubernetes_host[0] -%}
@ -57,29 +62,32 @@
{%- for master_host in groups['kubernetes_master'] -%} {%- for master_host in groups['kubernetes_master'] -%}
{%- if master_host in groups[kubernetes_config.cluster.group_name] -%}
{%- if master_host is regex('^[a-z]') and ':' not in master_host -%} {#- Convert DNs name to IP Address -#} {%- set master_host = hostvars[master_host].ansible_host -%}
{%- if ipv6 | default(false) -%} {%- if master_host is regex('^[a-z]') and ':' not in master_host -%} {#- Convert DNs name to IP Address -#}
{%- set master_host = query('community.dns.lookup', master_host + '.', type='AAAA' ) -%} {%- if ipv6 | default(false) -%}
{%- else -%} {%- set master_host = query('community.dns.lookup', master_host + '.', type='AAAA' ) -%}
{%- set master_host = query('community.dns.lookup', master_host + '.', type='A' ) -%} {%- else -%}
{%- set master_host = query('community.dns.lookup', master_host + '.', type='A' ) -%}
{%- endif -%}
{%- if master_host | list | length > 0 -%} {#- Convert dns lookup to list, and select the first item -#}
{%- set master_host = master_host | from_yaml_all | list -%}
{%- set master_host = master_host[0] -%}
{%- endif -%}
{%- endif -%} {%- endif -%}
{%- if master_host | list | length > 0 -%} {#- Convert dns lookup to list, and select the first item -#}
{%- set master_host = master_host | from_yaml_all | list -%}
{%- set master_host = master_host[0] -%} {%- if Kubernetes_Master | default(false) | bool -%}
{%- endif -%}
{%- endif -%}
{%- if Kubernetes_Master | default(false) | bool -%}
{%- if {%- if
master_host == kubernetes_host master_host == kubernetes_host
@ -103,12 +111,14 @@
{#- master hosts only -#} {#- master hosts only -#}
{%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-embedded-etcd -s ' + master_host + ' -j ACCEPT'] -%} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-embedded-etcd -s ' + master_host + ' -j ACCEPT'] -%}
{# {%- set data.firewall_rules = data.firewall_rules + ['-I INPUT -s ' + master_host + ' -p tcp -m multiport --dports 2380 -j ACCEPT'] -%} #} {# {%- set data.firewall_rules = data.firewall_rules + ['-I INPUT -s ' + master_host + ' -p tcp -m multiport --dports 2380 -j ACCEPT'] -%} #}
{%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-api -s ' + master_host + ' -j ACCEPT'] -%} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-api -s ' + master_host + ' -j ACCEPT'] -%}
{%- endif -%} {%- endif -%}
{%- endif -%}
{%- endif -%} {%- endif -%}
{%- endfor -%} {%- endfor -%}
@ -133,65 +143,80 @@
{#- All cluster Hosts -#} {#- All cluster Hosts -#}
{%- if Kubernetes_Master | default(false) | bool -%}
{%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-api -s ' + kubernetes_host + ' -j ACCEPT'] -%}
{%- endif -%}
{%- set data.firewall_rules = data.firewall_rules + ['-I kubelet-metrics -s ' + kubernetes_host + ' -j ACCEPT'] -%} {%- set data.firewall_rules = data.firewall_rules + ['-I kubelet-metrics -s ' + kubernetes_host + ' -j ACCEPT'] -%}
{%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-flannel-wg-four -s ' + kubernetes_host + ' -j ACCEPT'] -%}
{%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-flannel-wg-six -s ' + kubernetes_host + ' -j ACCEPT'] -%}
{%- endif -%} {%- endif -%}
{%- endfor -%} {%- endfor -%}
{%- if Kubernetes_Master | default(false) | bool -%}
{%- for api_client in kubernetes_config.cluster.access | default([]) -%} {%- for api_client in kubernetes_config.cluster.access | default([]) -%}
{%- if api_client is regex('^[a-z]') and ':' not in api_client -%} {#- Convert DNs name to IP Address -#} {%- if api_client is regex('^[a-z]') and ':' not in api_client -%} {#- Convert DNs name to IP Address -#}
{%- set api_client_dns_name = api_client -%} {%- set api_client_dns_name = api_client -%}
{%- if ipv6 | default(false) -%} {%- if ipv6 | default(false) -%}
{%- set api_client = query('community.dns.lookup', api_client + '.', type='AAAA' ) -%} {%- set api_client = query('community.dns.lookup', api_client + '.', type='AAAA' ) -%}
{%- else -%} {%- else -%}
{%- set api_client = query('community.dns.lookup', api_client + '.', type='A' ) -%} {%- set api_client = query('community.dns.lookup', api_client + '.', type='A' ) -%}
{%- endif -%}
{%- if api_client | list | length > 0 -%} {#- Convert dns lookup to list, and select the first item -#}
{%- set api_client = api_client | from_yaml_all | list -%}
{%- set api_client = api_client[0] -%}
{%- endif -%}
{%- endif -%} {%- endif -%}
{%- if api_client | list | length > 0 -%} {#- Convert dns lookup to list, and select the first item -#}
{%- set api_client = api_client | from_yaml_all | list -%} {%- if
api_client != ansible_host
and
(
(
ipv6 | default(false)
and
':' in api_client
)
or
(
not ipv6 | default(false)
and
'.' in api_client
)
)
-%}
{%- set api_client = api_client[0] -%} {#- Hosts allowed to access API -#}
{%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-api -s ' + api_client + ' -m comment --comment "host: ' + api_client_dns_name | default(api_client) + '" -j ACCEPT'] -%}
{%- endif -%} {%- endif -%}
{%- endif -%} {%- endfor %}
{%- endif %}
{%- if
api_client != ansible_host
and
(
(
ipv6 | default(false)
and
':' in api_client
)
or
(
not ipv6 | default(false)
and
'.' in api_client
)
)
-%}
{#- Hosts allowed to access API -#}
{%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-api -s ' + api_client + ' -m comment --comment "host: ' + api_client_dns_name | default(api_client) + '" -j ACCEPT'] -%}
{%- endif -%}
{%- endfor %}
*filter *filter