# # IP Tables Firewall Rules for Kubernetes # # Managed By ansible/role/nfc_kubernetes # # Dont edit this file directly as it will be overwritten. To grant a host API access # edit the cluster config, adding the hostname/ip to path kubernetes_config.cluster.access # # This file is periodicly called by cron # {% set data = namespace(firewall_rules=[]) -%} {%- if ansible_host is regex('^[a-z]') and ':' not in ansible_host -%} {#- Convert DNs name to IP Address -#} {%- if ipv6 | default(false) -%} {%- set ansible_host = query('community.dns.lookup', ansible_host + '.', type='AAAA' ) -%} {%- else -%} {%- set ansible_host = query('community.dns.lookup', ansible_host + '.', type='A' ) -%} {%- endif -%} {%- if ansible_host | list | length > 0 -%} {#- Convert dns lookup to list, and select the first item -#} {%- set ansible_host = ansible_host | from_yaml_all | list -%} {%- set ansible_host = ansible_host[0] -%} {%- endif -%} {%- endif -%} {%- for kubernetes_host in groups[kubernetes_config.cluster.group_name | default('me_is_optional')] | default([]) -%} {%- set kubernetes_host = hostvars[kubernetes_host].ansible_host -%} {%- if kubernetes_host is regex('^[a-z]') and ':' not in kubernetes_host -%} {#- Convert DNs name to IP Address -#} {%- if ipv6 | default(false) -%} {%- set kubernetes_host = query('community.dns.lookup', kubernetes_host + '.', type='AAAA' ) -%} {%- else -%} {%- set kubernetes_host = query('community.dns.lookup', kubernetes_host + '.', type='A' ) -%} {%- endif -%} {%- if kubernetes_host is iterable and kubernetes_host is not string -%} {#- Convert dns lookup to list, and select the first item -#} {%- set kubernetes_host = kubernetes_host | from_yaml_all | list -%} {%- set kubernetes_host = kubernetes_host[0] | default('') -%} {%- endif -%} {%- endif -%} {%- if kubernetes_host != '' -%} {%- for master_host in groups['kubernetes_master'] -%} {%- if master_host in groups[kubernetes_config.cluster.group_name | default('me_is_optional')] | default([]) -%} {%- set master_host = hostvars[master_host].ansible_host -%} {%- if master_host is regex('^[a-z]') and ':' not in master_host -%} {#- Convert DNs name to IP Address -#} {%- if ipv6 | default(false) -%} {%- set master_host = query('community.dns.lookup', master_host + '.', type='AAAA' ) -%} {%- else -%} {%- set master_host = query('community.dns.lookup', master_host + '.', type='A' ) -%} {%- endif -%} {%- if master_host | list | length > 0 -%} {#- Convert dns lookup to list, and select the first item -#} {%- set master_host = master_host | from_yaml_all | list -%} {%- set master_host = master_host[0] -%} {%- endif -%} {%- endif -%} {%- if nfc_role_kubernetes_master | default(false) | bool -%} {%- if master_host == kubernetes_host and master_host != ansible_host and ( ( ipv6 | default(false) and ':' in master_host ) or ( not ipv6 | default(false) and '.' in master_host ) ) -%} {#- master hosts only -#} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-embedded-etcd -s ' + master_host + ' -j ACCEPT'] -%} {# {%- set data.firewall_rules = data.firewall_rules + ['-I INPUT -s ' + master_host + ' -p tcp -m multiport --dports 2380 -j ACCEPT'] -%} #} {%- if '-I kubernetes-api -s ' + master_host + ' -j ACCEPT' not in data.firewall_rules -%} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-api -s ' + master_host + ' -j ACCEPT'] -%} {%- endif -%} {%- endif -%} {%- endif -%} {%- endif -%} {%- endfor -%} {%- if ansible_host != kubernetes_host and ( ( ipv6 | default(false) and ':' in kubernetes_host ) or ( not ipv6 | default(false) and '.' in kubernetes_host ) ) -%} {#- All cluster Hosts -#} {%- if nfc_role_kubernetes_master | default(false) | bool -%} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-api -s ' + kubernetes_host + ' -j ACCEPT'] -%} {%- endif -%} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-flannel-vxlan -s ' + kubernetes_host + ' -j ACCEPT'] -%} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-kubelet-metrics -s ' + kubernetes_host + ' -j ACCEPT'] -%} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-flannel-wg-four -s ' + kubernetes_host + ' -j ACCEPT'] -%} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-flannel-wg-six -s ' + kubernetes_host + ' -j ACCEPT'] -%} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-calico-bgp -s ' + kubernetes_host + ' -j ACCEPT'] -%} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-calico-typha -s ' + kubernetes_host + ' -j ACCEPT'] -%} {%- if nfc_kubernetes_enable_metallb | default(false) -%} {%- set data.firewall_rules = data.firewall_rules + ['-I metallb-l2-tcp -s ' + kubernetes_host + ' -j ACCEPT'] -%} {%- set data.firewall_rules = data.firewall_rules + ['-I metallb-l2-udp -s ' + kubernetes_host + ' -j ACCEPT'] -%} {%- endif -%} {%- endif -%} {%- endif -%} {%- endfor -%} {%- if nfc_role_kubernetes_master | default(false) | bool -%} {%- if host_external_ip is defined -%} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-api -s ' + host_external_ip + ' -m comment --comment "hosts configured external IP" -j ACCEPT'] -%} {%- endif -%} {%- for api_client in kubernetes_config.cluster.access | default([]) -%} {%- if api_client is regex('^[a-z]') and ':' not in api_client -%} {#- Convert DNs name to IP Address -#} {%- set api_client_dns_name = api_client -%} {%- if ipv6 | default(false) -%} {%- set api_client = query('community.dns.lookup', api_client + '.', type='AAAA' ) -%} {%- else -%} {%- set api_client = query('community.dns.lookup', api_client + '.', type='A' ) -%} {%- endif -%} {%- if api_client | list | length > 0 -%} {#- Convert dns lookup to list, and select the first item -#} {%- set api_client = api_client | from_yaml_all | list -%} {%- set api_client = api_client[0] -%} {%- endif -%} {%- endif -%} {%- if api_client != ansible_host and ( ( ipv6 | default(false) and ':' in api_client ) or ( not ipv6 | default(false) and '.' in api_client ) ) -%} {#- Hosts allowed to access API -#} {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-api -s ' + api_client + ' -m comment --comment "host: ' + api_client_dns_name | default(api_client) + '" -j ACCEPT'] -%} {%- endif -%} {%- endfor %} {%- endif %} *filter {# -N kubernetes-embedded-etcd -A kubernetes-embedded-etcd -j RETURN -A INPUT -p tcp -m multiport --dports 2379,2380 -m comment --comment "etcd. Servers only" -j kubernetes-embedded-etcd -N kubernetes-api -A kubernetes-api -j RETURN -A INPUT -p tcp --dport 6443 -m comment --comment "Kubernetes API access. All Cluster hosts and end users" -j kubernetes-api -N kubernetes-flannel-vxlan -A kubernetes-flannel-vxlan -j RETURN -A INPUT -p udp --dport 8472 -m comment --comment "Flannel. All cluster hosts" -j kubernetes-flannel-vxlan -N kubernetes-kubelet-metrics -A kubernetes-kubelet-metrics -j RETURN -A INPUT -p tcp --dport 10250 -m comment --comment "Kubernetes Metrics. All cluster hosts" -j kubernetes-kubelet-metrics -N kubernetes-flannel-wg-four -A kubernetes-flannel-wg-four -j RETURN -A INPUT -p udp --dport 51820 -m comment --comment "Flannel Wiregaurd IPv4. All cluster hosts" -j kubernetes-flannel-wg-four -N kubernetes-flannel-wg-six -A kubernetes-flannel-wg-six -j RETURN -A INPUT -p udp --dport 51821 -m comment --comment "Flannel Wiregaurd IPv6. All cluster hosts" -j kubernetes-flannel-wg-six #} {% if data.firewall_rules | length | int > 0 -%} {% for rule in data.firewall_rules -%} {{ rule }} {% endfor -%} {% endif -%} {#- #-I INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 6443 -j ACCEPT #-I INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 179 -j ACCEPT #-I INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 10250 -j ACCEPT #-I INPUT -s 192.168.1.0/24 -p udp -m multiport --dports 4789 -j ACCEPT #-I INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 2379 -j ACCEPT #-I INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 2380 -j ACCEPT -I INPUT -p tcp -m multiport --dports 6443 -j ACCEPT -I INPUT -p tcp -m multiport --dports 179 -j ACCEPT -I INPUT -p tcp -m multiport --dports 10250 -j ACCEPT -I INPUT -p udp -m multiport --dports 4789 -j ACCEPT -I INPUT -p tcp -m multiport --dports 2379 -j ACCEPT -I INPUT -p tcp -m multiport --dports 2380 -j ACCEPT #} COMMIT {# iptables -I kubernetes-api -s nww-au1.networkedweb.com -j ACCEPT #}