Implement isolated cluster API (#361)
vknabel authored Jan 30, 2024
1 parent b7ba7df commit 5a1d023
Showing 43 changed files with 3,752 additions and 420 deletions.
Expand Up @@ -25,6 +25,7 @@ data:
firewallInternalPrefixes:
{{ toYaml .Values.config.firewallInternalPrefixes | indent 4 }}
{{- end }}
# FIXME remove
{{- if .Values.config.egressDestinations }}
egressDestinations:
{{ toYaml .Values.config.egressDestinations | indent 4 }}
1 change: 1 addition & 0 deletions charts/gardener-extension-provider-metal/values.yaml
Expand Up @@ -54,6 +54,7 @@ config:
qps: 100
burst: 130
machineImages: []
# FIXME remove
egressDestinations: []
firewallInternalPrefixes: []
etcd:
Expand Up @@ -99,6 +99,26 @@ spec:
spec:
description: Spec contains the firewall specification.
properties:
allowedNetworks:
description: AllowedNetworks defines dedicated networks for
which the firewall allows in- and outgoing traffic. The
firewall-controller only enforces this setting in combination
with NetworkAccessType set to forbidden. The node network
is always allowed.
properties:
egress:
description: Egress defines a list of cidrs which are
allowed for outgoing traffic.
items:
type: string
type: array
ingress:
description: Ingress defines a list of cidrs which are
allowed for incoming traffic like service type loadbalancer.
items:
type: string
type: array
type: object
controllerURL:
description: ControllerURL points to the downloadable binary
artifact of the firewall controller.
Expand Up @@ -13,7 +13,7 @@ spec:
listKind: FirewallList
plural: firewalls
shortNames:
- fw2
- fw
singular: firewall
scope: Namespaced
versions:
Expand Down Expand Up @@ -66,6 +66,25 @@ spec:
spec:
description: Spec contains the firewall specification.
properties:
allowedNetworks:
description: AllowedNetworks defines dedicated networks for which
the firewall allows in- and outgoing traffic. The firewall-controller
only enforces this setting in combination with NetworkAccessType
set to forbidden. The node network is always allowed.
properties:
egress:
description: Egress defines a list of cidrs which are allowed
for outgoing traffic.
items:
type: string
type: array
ingress:
description: Ingress defines a list of cidrs which are allowed
for incoming traffic like service type loadbalancer.
items:
type: string
type: array
type: object
controllerURL:
description: ControllerURL points to the downloadable binary artifact
of the firewall controller.
Expand Up @@ -102,6 +102,26 @@ spec:
spec:
description: Spec contains the firewall specification.
properties:
allowedNetworks:
description: AllowedNetworks defines dedicated networks for
which the firewall allows in- and outgoing traffic. The
firewall-controller only enforces this setting in combination
with NetworkAccessType set to forbidden. The node network
is always allowed.
properties:
egress:
description: Egress defines a list of cidrs which are
allowed for outgoing traffic.
items:
type: string
type: array
ingress:
description: Ingress defines a list of cidrs which are
allowed for incoming traffic like service type loadbalancer.
items:
type: string
type: array
type: object
controllerURL:
description: ControllerURL points to the downloadable binary
artifact of the firewall controller.
Expand Up @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.13.0
name: clusterwidenetworkpolicies.metal-stack.io
spec:
group: metal-stack.io
Expand All @@ -17,7 +16,14 @@ spec:
singular: clusterwidenetworkpolicy
scope: Namespaced
versions:
- name: v1
- additionalPrinterColumns:
- jsonPath: .status.state
name: Status
type: string
- jsonPath: .status.message
name: Message
type: string
name: v1
schema:
openAPIV3Schema:
description: ClusterwideNetworkPolicy contains the desired state for a cluster
Expand Down Expand Up @@ -100,19 +106,19 @@ spec:
matches at least one item in the to list. To rules can't contain
ToFQDNs rules.
items:
description: IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64")
description: IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64")
that is allowed to the pods matched by a NetworkPolicySpec's
podSelector. The except entry describes CIDRs that should
not be included within this rule.
properties:
cidr:
description: CIDR is a string representing the IP Block
Valid examples are "192.168.1.1/24" or "2001:db9::/64"
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
type: string
except:
description: Except is a slice of CIDRs that should not
be included within an IP Block Valid examples are "192.168.1.1/24"
or "2001:db9::/64" Except values will be rejected if
be included within an IP Block Valid examples are "192.168.1.0/24"
or "2001:db8::/64" Except values will be rejected if
they are outside the CIDR range
items:
type: string
Expand Down Expand Up @@ -163,19 +169,19 @@ spec:
rule allows traffic only if the traffic matches at least one
item in the from list.
items:
description: IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64")
description: IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64")
that is allowed to the pods matched by a NetworkPolicySpec's
podSelector. The except entry describes CIDRs that should
not be included within this rule.
properties:
cidr:
description: CIDR is a string representing the IP Block
Valid examples are "192.168.1.1/24" or "2001:db9::/64"
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
type: string
except:
description: Except is a slice of CIDRs that should not
be included within an IP Block Valid examples are "192.168.1.1/24"
or "2001:db9::/64" Except values will be rejected if
be included within an IP Block Valid examples are "192.168.1.0/24"
or "2001:db8::/64" Except values will be rejected if
they are outside the CIDR range
items:
type: string
Expand Down Expand Up @@ -252,6 +258,10 @@ spec:
description: FQDNState stores mapping from FQDN rules to nftables
sets used for a firewall rule. Key is either MatchName or MatchPattern
type: object
message:
type: string
state:
type: string
type: object
type: object
served: true
63 changes: 43 additions & 20 deletions charts/internal/shoot-control-plane/templates/network-policies.yaml
Expand Up @@ -7,7 +7,9 @@ metadata:
spec:
egress:
- to:
- cidr: 0.0.0.0/0
{{- range $dest := .Values.networkAccess.dnsCidrs }}
- cidr: {{ $dest }}
{{- end }}
ports:
- protocol: UDP
port: 53
Expand All @@ -22,11 +24,47 @@ metadata:
spec:
egress:
- to:
- cidr: 0.0.0.0/0
{{- range $dest := .Values.networkAccess.ntpCidrs }}
- cidr: {{ $dest }}
{{- end }}
ports:
- protocol: UDP
port: 123

---
apiVersion: metal-stack.io/v1
kind: ClusterwideNetworkPolicy
metadata:
name: allow-to-vpn
namespace: firewall
spec:
egress:
- ports:
- port: 4314
protocol: UDP
- port: 4314
protocol: TCP
to:
{{- range $i, $ip := .Values.apiserverIPs }}
- cidr: {{ $ip }}/32
{{- end }}
{{- if .Values.networkAccess.restrictedOrForbidden }}
---
apiVersion: metal-stack.io/v1
kind: ClusterwideNetworkPolicy
metadata:
name: allow-to-registry
namespace: firewall
spec:
egress:
{{- range $i, $reg := .Values.networkAccess.registryMirrors }}
- to:
- cidr: {{ quote $reg.cidr }}
ports:
- protocol: TCP
port: {{ $reg.port }}
{{- end }}
{{- end }}
# FIXME remove and replace with appropriate cwnp based on networkAccessType
{{- if .Values.restrictEgress.enabled }}
---
apiVersion: metal-stack.io/v1
Expand Down Expand Up @@ -70,7 +108,7 @@ spec:
{{- end }}

{{- else }}

{{- if not .Values.networkAccess.restrictedOrForbidden }}
---
apiVersion: metal-stack.io/v1
kind: ClusterwideNetworkPolicy
Expand All @@ -97,6 +135,7 @@ spec:
ports:
- protocol: TCP
port: 80
{{- end }}
{{- if gt (len .Values.apiserverIPs) 0 }}
---
apiVersion: metal-stack.io/v1
Expand All @@ -118,22 +157,6 @@ spec:
- protocol: TCP
port: 8132
{{- end }}
---
apiVersion: metal-stack.io/v1
kind: ClusterwideNetworkPolicy
metadata:
name: allow-to-vpn
namespace: firewall
spec:
egress:
- ports:
- port: 4314
protocol: UDP
- port: 4314
protocol: TCP
to:
- cidr: 0.0.0.0/0

{{- end }}

{{- if .Values.duros.enabled }}
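Review bot: The new allow-to-vpn policy renders `to:` with no entries when `.Values.apiserverIPs` is empty, because the `range` under `to:` has no guard like the `{{- if gt (len .Values.apiserverIPs) 0 }}` already used further down in this file; if the firewall-controller treats an empty `to` list the way Kubernetes NetworkPolicy does (match every destination), the intended narrowing from `0.0.0.0/0` silently becomes allow-all again, so the whole `allow-to-vpn` document should sit inside that same guard. The same empty-list shape arises for the DNS and NTP rules when `dnsCidrs` or `ntpCidrs` is empty. `- cidr: {{ $ip }}/32` also hard-codes an IPv4 host prefix; an IPv6 apiserver address would need `/128`, so the prefix length should come from the value or be chosen by address family. The DNS, NTP and VPN rules emit the templated CIDR unquoted while the registry rule uses `{{ quote $reg.cidr }}`; using `quote` in all four keeps the rendered value a string whatever the input looks like.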
10 changes: 10 additions & 0 deletions charts/internal/shoot-control-plane/values.yaml
Expand Up @@ -34,6 +34,16 @@ restrictEgress:
protocol: TCP
port: 443

networkAccess:
restrictedOrForbidden: false
dnsCidrs: ["0.0.0.0/0"]
ntpCidrs: ["0.0.0.0/0"]
registryMirrors:
- name: ""
endpoint: ""
cidr: "0.0.0.0/32"
port: 443

droptailer:
podAnnotations: {}
server:
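Review bot: The default `registryMirrors` entry is a placeholder (`name: ""`, `endpoint: ""`, `cidr: "0.0.0.0/32"`, `port: 443`) rather than an empty list, so a consumer that sets `restrictedOrForbidden: true` without overriding it gets an `allow-to-registry` rule to `0.0.0.0/32` on port 443 generated from the placeholder, because the template ranges over the list unfiltered. An empty default, `registryMirrors: []`, with the expected fields shown in a comment above it, avoids emitting a rule from values nobody set. A one-line comment on `restrictedOrForbidden` saying which network access types set it would also help, since the name describes the outcome rather than the input that drives it.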