
@knisbet
Last active June 26, 2023 11:02
gravity-firewalld isolation

For testing, the default DMZ zone was used as the basis for all rules below.

# Set DMZ interface to eth0
firewall-cmd --zone=dmz --change-interface=eth0 --permanent
firewall-cmd --reload

Assumptions:

  • localhost isn't restricted
  • The subnet all members belong to is 10.162.0.0/20 (substitute the CIDR of the subnet the cluster actually runs in)
  • This doesn't consider any software deployed on top of gravity, only the gravity platform itself
  • The default overlay network range is in use (10.244.0.0/16); it can be changed by an install flag

Configuration that applies to all nodes:

# VXLAN Overlay Network
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=8472 protocol=udp accept' --permanent

# Serf (cluster membership for health checks)
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=7496 protocol=udp accept' --permanent
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=7496 protocol=tcp accept' --permanent

# gRPC API for health checks
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=7575 protocol=tcp accept' --permanent

# Kubernetes internal API (between kubernetes processes)
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=10248-10250 protocol=tcp accept' --permanent
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=10255 protocol=tcp accept' --permanent

# Teleport
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=3022-3025 protocol=tcp accept' --permanent

# Gravity Internal Services
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=3008-3012 protocol=tcp accept' --permanent
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=6060-6060 protocol=tcp accept' --permanent

# Gravity Controller API
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=32009 protocol=tcp accept' --permanent

# Pods to host (overlay network)
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.244.0.0/16" accept' --permanent

# Re-order forwarding rules to allow forwarding of overlay network
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct 0 -s 10.244.0.0/16 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct 0 -d 10.244.0.0/16 -j ACCEPT

# Block overlay network destinations on external interfaces (should only exist on virtual interfaces within the cluster)
# Note: This rule has the side effect of blocking NodePorts, so any nodeports that need to operate external to the cluster need an INPUT_direct rule to allow access
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" destination address="10.244.0.0/16" reject' --permanent

Additional rules needed on controllers only:

# ETCD
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=2379-2380 protocol=tcp accept' --permanent
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=4001 protocol=tcp accept' --permanent
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=7001 protocol=tcp accept' --permanent

# Kubernetes API
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=6443 protocol=tcp accept' --permanent

# Docker Registry
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=5000 protocol=tcp accept' --permanent

Instruct firewalld to load the new rules:

firewall-cmd --reload

Additional install-time rules on all nodes (note: these are deliberately not added as permanent rules, so they are runtime-only and are dropped on the next reload)

firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=61008-61010 protocol=tcp accept'
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=61022-61024 protocol=tcp accept'
firewall-cmd --zone=dmz --add-rich-rule='rule family="ipv4" source address="10.162.0.0/20" port port=4242 protocol=tcp accept'
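The rule set above is easy to mistype when the cluster CIDR is swapped in by hand (an inverted port range, for instance, is rejected by firewalld at apply time). The script below is an added example, not part of the gist: it parameterises the same rules on CLUSTER_CIDR, OVERLAY_CIDR and ZONE, validates every port spec before building a rich rule, and by default (DRY_RUN=1) only prints the firewall-cmd invocations so they can be reviewed before being run on a node. The variable names, the DRY_RUN switch and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: parameterised generator for the gravity firewalld rules.
# Assumptions (not from the gist): CLUSTER_CIDR, OVERLAY_CIDR, ZONE and
# DRY_RUN environment variables; DRY_RUN=1 prints instead of applying.

CLUSTER_CIDR="${CLUSTER_CIDR:-10.162.0.0/20}"
OVERLAY_CIDR="${OVERLAY_CIDR:-10.244.0.0/16}"
ZONE="${ZONE:-dmz}"
DRY_RUN="${DRY_RUN:-1}"

# Accept "N" or "LO-HI"; both ends must be 1..65535 and LO <= HI.
valid_port_spec() {
  spec="$1"
  case "$spec" in
    *-*) lo="${spec%%-*}"; hi="${spec#*-}" ;;
    *)   lo="$spec"; hi="$spec" ;;
  esac
  case "$lo$hi" in ""|*[!0-9]*) return 1 ;; esac
  if [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]; then
    return 0
  fi
  return 1
}

# Build an accept rich rule in the same form the gist uses.
rich_rule() {
  source="$1"; spec="$2"; proto="$3"
  valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
  printf 'rule family="ipv4" source address="%s" port port=%s protocol=%s accept' \
    "$source" "$spec" "$proto"
}

# Print (dry run, one line per invocation) or execute a firewall-cmd call.
fw() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "firewall-cmd $*"
  else
    firewall-cmd "$@"
  fi
}

# Permanent rule allowing one port spec from the cluster subnet.
allow_port() {
  fw --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule "$CLUSTER_CIDR" "$1" "$2")"
}

# Rules every node needs (mirrors the "all nodes" section).
common_rules() {
  allow_port 8472 udp          # VXLAN overlay
  allow_port 7496 udp          # Serf membership
  allow_port 7496 tcp
  allow_port 7575 tcp          # gRPC health-check API
  allow_port 10248-10250 tcp   # Kubernetes internal APIs
  allow_port 10255 tcp
  allow_port 3022-3025 tcp     # Teleport
  allow_port 3008-3012 tcp     # Gravity internal services
  allow_port 6060 tcp
  allow_port 32009 tcp         # Gravity controller API
  fw --permanent --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$OVERLAY_CIDR\" accept"
  fw --permanent --direct --add-rule ipv4 filter FORWARD_direct 0 -s "$OVERLAY_CIDR" -j ACCEPT
  fw --permanent --direct --add-rule ipv4 filter FORWARD_direct 0 -d "$OVERLAY_CIDR" -j ACCEPT
  # Overlay destinations must not be reachable via the external interface.
  fw --permanent --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" destination address=\"$OVERLAY_CIDR\" reject"
}

# Controller-only rules (etcd, Kubernetes API, registry).
controller_rules() {
  allow_port 2379-2380 tcp
  allow_port 4001 tcp
  allow_port 7001 tcp
  allow_port 6443 tcp
  allow_port 5000 tcp
}

# apply_rules [controller|worker]: emit/apply the rule set, then reload.
apply_rules() {
  role="${1:-worker}"
  common_rules
  if [ "$role" = controller ]; then
    controller_rules
  fi
  fw --reload
}
```

Run `DRY_RUN=1 sh rules.sh` after appending `apply_rules controller` to review the generated commands, then rerun with `DRY_RUN=0` on the node itself; the install-time runtime rules are not included because they are meant to be added without `--permanent` and left to expire on reload.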