Feature Overview (aka. Goal Summary)  

Enhance the existing GA of stateless Node Ingress Firewall with support for stateful connection tracking.
 

Goals (aka. expected user outcomes)

Provide short-to-midterm functionality similar to RHEL firewalld on CoreOS, with the expectation of a longer-term follow-up to provide an API-based solution.

Why is this important?

Telco customers expect networking firewall configurations to protect network access at a node level. They want to control from which interface and remote hosts the kube API server can be accessed.

Requirements for host-level firewalling often come up in RFx from telco customers as well as from NEPs .

Requirements (aka. Acceptance Criteria):

Use Cases (Optional):

Questions to Answer (Optional):

Out of Scope

Background

If all they want to do is block external access to host-network pods and services on the node's IPs, nftables/firewalld will still work with ovn-kubernetes. QE is necessary.

The cleanest solution is a new Custom Resource (eg, API) for host-level firewalling, that an operator eventually transforms into nftables rules or firewalld config for a node. This is orthogonal to network plugins, but they must still promise not to break it since plugins also use nftables/firewalld.

Customer Considerations

Documentation Considerations

• Documentation should be appended to existing stateless documentation. 

Interoperability Considerations