Feature Request
Resolution: Unresolved
Normal
openshift-4.19
Product / Portfolio Work
1. Proposed title of this feature request
Ingress Node Firewall add destinationCIDRs capability
2. What is the nature and description of the request?
Extend '.spec.ingress' in the IngressNodeFirewall CR with a 'destinationCIDRs' field, so that rules can match on the destination IP/CIDR of a packet and not only on its source ('sourceCIDRs').
3. Why does the customer need this? (List the business requirements here)
For security reasons, a customer might want to block all external traffic from reaching 'br-ex' on port TCP/111 while still allowing the OpenShift-related networks through (clusterNetwork, machineNetwork, serviceNetwork), so they might create a rule like this:
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: IngressNodeFirewall
metadata:
  name: ingressnodefirewall
spec:
  interfaces:
  - br-ex
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: worker-3
  ingress:
  - sourceCIDRs:
    - 10.128.0.0/14  # Allow clusterNetwork
    - 172.30.0.0/16  # Allow serviceNetwork
    - 10.1.164.0/24  # Allow machineNetwork
    rules:
    - order: 10
      protocolConfig:
        protocol: TCP
        tcp:
          ports: "111"
      action: Allow
  - sourceCIDRs:
    - 0.0.0.0/0  # Block all other CIDRs
    rules:
    - order: 10
      protocolConfig:
        protocol: TCP
        tcp:
          ports: "111"
      action: Deny
However, if they are also using MetalLB with its own IP pool and create an OpenShift Service that should be reachable on TCP/111, and that MetalLB IP lives on 'br-ex' as well, the Service is now effectively blocked: external clients have source addresses that fall under 0.0.0.0/0, and a sourceCIDRs-only rule cannot tell "TCP/111 on the node's own IP" apart from "TCP/111 on the MetalLB IP".
We are proposing a 'destinationCIDRs' field, which might look like this:
  - destinationCIDRs:
    - 10.1.164.222/32  # Custom IP used for MetalLB
    rules:
    - order: 10
      protocolConfig:
        protocol: TCP
        tcp:
          ports: "111"
      action: Allow
So the full config might look like this:
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: IngressNodeFirewall
metadata:
  name: ingressnodefirewall
spec:
  interfaces:
  - br-ex
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: worker-3
  ingress:
  - destinationCIDRs:
    - 10.1.164.222/32  # Custom IP used for MetalLB
    rules:
    - order: 10
      protocolConfig:
        protocol: TCP
        tcp:
          ports: "111"
      action: Allow
  - sourceCIDRs:
    - 10.128.0.0/14  # Allow clusterNetwork
    - 172.30.0.0/16  # Allow serviceNetwork
    - 10.1.164.0/24  # Allow machineNetwork
    rules:
    - order: 10
      protocolConfig:
        protocol: TCP
        tcp:
          ports: "111"
      action: Allow
  - sourceCIDRs:
    - 0.0.0.0/0  # Block all other CIDRs
    rules:
    - order: 10
      protocolConfig:
        protocol: TCP
        tcp:
          ports: "111"
      action: Deny
This would allow clusterNetwork, machineNetwork and serviceNetwork to reach TCP/111 on 'br-ex', allow external connections (external to the cluster) to reach the MetalLB IP '10.1.164.222/32', which also lives on 'br-ex', on TCP/111, and block every other connection to 'br-ex' on TCP/111.
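To make the intended behaviour checkable before the field exists, the following is an added Python model of how the CR above would be evaluated. It is not the operator's code (the shipped operator matches in eBPF and this request does not define how a destinationCIDRs entry is prioritized against sourceCIDRs entries), so its evaluation semantics are assumptions: ingress entries are tried in listed order, an entry applies when the source is in sourceCIDRs (if present) and the destination is in destinationCIDRs (if present), rules inside an entry are tried in ascending 'order' with first match winning, and a packet matched by no rule passes. The client addresses 198.51.100.7 and 203.0.113.0/24 are constructed. The third spec goes beyond the request by combining both fields in one entry, to show how the MetalLB allow can be narrowed to a specific source range.

```python
"""Added model of IngressNodeFirewall ingress evaluation with the proposed
destinationCIDRs field. Illustration only: not the operator's eBPF code, and the
cross-entry precedence it assumes is not defined by the feature request."""
import ipaddress


def _rule(order, proto, ports, action):
    """Build one rule in the CR's protocolConfig shape (TCP/UDP only)."""
    return {"order": order,
            "protocolConfig": {"protocol": proto, proto.lower(): {"ports": ports}},
            "action": action}


# Constructed copy of the proposed CR from the request, as Python data.
PROPOSED_SPEC = {
    "interfaces": ["br-ex"],
    "ingress": [
        {"destinationCIDRs": ["10.1.164.222/32"],      # proposed field: MetalLB IP
         "rules": [_rule(10, "TCP", "111", "Allow")]},
        {"sourceCIDRs": ["10.128.0.0/14", "172.30.0.0/16", "10.1.164.0/24"],
         "rules": [_rule(10, "TCP", "111", "Allow")]},
        {"sourceCIDRs": ["0.0.0.0/0"],
         "rules": [_rule(10, "TCP", "111", "Deny")]},
    ],
}

# Today's CR: the same policy without the destinationCIDRs entry.
CURRENT_SPEC = {"interfaces": ["br-ex"], "ingress": PROPOSED_SPEC["ingress"][1:]}

# Beyond the request: source and destination in one entry, so only an assumed
# partner range (203.0.113.0/24, constructed) may reach the MetalLB IP.
RESTRICTED_SPEC = {
    "interfaces": ["br-ex"],
    "ingress": [
        {"sourceCIDRs": ["203.0.113.0/24"],
         "destinationCIDRs": ["10.1.164.222/32"],
         "rules": [_rule(10, "TCP", "111", "Allow")]},
    ] + PROPOSED_SPEC["ingress"][1:],
}


def _in_any(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _port_matches(spec_ports, port):
    """'ports' is a string: a single port or a low-high range (assumed syntax)."""
    for part in spec_ports.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif part and int(part) == port:
            return True
    return False


def _rule_matches(rule, proto, port):
    cfg = rule["protocolConfig"]
    if cfg["protocol"] != proto:
        return False
    return _port_matches(cfg.get(proto.lower(), {}).get("ports", ""), port)


def evaluate(spec, src, dst, proto="TCP", port=0):
    """Return 'Allow' or 'Deny' for one packet arriving on a protected interface.

    Assumed semantics: entries are tried in listed order; an entry applies when
    src is in sourceCIDRs (if present) and dst is in destinationCIDRs (if
    present); its rules are tried in ascending 'order' and the first match wins.
    A packet matched by no rule at all is allowed (pass-through).
    """
    for entry in spec["ingress"]:
        if "sourceCIDRs" in entry and not _in_any(src, entry["sourceCIDRs"]):
            continue
        if "destinationCIDRs" in entry and not _in_any(dst, entry["destinationCIDRs"]):
            continue
        for rule in sorted(entry["rules"], key=lambda r: r["order"]):
            if _rule_matches(rule, proto, port):
                return rule["action"]
    return "Allow"


if __name__ == "__main__":
    # Constructed packets: external client, pod, the node's br-ex IP, the MetalLB IP.
    cases = [("198.51.100.7", "10.1.164.222", 111),  # external -> MetalLB Service
             ("198.51.100.7", "10.1.164.3", 111),    # external -> node's own IP
             ("10.128.2.9", "10.1.164.3", 111),      # pod (clusterNetwork) -> node
             ("198.51.100.7", "10.1.164.3", 22)]     # port covered by no rule
    for name, spec in (("current", CURRENT_SPEC), ("proposed", PROPOSED_SPEC),
                       ("restricted", RESTRICTED_SPEC)):
        for src, dst, port in cases:
            print(f"{name:10} {src:>14} -> {dst}:{port:<4} "
                  f"{evaluate(spec, src, dst, 'TCP', port)}")
```

Two things the model makes visible that the request should pin down. First, with the proposed CR as written, TCP/111 on the MetalLB IP is reachable from every source; that is the stated intent, but if the Service only needs to be reached from a known range, carrying both sourceCIDRs and destinationCIDRs in the same entry (the third spec) keeps the deny-all entry effective for everyone else. Second, a packet from a machineNetwork host to the MetalLB IP matches both the destination entry and a source entry; they agree here (both Allow), but the implementation has to define which entry wins when they do not.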
4. List any affected packages or components.
Ingress Node Firewall Operator