@williamcaban
Last active April 5, 2024 01:17
Example of limiting access to the OpenShift control plane (Kube API and SSH to the control-plane nodes) using the Ingress Node Firewall Operator
---
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: IngressNodeFirewallConfig
metadata:
  name: ingressnodefirewallconfig
  namespace: openshift-ingress-node-firewall
spec:
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
---
# allow full access from jump host and cluster itself
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: IngressNodeFirewall
metadata:
  name: api-access-from-jumphost
spec:
  interfaces:
  - br-ex
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/control-plane: ""
  ingress:
  - sourceCIDRs:
    - 192.168.1.130/32 # IP or network of jumphost
    - 169.254.0.0/16   # link-local network (special use)
    - 172.30.0.0/16    # services network
    - 10.128.0.0/14    # cluster network
    - 192.168.1.30/32  # (control plane node 1)
    - 192.168.1.31/32  # (control plane node 2)
    - 192.168.1.32/32  # (control plane node 3)
    rules:
    - action: Allow
      order: 10
  # allow access ONLY to the ingress for anyone else
  - sourceCIDRs:
    - 0.0.0.0/0
    rules:
    - action: Allow
      order: 20
      protocolConfig: # allow http access to ingress
        protocol: TCP
        tcp:
          ports: 80
    - action: Allow
      order: 30 # allow https access to ingress
      protocolConfig:
        protocol: TCP
        tcp:
          ports: 443
    - action: Deny
      order: 40
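To check what the policy above actually lets through before applying it to a cluster, the following added example (not part of the gist) replays the same CIDRs and rules against sample packets. It assumes the operator's matching model of longest-prefix match on the source CIDR, then the matching block's rules in ascending `order` with the first hit winning and an unmatched packet passing; the source addresses 203.0.113.5 and 10.129.2.7 are constructed test values.

```python
import ipaddress

# Same CIDRs and rules as the gist's IngressNodeFirewall, as a plain Python structure.
TRUSTED = ["192.168.1.130/32", "169.254.0.0/16", "172.30.0.0/16", "10.128.0.0/14",
           "192.168.1.30/32", "192.168.1.31/32", "192.168.1.32/32"]
POLICY = [
    {"sourceCIDRs": TRUSTED, "rules": [{"order": 10, "action": "Allow"}]},
    {"sourceCIDRs": ["0.0.0.0/0"], "rules": [
        {"order": 20, "action": "Allow", "protocol": "TCP", "ports": "80"},
        {"order": 30, "action": "Allow", "protocol": "TCP", "ports": "443"},
        {"order": 40, "action": "Deny"},          # catch-all for everyone else
    ]},
]

def _port_matches(spec, port):
    """`ports` is a single port ("80") or a range ("80-100"), as in the CRD."""
    lo, _, hi = str(spec).partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(policy, src_ip, proto, dport):
    """Assumed semantics: the block whose sourceCIDR is the longest prefix
    match for src_ip is selected; its rules run in ascending order; the first
    rule whose protocol/port constraints match decides; no match -> Allow."""
    src = ipaddress.ip_address(src_ip)
    best = None  # (prefixlen, rules) of the most specific matching CIDR
    for block in policy:
        for cidr in block["sourceCIDRs"]:
            net = ipaddress.ip_network(cidr)
            if src in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, block["rules"])
    if best is None:
        return "Allow"  # no sourceCIDR covers the packet: it passes untouched
    for rule in sorted(best[1], key=lambda r: r["order"]):
        if "protocol" in rule and rule["protocol"] != proto:
            continue
        if "ports" in rule and not _port_matches(rule["ports"], dport):
            continue
        return rule["action"]
    return "Allow"

if __name__ == "__main__":
    for src, proto, port in [("192.168.1.130", "TCP", 6443), ("203.0.113.5", "TCP", 443),
                             ("203.0.113.5", "TCP", 6443), ("203.0.113.5", "TCP", 22),
                             ("10.129.2.7", "TCP", 22)]:
        print(f"{src:>14} {proto}/{port:<5} -> {evaluate(POLICY, src, proto, port)}")
```

The jump host and in-cluster sources reach 6443 and 22, while an outside address only gets 80 and 443; anything else from outside falls through to the order-40 Deny.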