Gist williamcaban/ecfb9a36dbb9e7e4a2a98ff5d1df830a, last active April 5, 2024 01:17
Example of limiting the access to OpenShift control-plane, Kube API and SSH to control plane nodes using the Ingress Node Firewall Operator
```yaml
---
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: IngressNodeFirewallConfig
metadata:
  name: ingressnodefirewallconfig
  namespace: openshift-ingress-node-firewall
spec:
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
---
# allow full access from jump host and cluster itself
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: IngressNodeFirewall
metadata:
  name: api-access-from-jumphost
spec:
  interfaces:
  - br-ex
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/control-plane: ""
  ingress:
  - sourceCIDRs:
    - 192.168.1.130/32 # IP or network of jumphost
    - 169.254.0.0/16   # link-local network (special use)
    - 172.30.0.0/16    # services network
    - 10.128.0.0/14    # cluster network
    - 192.168.1.30/32  # (control plane node 1)
    - 192.168.1.31/32  # (control plane node 2)
    - 192.168.1.32/32  # (control plane node 3)
    rules:
    - action: Allow
      order: 10
  # allow access ONLY to the ingress for anyone else
  - sourceCIDRs:
    - 0.0.0.0/0
    rules:
    - action: Allow
      order: 20
      protocolConfig: # allow http access to ingress
        protocol: TCP
        tcp:
          ports: 80
    - action: Allow
      order: 30 # allow https access to ingress
      protocolConfig:
        protocol: TCP
        tcp:
          ports: 443
    - action: Deny
      order: 40
```
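To check what the policy above actually permits before applying it, here is an added example (not part of the gist, and not the operator's own code) that transcribes the rule set into a small evaluator and runs constructed sample packets through it. It assumes a simplified matching model: every sourceCIDRs entry containing the source address is considered, rules are tried in ascending `order`, the first rule whose protocol and port match decides, and a packet no rule matches is allowed.

```python
# Added example: evaluate the gist's IngressNodeFirewall rules against sample
# packets. The matching model (all containing CIDRs, ascending order, first
# match wins, unmatched traffic allowed) is an assumption for this simulator.
import ipaddress

# Rule set transcribed from the gist: (cidr, order, action, protocol, port).
# protocol/port of None means "any protocol / any port".
FULL_ACCESS_SOURCES = [
    "192.168.1.130/32",  # jump host
    "169.254.0.0/16",    # link-local network
    "172.30.0.0/16",     # services network
    "10.128.0.0/14",     # cluster network
    "192.168.1.30/32", "192.168.1.31/32", "192.168.1.32/32",  # control-plane nodes
]
RULES = [(ipaddress.ip_network(c), 10, "Allow", None, None) for c in FULL_ACCESS_SOURCES]
RULES += [
    (ipaddress.ip_network("0.0.0.0/0"), 20, "Allow", "TCP", 80),   # http to ingress
    (ipaddress.ip_network("0.0.0.0/0"), 30, "Allow", "TCP", 443),  # https to ingress
    (ipaddress.ip_network("0.0.0.0/0"), 40, "Deny", None, None),   # everything else
]

def verdict(src: str, proto: str, dport: int) -> str:
    """Return 'Allow' or 'Deny' for a packet reaching a control-plane node on br-ex."""
    src_ip = ipaddress.ip_address(src)
    for cidr, _order, action, r_proto, r_port in sorted(RULES, key=lambda r: r[1]):
        if src_ip not in cidr:
            continue
        if r_proto is not None and (r_proto != proto or r_port != dport):
            continue
        return action
    return "Allow"  # assumption: traffic matched by no rule is not dropped

# Constructed sample packets: (source, protocol, destination port, description)
SAMPLES = [
    ("192.168.1.130", "TCP", 6443, "jump host -> Kube API"),
    ("192.168.1.130", "TCP", 22,   "jump host -> SSH"),
    ("10.129.2.15",   "TCP", 6443, "pod in cluster network -> Kube API"),
    ("203.0.113.7",   "TCP", 443,  "external client -> HTTPS ingress"),
    ("203.0.113.7",   "TCP", 80,   "external client -> HTTP ingress"),
    ("203.0.113.7",   "TCP", 6443, "external client -> Kube API"),
    ("203.0.113.7",   "TCP", 22,   "external client -> SSH"),
    ("203.0.113.7",   "UDP", 443,  "external client -> UDP/443 (not HTTPS)"),
]

if __name__ == "__main__":
    for src, proto, port, what in SAMPLES:
        print(f"{verdict(src, proto, port):5}  {what} ({src} {proto}/{port})")
```

The last three samples are the ones worth eyeballing: an external source reaches only TCP/80 and TCP/443, while the API port, SSH and non-TCP traffic to 443 fall through to the order-40 Deny.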