OpenShift… if you need a firewall

If your security posture requires a host firewall on the nodes, you can add one (nftables, delivered as a MachineConfig) to your OpenShift worker nodes with the following steps:

  1. Create a Butane configuration

cat << EOF > 98-nftables-worker.bu
variant: openshift
version: 4.16.0
metadata:
  name: 98-nftables-worker
  labels:
    machineconfiguration.openshift.io/role: worker
systemd:
  units:
    - name: "nftables.service"
      enabled: true
      contents: |
        [Unit]
        Description=Netfilter Tables
        Documentation=man:nft(8)
        Wants=network-pre.target
        Before=network-pre.target
        [Service]
        Type=oneshot
        ProtectSystem=full
        ProtectHome=true
        ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
        ExecReload=/sbin/nft -f /etc/sysconfig/nftables.conf
        ExecStop=/sbin/nft 'add table inet custom_table; delete table inet custom_table'
        RemainAfterExit=yes
        [Install]
        WantedBy=multi-user.target
storage:
  files:
  - path: /etc/sysconfig/nftables.conf
    mode: 0600
    overwrite: true
    contents:
      inline: |
        table inet custom_table
        delete table inet custom_table
        table inet custom_table {
            chain input {
                type filter hook input priority 0; policy accept;
                ip saddr 1.1.1.1/24 drop
            }
        }
EOF

  2. Download Butane (the link below is the ppc64le build; pick the build for your node architecture from the same release)

curl -o butane https://github.com/coreos/butane/releases/download/v0.23.0/butane-ppc64le-unknown-linux-gnu -L

  3. Run Butane to render the MachineConfig

chmod +x butane; ./butane 98-nftables-worker.bu -o 98-nftables-worker.yaml

  4. Apply the generated MachineConfig

oc apply -f 98-nftables-worker.yaml

After the change has rolled out to the worker MachineConfigPool, you can verify that the workers drop traffic from the listed source.
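Because a mistake in the ruleset is rolled out to every worker, it pays to review the rendered MachineConfig before step 4. The check below is an added example, not code from the original post: it decodes the data: URLs that Butane embeds in the Ignition config and flags the mistakes that matter most (unit not enabled, wrong file mode, missing idempotent delete, a default-drop input chain that would cut the node off). The sample MachineConfig, the function names and the JSON form of the document are assumptions for this example; a real rendering carries more fields.

```python
import base64
import json
from urllib.parse import quote, unquote

# Constructed sample in the shape butane renders the MachineConfig above (Ignition
# carries each file as a data: URL); written as JSON so no YAML library is needed.
RULESET = ("table inet custom_table\ndelete table inet custom_table\n"
           "table inet custom_table {\n    chain input {\n"
           "        type filter hook input priority 0; policy accept;\n"
           "        ip saddr 1.1.1.1/24 drop\n    }\n}\n")
SAMPLE_MC = json.dumps({
    "kind": "MachineConfig",
    "metadata": {"name": "98-nftables-worker",
                 "labels": {"machineconfiguration.openshift.io/role": "worker"}},
    "spec": {"config": {
        "systemd": {"units": [{"name": "nftables.service", "enabled": True}]},
        "storage": {"files": [{"path": "/etc/sysconfig/nftables.conf",
                               "mode": 0o600, "overwrite": True,
                               "contents": {"source": "data:," + quote(RULESET)}}]}}}})

def decode_data_url(url):
    """Decode an Ignition data: URL, percent-encoded or base64 (butane emits both)."""
    header, _, payload = url.partition(",")
    if not header.startswith("data:"):
        raise ValueError("not a data: URL: " + header)
    if header.endswith(";base64"):
        return base64.b64decode(payload).decode()
    return unquote(payload)

def review_nftables_mc(doc):
    """Return findings for a rendered nftables MachineConfig; an empty list means OK."""
    cfg = json.loads(doc)["spec"]["config"]
    findings = []
    units = {u["name"]: u for u in cfg.get("systemd", {}).get("units", [])}
    if not units.get("nftables.service", {}).get("enabled"):
        findings.append("nftables.service is missing or not enabled")
    files = {f["path"]: f for f in cfg.get("storage", {}).get("files", [])}
    conf = files["/etc/sysconfig/nftables.conf"]  # KeyError if the file is missing
    if conf.get("mode") != 0o600:  # Ignition stores the mode as a decimal int (384)
        findings.append("nftables.conf mode is not 0600")
    rules = decode_data_url(conf["contents"]["source"])
    lines = [l.strip() for l in rules.splitlines()]
    if "delete table inet custom_table" not in lines:
        findings.append("no 'delete table' line: each reload would append duplicate rules")
    # Default-drop input without an established,related accept rule cuts the node off.
    if "policy drop" in rules and "ct state established,related accept" not in rules:
        findings.append("input chain is policy drop without an established,related accept rule")
    if not any(l.endswith(" drop") for l in lines):
        findings.append("no drop rule found: this ruleset would block nothing")
    return findings
```

To review your own rendering, load 98-nftables-worker.yaml with a YAML parser and pass its JSON form to review_nftables_mc.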
