feat: default security policy for mgmt/worker/witness nodes
Put particular ports on a whitelist per node role so that only the
required traffic is allowed to pass through.

Link: harvester/harvester#5681

Signed-off-by: Chris Chiu <[email protected]>
mschiu77 committed May 30, 2024
1 parent d6e0a6b commit e6f9828
Showing 5 changed files with 48 additions and 8 deletions.
2 changes: 1 addition & 1 deletion pkg/config/config.go
Expand Up @@ -414,7 +414,7 @@ func GenerateRancherdConfig(config *HarvesterConfig) (*yipSchema.YipConfig, erro
return nil, err
}

if _, err := UpdateManagementInterfaceConfig(&runtimeConfig, config.ManagementInterface, true); err != nil {
if _, err := UpdateManagementInterfaceConfig(&runtimeConfig, config.ManagementInterface, true, config.Role); err != nil {
return nil, err
}

14 changes: 9 additions & 5 deletions pkg/config/cos.go
Expand Up @@ -190,7 +190,7 @@ func ConvertToCOS(config *HarvesterConfig) (*yipSchema.YipConfig, error) {
return nil, err
}

_, err = UpdateManagementInterfaceConfig(&initramfs, cfg.ManagementInterface, false)
_, err = UpdateManagementInterfaceConfig(&initramfs, cfg.ManagementInterface, false, config.Role)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -475,7 +475,7 @@ func SaveOriginalNetworkConfig() error {
// - generates wicked interface files (`/etc/sysconfig/network/ifcfg-*` and `ifroute-*`)
// - manipulates nameservers in `/etc/resolv.conf`.
// - call `wicked ifreload all` if `run` flag is true.
func UpdateManagementInterfaceConfig(stage *yipSchema.Stage, mgmtInterface Network, run bool) (string, error) {
func UpdateManagementInterfaceConfig(stage *yipSchema.Stage, mgmtInterface Network, run bool, role string) (string, error) {
if len(mgmtInterface.Interfaces) == 0 {
return "", errors.New("no slave defined for management network bond")
}
Expand All @@ -498,7 +498,7 @@ func UpdateManagementInterfaceConfig(stage *yipSchema.Stage, mgmtInterface Netwo
}
}

if err := updateBridge(stage, MgmtInterfaceName, &mgmtInterface); err != nil {
if err := updateBridge(stage, MgmtInterfaceName, &mgmtInterface, role); err != nil {
return "", err
}

Expand Down Expand Up @@ -594,7 +594,7 @@ func updateBond(stage *yipSchema.Stage, name string, network *Network) error {
return nil
}

func updateBridge(stage *yipSchema.Stage, name string, mgmtNetwork *Network) error {
func updateBridge(stage *yipSchema.Stage, name string, mgmtNetwork *Network, role string) error {
// add Bridge named MgmtInterfaceName and attach Bond named MgmtBondInterfaceName to bridge

needVlanInterface := false
Expand All @@ -611,7 +611,11 @@ func updateBridge(stage *yipSchema.Stage, name string, mgmtNetwork *Network) err
Group: 0,
})

preUpScript, err := render("wicked-setup-bridge.sh", MgmtBondInterfaceName)
roleData := map[string]interface{}{
"Role": role,
"Bond": MgmtBondInterfaceName,
}
preUpScript, err := render("wicked-setup-bridge.sh", roleData)
if err != nil {
return err
}
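Review bot: The new `role` parameter of UpdateManagementInterfaceConfig (and of updateBridge, where it is forwarded into `roleData`) is undocumented, and the doc comment above the signature still lists only the wicked and resolv.conf effects; add a bullet such as `// - when role is non-empty, renders role-specific iptables INPUT rules into the bridge post-up script (templates/wicked-setup-bridge.sh).` The value is not checked against the known roles before rendering: judging by the template's branches, `""` disables the policy, `default`/`management` select the management port set, and any other string silently falls into the worker branch, so unless `config.Role` is validated upstream a misspelled role would produce a worker firewall on a management node — consider rejecting unknown values here. The body of updateBridge continues outside the hunk.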
27 changes: 26 additions & 1 deletion pkg/config/templates/wicked-setup-bridge.sh
Expand Up @@ -12,6 +12,31 @@ case $ACTION in
post-up)
# accept all vlan, PVID=1 by default
bridge vlan add vid 2-4094 dev $INTERFACE self
bridge vlan add vid 2-4094 dev {{ . }}
bridge vlan add vid 2-4094 dev {{ .Bond }}

{{ if ne .Role "" -}}
iptables -P INPUT DROP

iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 8472 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 6443:6444 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 10248:10250 -j ACCEPT
iptables -A INPUT -p tcp --dport 10010 -j ACCEPT
iptables -A INPUT -p tcp --dport 9091 -j ACCEPT
iptables -A INPUT -p tcp --dport 9099 -j ACCEPT
{{ if or (eq .Role "default") (eq .Role "management") -}}
iptables -A INPUT -p tcp --dport 9345 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 10256:10260 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 2379:2382 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 2399:2402 -j ACCEPT

iptables -A INPUT -p tcp --dport 2112 -j ACCEPT
{{ else -}}
iptables -A INPUT -p tcp --dport 10256 -j ACCEPT
{{ end -}}
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
{{ end -}}
;;
esac
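Review bot: The policy flip at `iptables -P INPUT DROP` runs before any ACCEPT rule exists and the block never accepts loopback (`-i lo`), so from that line until the later `-A` lines land all inbound traffic is dropped, and traffic to 127.0.0.1 on any port not in the list stays dropped afterwards; accept `lo` and `ESTABLISHED,RELATED` first and move the policy change to the end of the block (RELATED also keeps ICMP errors such as path-MTU feedback flowing, which the final `ESTABLISHED`-only rule does not). The `-A` rules are appended unconditionally on every post-up, so if the script runs again (for example after the `wicked ifreload all` issued on the `run` path) the whole set is duplicated, and `removeTempEtcdPorts` in dashboard_panels.go deletes only one copy of the 2399:2402 rule; guard each append with `iptables -C INPUT … 2>/dev/null || iptables -A INPUT …`. Only iptables is touched, so on a bridge that also carries IPv6 addresses the same ports remain reachable under ip6tables' unchanged policy — if that is intended, say so in a comment next to the policy line. The enclosing `case $ACTION in` starts outside the hunk.
```sh
{{ if ne .Role "" -}}
# Loopback and reply traffic are accepted first so the policy change below never cuts them off.
iptables -C INPUT -i lo -j ACCEPT 2>/dev/null || iptables -I INPUT 1 -i lo -j ACCEPT
iptables -C INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || iptables -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# … unchanged: per-port ACCEPT rules for the role, each wrapped as `iptables -C INPUT <rule> 2>/dev/null || iptables -A INPUT <rule>` …
iptables -P INPUT DROP
{{ end -}}
```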
11 changes: 11 additions & 0 deletions pkg/console/dashboard_panels.go
Expand Up @@ -515,6 +515,16 @@ func nodeIsPresent() bool {
return true
}

func removeTempEtcdPorts() {
command := fmt.Sprint(`iptables -D INPUT -p tcp -m multiport --dports 2399:2402 -j ACCEPT`)
cmd := exec.Command("/bin/sh", "-c", command)
cmd.Env = os.Environ()
output, err := cmd.CombinedOutput()
if err != nil {
logrus.Error(err, string(output))
}
}

func getHarvesterStatus() string {
if current.firstHost && !current.installed {
if !k8sIsReady() || !chartIsInstalled() {
Expand All @@ -532,6 +542,7 @@ func getHarvesterStatus() string {
rancherReady := isPodReady("cattle-system", "app=rancher")
harvesterAPIReady := isAPIReady(current.managementURL, "/version")
if harvesterReady && harvesterWebhookReady && rancherReady && harvesterAPIReady {
removeTempEtcdPorts()
return wrapColor(statusReady, colorGreen)
}
return wrapColor(statusNotReady, colorYellow)
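Review bot: `removeTempEtcdPorts` is called from `getHarvesterStatus` on every status poll once all readiness checks pass (second hunk), so after the first successful `iptables -D` every later poll fails because the rule is already gone and that failure is logged at Error level each time; run the deletion once (a `sync.Once`, or a flag on `current`) so the status getter does not carry a repeated side effect. In the function itself `fmt.Sprint` on a constant string is a no-op and `/bin/sh -c` adds a shell to a fixed argument list; invoke `exec.Command("iptables", "-D", …)` directly. Note also that `-D` removes a single instance of the rule, so if the bridge post-up script has appended it more than once the extra copies remain. The rewrite below needs `sync` imported if the file does not already have it.
```go
// removeTempEtcdPortsOnce makes sure the temporary etcd port rule is deleted only once.
var removeTempEtcdPortsOnce sync.Once

func removeTempEtcdPorts() {
	removeTempEtcdPortsOnce.Do(func() {
		cmd := exec.Command("iptables", "-D", "INPUT", "-p", "tcp", "-m", "multiport", "--dports", "2399:2402", "-j", "ACCEPT")
		cmd.Env = os.Environ()
		if output, err := cmd.CombinedOutput(); err != nil {
			logrus.Error(err, string(output))
		}
	})
}
```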
2 changes: 1 addition & 1 deletion pkg/console/network.go
Expand Up @@ -75,7 +75,7 @@ func applyNetworks(network config.Network, hostname string) ([]byte, error) {
},
},
}
_, err = config.UpdateManagementInterfaceConfig(&conf.Stages["live"][1], network, true)
_, err = config.UpdateManagementInterfaceConfig(&conf.Stages["live"][1], network, true, "")
if err != nil {
return nil, err
}
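Review bot: The literal `""` on the new call line disables the firewall policy entirely for the console's applyNetworks path, because the template only renders the iptables rules when `.Role` is non-empty; that may well be intentional (the role is not among applyNetworks's parameters and may not be known yet at this step), but as written it reads like an omission. State the choice in a comment, e.g. `// role is deliberately empty here: no iptables policy is rendered until the node role is known`, or pass the chosen role through if the caller has it. applyNetworks starts and ends outside the hunk.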
