Cloudpods’ services run on top of a Kubernetes cluster that uses Calico as its network plugin, so Calico manages the iptables rules on every node running the Cloudpods service. Firewall rules configured directly on a Cloudpods service node are therefore overwritten by the iptables rules that Calico programs, which makes them ineffective. This article describes how to use Calico’s HostEndpoint and GlobalNetworkPolicy resources to set firewall rules for host nodes.

1. Prepare the calicoctl tool

Download the binary

curl -O -L https://github.com/projectcalico/calicoctl/releases/download/v3.12.1/calicoctl
chmod +x calicoctl

Set environment variables

export DATASTORE_TYPE=kubernetes
export KUBECONFIG=/etc/kubernetes/admin.conf

2. Configure HostEndpoint rules

Define a HostEndpoint for each interface, on each host, whose traffic the firewall rules should control:

- apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: <node_name>-<interface_name>
    labels:
      role: master
      env: production
  spec:
    interfaceName: <interface_name>
    node: <node_name>
    expectedIPs: ["<interface_ip>"]
- apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: <node_name>-<interface_name>
    labels:
      role: master
      env: production
  spec:
    interfaceName: <interface_name>
    node: <node_name>
    expectedIPs: ["<interface_ip>"]

Apply this rule:

./calicoctl apply -f hep.yaml

3. Define network rules

After the HostEndpoints are defined, the firewall rules themselves are expressed as Calico GlobalNetworkPolicy resources.

- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: <whitelist_gnp_name>
  spec:
    order: 10
    preDNAT: true
    applyOnForward: true
    ingress:
      - action: Allow
        protocol: TCP
        source:
          nets: [<src_net_block1>, <src_net_block2>]
        destination:
          ports: [<dst_port1>, <dst_port2>]
    selector: role == 'master'
- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: drop-other-ingress
  spec:
    order: 20
    preDNAT: true
    applyOnForward: true
    ingress:
      - action: Deny
    selector: role == 'master'

Apply the rules:

./calicoctl apply -f gnp.yaml

4. The failSafe mechanism

Calico’s failsafe mechanism prevents a misconfigured policy from cutting a node off from the network: a fixed set of failsafe ports is never blocked, so an incorrect rule cannot make the node unreachable on those ports. The failsafe port list is documented here: docs.projectcalico.org/reference/h…

5. Configuration examples

For example, allow only TCP ports 80 and 443 inbound on the master nodes’ external interface.

HostEndpoint definition:

- apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: master1-em4
    labels:
      role: master
      type: external
  spec:
    interfaceName: em4
    node: master1
    expectedIPs: ["120.133.60.219"]
- apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: master2-em4
    labels:
      role: master
      type: external
  spec:
    interfaceName: em4
    node: master2
    expectedIPs: ["120.133.60.220"]
- apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: master3-em4
    labels:
      role: master
      type: external
  spec:
    interfaceName: em4
    node: master3
    expectedIPs: ["120.133.60.221"]

GlobalNetworkPolicy definition:

- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: allow-http-https-traffic-only
  spec:
    order: 10
    preDNAT: true
    applyOnForward: true
    ingress:
      - action: Allow
        protocol: TCP
        destination:
          ports: [80, 443]
    selector: role == 'master' && type == 'external'
- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: drop-other-ingress
  spec:
    order: 20
    preDNAT: true
    applyOnForward: true
    ingress:
      - action: Deny
    # The selector is missing from the original listing; it is assumed here to match the
    # allow policy above, because a policy with no selector applies to every host and
    # workload endpoint in the cluster.
    selector: role == 'master' && type == 'external'
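As an added worked example (not code from the original article or from the Calico project), the following Python script builds the HostEndpoint and GlobalNetworkPolicy set from sections 2, 3 and 5 for a constructed node inventory, emits it as JSON (which calicoctl apply -f accepts alongside YAML) and lints the policy set for the mistakes that matter for a host firewall: a policy without a selector, which also matches workload endpoints; a Deny ordered at or before the Allow it should follow; and egress rules in a preDNAT policy. The node names, interface and IP addresses are constructed.

```python
# Added example, not from the article: generate and lint the host-firewall
# manifests. Inventory, IPs and names below are constructed placeholders.
import json

NODES = {"master1": ("em4", "192.0.2.11"),   # constructed: node -> (interface, IP)
         "master2": ("em4", "192.0.2.12")}
SELECTOR = "role == 'master' && type == 'external'"


def host_endpoints(nodes, labels):
    """One HostEndpoint per node interface, named <node>-<interface>."""
    return [{"apiVersion": "projectcalico.org/v3", "kind": "HostEndpoint",
             "metadata": {"name": f"{node}-{iface}", "labels": dict(labels)},
             "spec": {"node": node, "interfaceName": iface, "expectedIPs": [ip]}}
            for node, (iface, ip) in nodes.items()]


def gnp(name, order, ingress, selector):
    """A pre-DNAT host GlobalNetworkPolicy (preDNAT policies carry ingress rules only)."""
    return {"apiVersion": "projectcalico.org/v3", "kind": "GlobalNetworkPolicy",
            "metadata": {"name": name},
            "spec": {"order": order, "preDNAT": True, "applyOnForward": True,
                     "selector": selector, "ingress": ingress}}


def lint(policies):
    """Return a list of problems; an empty list means the policy set is sane."""
    problems = []
    for p in policies:
        name, spec = p["metadata"]["name"], p["spec"]
        if not spec.get("selector"):
            problems.append(f"{name}: no selector, so it hits every host AND workload endpoint")
        if spec.get("preDNAT") and spec.get("egress"):
            problems.append(f"{name}: preDNAT policies may only contain ingress rules")

    def has(p, action):  # does any ingress rule of p carry this action?
        return any(r.get("action") == action for r in p["spec"].get("ingress", []))

    # Calico evaluates lower order first; a missing order sorts after ordered policies.
    for d in (p for p in policies if has(p, "Deny")):
        for a in (p for p in policies if has(p, "Allow")):
            if d["spec"].get("order", 1e9) <= a["spec"].get("order", 1e9):
                problems.append(f"{d['metadata']['name']}: evaluated before "
                                f"{a['metadata']['name']}, dropping its traffic")
    return problems


def manifests():
    heps = host_endpoints(NODES, {"role": "master", "type": "external"})
    allow = gnp("allow-http-https-traffic-only", 10,
                [{"action": "Allow", "protocol": "TCP", "destination": {"ports": [80, 443]}}],
                SELECTOR)
    deny = gnp("drop-other-ingress", 20, [{"action": "Deny"}], SELECTOR)
    return heps, [allow, deny]


if __name__ == "__main__":
    heps, gnps = manifests()
    print(json.dumps(heps + gnps, indent=2))   # pipe into: ./calicoctl apply -f -
    print("\n".join(lint(gnps)) or "policy set OK")
```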