metal-stack / firewall-controller

A kubernetes controller running on bare-metal firewalls, creating nftables rules, configures suricata, collects network metrics
MIT License

First draft of forbidden mode for isolated clusters #172

Closed majst01 closed 8 months ago

majst01 commented 10 months ago

Related to: https://github.com/fi-ts/proxy-services/issues/4

Todos:

majst01 commented 9 months ago

rewall monitor successfully updated, requeuing in 10s","name":"shoot--pcfgbt--forbidden-firewall-ad19e","namespace":"firewall"}                                                                                                               
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: {"level":"info","timestamp":"2024-01-15T13:57:08+01:00","caller":"controller/controller.go:118","msg":"Observed a panic in reconciler: runtime error: invalid memory address or nil pointer dereference","controller":"clusterwidenetworkpolicy","controllerGroup":"metal-stack.io","controllerKind":"ClusterwideNetworkPolicy","ClusterwideNetworkPolicy":{"name":"allow-to-forbidden","namespace":"firewall"},"namespace":"firewall","name":"allow-to-forbidden","reconcileID":"2af9ae73-266a-4a63-a55d-cf8a1b0f6b49"}
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: panic: runtime error: invalid memory address or nil pointer dereference [recovered]
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         panic: runtime error: invalid memory address or nil pointer dereference
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x168b6cd]
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: goroutine 774 [running]:
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile.func1()
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         sigs.k8s.io/controller-runtime@v0.14.6/pkg/internal/controller/controller.go:119 +0x1e5
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: panic({0x1810a20?, 0x29dc300?})
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         runtime/panic.go:914 +0x21f
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: github.com/metal-stack/firewall-controller/v2/controllers.(*ClusterwideNetworkPolicyReconciler).validateCWNPEgressTargetPrefix(_, {{{0x16e22be, 0x18}, {0xc0007eb248, 0x11}}, {{0xc0007eb1b8, 0x12}, {0x0, 0x0}, {0xc000d165b8, ...}, ...}, ...}, ...)
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         github.com/metal-stack/firewall-controller/v2/controllers/clusterwidenetworkpolicy_controller.go:283 +0x30d
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: github.com/metal-stack/firewall-controller/v2/controllers.(*ClusterwideNetworkPolicyReconciler).allowedCWNPsOrDelete(0xc000281c00, {0x1cee5e8, 0xc000c8ed50}, {0xc00110aa80?, 0x7, 0xc0011fe000?}, {0xc000d851a0?, 0x53d75a?}, {{0xc000e0e040, 0x1, ...}, ...})
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         github.com/metal-stack/firewall-controller/v2/controllers/clusterwidenetworkpolicy_controller.go:222 +0x24e
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: github.com/metal-stack/firewall-controller/v2/controllers.(*ClusterwideNetworkPolicyReconciler).Reconcile(0xc000281c00, {0x1cee5e8, 0xc000c8ed50}, {{{0xc000c8ed50?, 0x0?}, {0xc000bc5d20?, 0x4105a5?}}})
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         github.com/metal-stack/firewall-controller/v2/controllers/clusterwidenetworkpolicy_controller.go:101 +0x345
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0x1cee5e8?, {0x1cee5e8?, 0xc000c8ed50?}, {{{0xc000d165b8?, 0x1756560?}, {0xc0007eb1b8?, 0x1ce0108?}}})
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         sigs.k8s.io/controller-runtime@v0.14.6/pkg/internal/controller/controller.go:122 +0xb7
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc000621360, {0x1cee620, 0xc0005730e0}, {0x1898200?, 0xc000a9f3c0?})
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         sigs.k8s.io/controller-runtime@v0.14.6/pkg/internal/controller/controller.go:323 +0x368
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc000621360, {0x1cee620, 0xc0005730e0})
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         sigs.k8s.io/controller-runtime@v0.14.6/pkg/internal/controller/controller.go:274 +0x1c9
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2()
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         sigs.k8s.io/controller-runtime@v0.14.6/pkg/internal/controller/controller.go:235 +0x79
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2 in goroutine 643
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         sigs.k8s.io/controller-runtime@v0.14.6/pkg/internal/controller/controller.go:231 +0x565
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e systemd[1]: firewall-controller.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e systemd[1]: firewall-controller.service: Failed with result 'exit-code'.
majst01 commented 9 months ago

Error is weird:

3s          Warning   ForbiddenCIDR          service/nginx-gardener   the specified of "nginx-gardener" to address:"212.34.83.6/32" is outside of the allowed network range:"100.64.0.0/10", ignoring
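The two comments above show the two failure modes a "forbidden mode" egress check has to survive: a nil pointer dereference inside the egress-target prefix validation that takes the whole firewall-controller process down with it (systemd then reports the service failed), and a destination that lies outside the permitted range and has to be refused with a readable message rather than silently applied. The following is an added example, not code from the firewall-controller project: it is a self-contained Go sketch of such a check using net/netip. The type EgressRule, the functions parseAllowed, prefixContains, matchAllowed and validateEgressTargets, and the Verdict struct are hypothetical names introduced here; the allowed range 100.64.0.0/10 and the rejected address 212.34.83.6/32 are taken from the quoted event, the other sample targets are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// EgressRule is a hypothetical stand-in for the egress part of a
// ClusterwideNetworkPolicy: a list of destination CIDRs. It is not the
// controller's own type.
type EgressRule struct {
	To []string
}

// Verdict is the result for one destination CIDR.
type Verdict struct {
	CIDR    string
	Allowed bool
	Reason  string
}

// parseAllowed parses the permitted destination ranges. Invalid input is
// reported as an error so the caller can refuse the configuration up front
// instead of crashing later inside the reconciler.
func parseAllowed(ranges []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(ranges))
	for _, r := range ranges {
		p, err := netip.ParsePrefix(r)
		if err != nil {
			return nil, fmt.Errorf("allowed range %q: %w", r, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// prefixContains reports whether outer fully covers inner: outer is at least
// as wide and inner's network address lies in outer. netip.Prefix.Contains
// already returns false across address families.
func prefixContains(outer, inner netip.Prefix) bool {
	return outer.Bits() <= inner.Bits() && outer.Contains(inner.Addr())
}

// matchAllowed returns the first allowed range that fully covers p.
func matchAllowed(allowed []netip.Prefix, p netip.Prefix) (netip.Prefix, bool) {
	for _, a := range allowed {
		if prefixContains(a, p) {
			return a, true
		}
	}
	return netip.Prefix{}, false
}

// validateEgressTargets checks every destination CIDR against the allowed
// ranges. A nil rule (a policy without an egress section) yields no verdicts
// rather than a nil dereference, and a malformed CIDR is reported per target
// instead of aborting the whole reconcile.
func validateEgressTargets(allowed []netip.Prefix, rule *EgressRule) []Verdict {
	if rule == nil {
		return nil
	}
	verdicts := make([]Verdict, 0, len(rule.To))
	for _, c := range rule.To {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			verdicts = append(verdicts, Verdict{CIDR: c, Reason: "invalid CIDR: " + err.Error()})
			continue
		}
		p = p.Masked()
		if a, ok := matchAllowed(allowed, p); ok {
			verdicts = append(verdicts, Verdict{CIDR: c, Allowed: true, Reason: "inside " + a.String()})
			continue
		}
		verdicts = append(verdicts, Verdict{
			CIDR:   c,
			Reason: fmt.Sprintf("outside of the allowed network ranges %v", allowed),
		})
	}
	return verdicts
}

func main() {
	// Constructed sample input: the allowed range and the rejected /32 mirror
	// the ForbiddenCIDR event quoted in the thread; the rest is made up.
	allowed, err := parseAllowed([]string{"100.64.0.0/10"})
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	rule := &EgressRule{To: []string{"100.64.12.0/24", "212.34.83.6/32", "100.64.0.0/9", "not-a-cidr"}}
	for _, v := range validateEgressTargets(allowed, rule) {
		fmt.Printf("%-16s allowed=%-5t %s\n", v.CIDR, v.Allowed, v.Reason)
	}
	// A policy with no egress section is a no-op, not a crash.
	fmt.Println("verdicts for nil rule:", len(validateEgressTargets(allowed, nil)))
}
```

The /9 case is the one worth noting: it shares the 100.64.0.0 network address with the allowed /10 but is wider, so a check that only tests whether the target's address falls inside the allowed range would accept it; comparing prefix lengths as well rejects it.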