splunk / splunk-operator

Splunk Operator for Kubernetes

How to disable ports in services #472

Open BGrasnick opened 3 years ago

BGrasnick commented 3 years ago

I set up a splunk environment with the following components:

I installed apps on them to configure them and enable/disable certain features (because they were still or not yet set this way by default):

Everything works so far: sending data to the HEC of the heavy forwarder (standalone) which gets forwarded and indexed on the indexer cluster and is searchable on the search head cluster.

However, then I wanted to configure the Kubernetes part to only allow what I want. This is how it is set up by default after installing all CRs with default settings for services:

[Screenshot: sok-services2]

A lot of ports that I don't want to have open:

I tried with the ServiceTemplate as explained in the CustomResources guide but that only adds services and does not overwrite/disable the old ones.

How can I disable not needed and unwanted open ports so only the ports I want and need for my purposes are open?

Might be connected to https://github.com/splunk/splunk-operator/issues/57, but if I understand correctly, it says there that ports should be closed by default on the Splunk side, which also was not the case for me, which is why I had to deploy the aforementioned apps.

pogdin commented 3 years ago

Hi, thanks for submitting an issue. Let me try to address each item.

The Splunk Docker container comes with several ports open by default so we have to account for that as we convert it into a role.

outputs.conf on the HWF - For this scenario, I would use clusterMasterRef as it will use Indexer Discovery to send data out. Follow the example here for HWF that disables searching of the indexers by the standalone. This is clearly a stopgap until we have an HWF CRD.

inputs.conf on HWF + SHC - For the HWF scenario, you can do this with an App or via the generic conf file method. A lot of use cases may require 9997 (or others) open on the HWF tier for intermediary forwarding. The SHC having 9997 open, totally agree. I've filed a story for us to close this by default but the service does not expose this.

web.conf on HWF and Indexer Cluster members - This should be optional on the HWF as some Apps you may want to configure with SplunkWeb (then maybe disable later). I was doing it this week with Splunk Add-on for AWS and there may be other filtering UIs coming on the HWF in the future. Indexer Cluster members, totally agree. I've had a story to do this in our backlog. Here's how you would do it with the config file generator in the pod definition yaml:

apiVersion: enterprise.splunk.com/v2
kind: Standalone
metadata:
  name: hwf-example
  finalizers:
  - enterprise.splunk.com/delete-pvc
spec:
  clusterMasterRef:
    name: cm-example
  licenseMasterRef:
    name: lm-example
  defaults: |-
    splunk:
      set_search_peers: false
      conf:
        - key: web
          value:
            directory: /opt/splunk/etc/system/local
            content:
              settings:
                startwebserver: 0

inputs.conf on indexer cluster to disable HEC input - this is another one where you want the option to have open. Some people send HEC direct to indexers via ingress service load balancer. Others use your method with HWF. Also should be controllable via App or Ansible defaults.

Your other question about removing the port from the service once deployed, I'll have to investigate further.

vivekr-splunk commented 1 year ago

Hello @BGrasnick, have you tried using NetworkPolicy to disable ports? https://kubernetes.io/docs/concepts/services-networking/network-policies/.
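As an added example (not from the thread or from the operator's documentation), a NetworkPolicy along the lines of the suggestion above for the `hwf-example` Standalone from the earlier reply: all ingress to the HWF pods is denied except HEC (Splunk default port 8088) from any source and the management API (8089) from the operator's namespace, so SplunkWeb (8000) and S2S (9997) are no longer reachable even though the Service still lists them. The pod label values and the namespace names are assumptions about how the operator labels its pods; confirm them with `kubectl get pods --show-labels` before applying.

```yaml
# Added example, not from the issue thread. Label values and namespace
# names are assumptions: confirm with `kubectl get pods --show-labels`.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: hwf-example-ingress
  namespace: splunk            # assumed: namespace holding the Standalone CR
spec:
  # Select the pods the operator runs for the Standalone named hwf-example
  # (label value assumed from the operator's naming convention).
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: splunk-hwf-example-standalone
  policyTypes:
  - Ingress                    # egress stays open: the HWF must reach the indexers
  ingress:
  # HEC on the Splunk default port 8088 from any source. Narrow this with a
  # namespaceSelector/podSelector if an ingress controller fronts the HWF.
  - ports:
    - protocol: TCP
      port: 8088
  # Management API (8089) only from the operator's namespace, so the operator
  # can still reach the pod. Ports 8000 (web) and 9997 (S2S) get no rule and
  # are therefore dropped by the implicit default deny.
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: splunk-operator   # assumed namespace
    ports:
    - protocol: TCP
      port: 8089
```

Enforcement depends on a CNI plugin that implements NetworkPolicy; a policy applied on a cluster without one is accepted by the API server but has no effect. Indexer and search head pods need additional allow rules for their intra-cluster traffic (8089 between members and the cluster manager, and the indexer replication port) before a similar default-deny policy is applied to them.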