syself / cluster-api-provider-hetzner

Cluster API Provider Hetzner 🚀 Kubernetes Infrastructure as Software 🔧 Terraform/Kubespray/kOps alternative for running Kubernetes on Hetzner
https://caph.syself.com
Apache License 2.0

How to enable basic Firewall settings for K8s Cluster, which was created using CAPI? #1307

Closed BigBrather closed 1 month ago

BigBrather commented 1 month ago

/kind bug

What steps did you take and what happened:

I tried to manually create Firewall rules and attach them to the K8s Cluster, but after adding my Firewall, the K8s Cluster stops working correctly.

My configuration looked like this:

resource "hcloud_firewall" "firewall_access_k8s_cluster" {
  name = "firewall-access-k8s-cluster"
  rule {
    description = "Allow Incoming Requests ICMP - Ping"
    direction = "in"
    protocol  = "icmp"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  rule {
    description = "Allow Incoming Requests UDP - DNS"
    direction = "in"
    protocol  = "udp"
    port      = "53"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  rule {
    description = "Allow Incoming Requests TCP - DNS"
    direction = "in"
    protocol  = "tcp"
    port      = "53"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  rule {
    description = "Allow Incoming Traffic UDP - K8s Cluster Basic"
    direction = "in"
    protocol  = "udp"
    port      = "30000-32767"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  rule {
    description = "Allow Incoming Traffic TCP - K8s Cluster Basic"
    direction = "in"
    protocol  = "tcp"
    port      = "30000-32767"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  rule {
    description = "Allow Incoming Requests to Hubble Server & Hubble Relay - Cilium"
    direction = "in"
    protocol  = "tcp"
    port      = "4244-4245"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  rule {
    description = "Allow Incoming Requests to Hubble Server & Hubble Relay - Cilium"
    direction = "in"
    protocol  = "tcp"
    port      = "8472"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  rule {
    description = "Allow Internal Traffic UDP - K8s Cluster Special"
    direction = "in"
    protocol  = "udp"
    port      = "1-65535"
    source_ips = [
      "10.0.0.0/8",
      "127.0.0.1/32",
      "172.16.0.0/12",
      "192.168.0.0/16"
    ]
  }
  rule {
    description = "Allow Internal Traffic TCP - K8s Cluster Special"
    direction = "in"
    protocol  = "tcp"
    port      = "1-65535"
    source_ips = [
      "10.0.0.0/8",
      "127.0.0.1/32",
      "172.16.0.0/12",
      "192.168.0.0/16"
    ]
  }
  rule {
    description = "Allow Incoming Requests TCP - Kube API Server"
    direction = "in"
    protocol  = "tcp"
    port      = "6443"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
}

resource "hcloud_firewall_attachment" "fw_acs_k8s_cluster" {
    firewall_id     = hcloud_firewall.firewall_access_k8s_cluster.id
    label_selectors = ["caph-cluster-hz-k8s-capi-fsn1-cw-sandbox=owned"]
}

After which this Firewall was attached to my K8s Cluster, which was created using CAPI.

What did you expect to happen:

Ultimately I expected to have my K8s cluster locked behind a firewall and be able to add additional firewall settings there as needed.

Anything else you would like to add:

I can only add that when my K8s Cluster is open, I can be subject to DDoS attacks from outside.

Environment:
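The rule set above is worth evaluating before it is attached to a running cluster, because a Hetzner Cloud Firewall only admits inbound traffic that some rule matches. The following script is an added example, not code from this issue or from cluster-api-provider-hetzner: it transcribes the ten rules exactly as posted, models them (assumptions, labelled in the code: inbound is default-deny once the firewall is attached, a flow passes if any rule matches, IPv4 and IPv6 are matched separately) and evaluates a handful of constructed sample flows against them. Which flows the CAPH-managed nodes actually need is not stated on this page, so the sample flows and their source addresses are invented for illustration; the value of the check is that it makes explicit what the rules, as written, admit and drop (for instance, the 8472 rule is TCP-only, so UDP on that port from a non-private source matches nothing, while the private-source rules admit everything).

```python
"""Evaluate the posted hcloud_firewall rule set against sample inbound flows.

Added example; not from the issue or the CAPH project. Assumptions:
  - inbound is default-deny once the firewall is attached (Hetzner Cloud semantics),
  - a flow is allowed if any rule matches it,
  - the Rule model mirrors the HCL fields (protocol, port, source_ips).
The sample flows below are constructed; the page does not say which flows
the cluster needed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    description: str
    protocol: str                 # "tcp", "udp" or "icmp"
    port: str | None              # "53", "30000-32767", "1-65535"; None for icmp
    source_ips: tuple[str, ...]   # CIDRs, as in the HCL

    def port_range(self) -> tuple[int, int] | None:
        if self.port is None:
            return None
        lo, _, hi = self.port.partition("-")
        return int(lo), int(hi or lo)

    def matches(self, proto: str, port: int | None, src: str) -> bool:
        if proto != self.protocol:
            return False
        rng = self.port_range()
        if rng is not None and (port is None or not rng[0] <= port <= rng[1]):
            return False
        addr = ipaddress.ip_address(src)
        # `in` is False for a version mismatch (v4 address vs ::/0), so no extra check needed
        return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in self.source_ips)


ANY = ("0.0.0.0/0", "::/0")
PRIVATE = ("10.0.0.0/8", "127.0.0.1/32", "172.16.0.0/12", "192.168.0.0/16")

# Transcribed from the hcloud_firewall resource in the issue, same order, same values.
RULES = [
    Rule("ICMP - Ping", "icmp", None, ANY),
    Rule("UDP - DNS", "udp", "53", ANY),
    Rule("TCP - DNS", "tcp", "53", ANY),
    Rule("UDP - NodePort range", "udp", "30000-32767", ANY),
    Rule("TCP - NodePort range", "tcp", "30000-32767", ANY),
    Rule("TCP - Hubble 4244-4245", "tcp", "4244-4245", ANY),
    Rule("TCP - 8472", "tcp", "8472", ANY),
    Rule("UDP - internal, any port", "udp", "1-65535", PRIVATE),
    Rule("TCP - internal, any port", "tcp", "1-65535", PRIVATE),
    Rule("TCP - Kube API 6443", "tcp", "6443", ANY),
]


def is_allowed(rules: list[Rule], proto: str, port: int | None, src: str) -> bool:
    """Default-deny inbound: the flow passes only if at least one rule matches (assumption)."""
    return any(r.matches(proto, port, src) for r in rules)


def world_open_ports(rules: list[Rule]) -> list[tuple[str, str | None]]:
    """List (protocol, port) of rules whose source list covers every IPv4 address."""
    return [(r.protocol, r.port) for r in rules if "0.0.0.0/0" in r.source_ips]


def evaluate(rules: list[Rule], flows) -> dict[str, bool]:
    """Map each (name, proto, port, src) flow to whether the rule set admits it."""
    return {name: is_allowed(rules, proto, port, src) for name, proto, port, src in flows}


# Constructed sample flows (documentation-range addresses), not taken from the issue.
SAMPLE_FLOWS = [
    ("api server 6443 from operator", "tcp", 6443, "203.0.113.10"),
    ("udp 8472 from peer on public ip", "udp", 8472, "198.51.100.7"),
    ("udp 8472 from peer on private ip", "udp", 8472, "10.0.0.5"),
    ("kubelet 10250 from peer on public ip", "tcp", 10250, "198.51.100.7"),
    ("kubelet 10250 from peer on private ip", "tcp", 10250, "10.0.0.5"),
    ("ssh 22 from anywhere", "tcp", 22, "203.0.113.10"),
]

if __name__ == "__main__":
    for name, ok in evaluate(RULES, SAMPLE_FLOWS).items():
        print(f"{'ALLOW' if ok else 'DROP':5} {name}")
    print("world-open rules:", world_open_ports(RULES))
```

Run it as a plain script to get the allow/drop table; to check a different policy, edit RULES to match the HCL under review and add the flows the cluster's components need on the addresses they actually talk over. The two "internal" rules are the ones to watch: they admit every port, but only from RFC 1918 sources, so any node-to-node traffic that arrives from a public address is judged by the narrower world-open rules alone.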

batistein commented 1 month ago

please see my comment here: https://github.com/syself/cluster-api-provider-hetzner/issues/1309#issuecomment-2110781708

BigBrather commented 1 month ago

@batistein Yes, I saw your answer in this article. Thank you!

batistein commented 1 month ago

OK, then I will close this issue. If you have any other issues, feel free to open a new issue.