daemon: firewall pods

This introduces a new tc rule that blocks traffic from outside the cluster targeting pod IPs directly. It requires an adjustment of the BPF filter priority to above 32, which is expected to be set by the Constellation Helm installer.
edgelesssys · Jun 5, 2024 · 93e7c0e · 93e7c0e
1 parent 03f2ed5
commit 93e7c0e
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
@@ -756,6 +756,37 @@ spec:
           - name: cni-path
             mountPath: /host/opt/cni/bin
       {{- end }} # .Values.cni.install
+      - name: firewall-pods
+        image: {{ include "cilium.image" .Values.image | quote }}
+        imagePullPolicy: IfNotPresent
+        command:
+        - /bin/bash
+        - -exc
+        - |
+          pref=32
+          interface=$(ip route | awk '/^default/ { print $5 }')
+          tc qdisc add dev "${interface}" clsact || true
+          tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
+          handle=0
+          for cidr in ${POD_CIDRS}; do
+            handle=$((handle + 1))
+            tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
+          done
+        env:
+        - name: POD_CIDRS
+          valueFrom:
+            configMapKeyRef:
+              key: encryption-strict-mode-pod-cidrs
+              name: cilium-config
+              optional: true
+        resources:
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
       restartPolicy: Always
       priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
       serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}