From 93e7c0e8952fcd536e15d2390fe1fd5eee9caca3 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 29 May 2024 10:40:00 +0200
Subject: [PATCH] daemon: firewall pods

This introduces a new tc rule that blocks traffic from outside the cluster targeting pod IPs directly. It requires an adjustment of the BPF filter priority to above 32, which is expected to be set by the Constellation Helm installer.
---
 .../templates/cilium-agent/daemonset.yaml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
index 2949091a8877f..ffd5935ba1c1a 100644
--- a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
+++ b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
@@ -756,6 +756,37 @@ spec:
 - name: cni-path
 mountPath: /host/opt/cni/bin
 {{- end }} # .Values.cni.install
+ - name: firewall-pods
+ image: {{ include "cilium.image" .Values.image | quote }}
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - -exc
+ - |
+ pref=32
+ interface=$(ip route | awk '/^default/ { print $5 }')
+ tc qdisc add dev "${interface}" clsact || true
+ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
+ handle=0
+ for cidr in ${POD_CIDRS}; do
+ handle=$((handle + 1))
+ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
+ done
+ env:
+ - name: POD_CIDRS
+ valueFrom:
+ configMapKeyRef:
+ key: encryption-strict-mode-pod-cidrs
+ name: cilium-config
+ optional: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
 restartPolicy: Always
 priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
 serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
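Review bot: The firewall script fails open when `POD_CIDRS` is unset or empty: the `configMapKeyRef` is `optional: true`, so a missing `encryption-strict-mode-pod-cidrs` key makes the `for cidr in ${POD_CIDRS}` loop run zero times after `tc filter del` has already removed any previous pref-32 rule, and the container exits 0 with no drop rule and nothing in the log. If the rule is meant to be mandatory, add `: "${POD_CIDRS:?encryption-strict-mode-pod-cidrs is not set in cilium-config}"` before the `tc filter del` line so the pod refuses to start instead; if it is meant to be opt-in, at least emit a log line saying that no rule was installed. The hard-coded `pref=32` carries the ordering constraint from the commit message with no comment in the file — `# lower pref runs first; the Cilium BPF filter pref must be set above 32 (installer) or this drop rule is bypassed` would keep a later edit from silently breaking it. `protocol ip` matches IPv4 only, so an IPv6 entry in the CIDR list would presumably make `tc filter replace` fail under `set -e`; if dual-stack CIDRs can appear here, pick `protocol ipv6` per entry based on whether the value contains a colon. The container appears to be appended to the `initContainers` list, whose start is outside the hunk.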