From d9b6c2a1a27334027abfcc0210e6a1a6a10e72dd Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 29 May 2024 10:40:00 +0200
Subject: [PATCH] daemon: firewall pods

This introduces a new tc rule that blocks traffic from outside the cluster targeting pod IPs directly. It requires an adjustment of the BPF filter priority to above 32, which is expected to be set by the Constellation Helm installer.
---
 .../templates/cilium-agent/daemonset.yaml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
index f6b493cb7afdc..d63395f8a19f0 100644
--- a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
+++ b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
@@ -715,6 +715,37 @@ spec:
 - name: cni-path
 mountPath: /host/opt/cni/bin
 {{- end }} # .Values.cni.install
+ - name: firewall-pods
+ image: {{ include "cilium.image" .Values.image | quote }}
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - -exc
+ - |
+ pref=32
+ interface=$(ip route | awk '/^default/ { print $5 }')
+ tc qdisc add dev "${interface}" clsact || true
+ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
+ handle=0
+ for cidr in ${POD_CIDRS}; do
+ handle=$((handle + 1))
+ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
+ done
+ env:
+ - name: POD_CIDRS
+ valueFrom:
+ configMapKeyRef:
+ key: encryption-strict-mode-pod-cidrs
+ name: cilium-config
+ optional: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
 restartPolicy: Always
 priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
 serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
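Review bot: The firewall-pods container can exit 0 without installing a single rule: `encryption-strict-mode-pod-cidrs` is referenced with `optional: true`, so a missing key leaves `POD_CIDRS` empty, the `for` loop runs zero times and the script succeeds — for a firewall that is fail-open. I would fail closed right after `pref=32` with `: "${POD_CIDRS:?encryption-strict-mode-pod-cidrs is unset; refusing to start without the pod firewall}"`, or drop `optional: true` so the pod is not started without it. The interface lookup is similarly unguarded: `ip route | awk '/^default/ { print $5 }'` assumes exactly one default route with a `via` gateway, yielding several names (or an empty string) otherwise, and the `|| true` on the qdisc and `filter del` lines hides that until the `tc filter replace` in the loop fails under `set -e`; `interface=$(ip -o route show default | awk 'NR==1 { print $5 }')` plus `[ -n "${interface}" ]` makes the failure explicit, noting the rule then covers only that one interface. Also, `protocol ip` with `flower dst_ip` matches IPv4 only, so an IPv6 prefix in the CIDR list would make `tc filter replace` error out rather than be filtered — worth a comment, or a `case "${cidr}" in *:*)` branch using `protocol ipv6`, if dual-stack is in scope.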