The linode-firewall-controller extends support for Linode Cloud Firewalls to LKE.
As an alpha API, the resources are subject to breaking changes in the future.
TODO: Reduce volume of reconciliation events by filtering out updates to Node Status
TODO: Add support for IPIP traffic, which the Calico overlay network requires. The Linode API already supports it, but linodego support has not yet been added.
linode-firewall-controller is designed to run within an LKE cluster to extend support for Linode Cloud Firewalls. It implements a controller for a new CRD, ClusterwideNetworkPolicy, which allows a user to specify a set of egress and ingress rules to be applied to all cluster nodes at layer 3/4 (IPIP support coming soon). For each ClusterwideNetworkPolicy, a Linode Cloud Firewall is provisioned and configured to match the policy's rules. When Kubernetes Nodes are created or deleted, the Firewall's device list is automatically updated so that every node in the cluster is covered.
You'll need an LKE cluster to run against. An LKE cluster can be deployed via the Linode Cloud Manager (cloud.linode.com), APIv4 (developers.linode.com), or the Linode CLI (https://www.linode.com/docs/products/tools/cli/get-started/).
- Install the ClusterwideNetworkPolicy Custom Resource Definition and linode-firewall-controller:
kubectl apply -k config/crd
kubectl apply -k config/manager
kubectl apply -k config/rbac
- Deploy a ClusterwideNetworkPolicy resource. Create a new ClusterwideNetworkPolicy, or use the provided sample manifest to get started:
kubectl apply -f config/samples
Example ClusterwideNetworkPolicy (the original indentation is restored here; the comment on the first rule now matches the CIDR it actually allows):
apiVersion: networking.linode.com/v1alpha1
kind: ClusterwideNetworkPolicy
metadata:
  name: clusterwidenetworkpolicy-base
spec:
  # The rules in this example are required to support normal LKE cluster functionality
  ingress:
  # allow cluster traffic from the Linode private network, 192.168.128.0/17
  - from:
    - cidr: 192.168.128.0/17
    ports:
    # Kubelet health checks
    - protocol: TCP
      port: 10250
    # Calico BGP
    - protocol: TCP
      port: 179
    # WireGuard tunnel used for kubectl proxy
    - protocol: UDP
      port: 51820
  # no "from" means any source: NodePort services are reachable from the internet
  - from:
    ports:
    # allow NodePort services
    - protocol: TCP
      port: 30000
      endPort: 32767
    - protocol: UDP
      port: 30000
      endPort: 32767
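To make the controller's two reconcile steps concrete (translating a ClusterwideNetworkPolicy into Cloud Firewall rules, and keeping the firewall's device list in sync with the cluster's Nodes), here is an added, self-contained Go example. It is not the controller's own code: the spec and rule types are hypothetical stand-ins that mirror the fields used in the sample manifest above rather than the project's api package or linodego, the "linode://<id>" providerID form is the one the Linode cloud-controller-manager sets on Nodes, and treating an empty `from` as both 0.0.0.0/0 and ::/0 is this example's reading of the sample's NodePort rule. The validation it performs (CIDR parsing, port-range sanity, a fixed protocol order so repeated reconciles produce identical rule sets) is the kind of check a practitioner would want before a policy reaches the API.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Stand-ins for the spec fields the sample manifest uses (assumption: the real CRD types live in the project's api package).
type PortRule struct {
	Protocol string // "TCP" or "UDP"
	Port     int
	EndPort  int // 0 means a single port
}
type IngressRule struct {
	From  []string // source CIDRs; empty means "any source"
	Ports []PortRule
}

// FirewallRule is a hypothetical stand-in for one Cloud Firewall inbound rule.
type FirewallRule struct {
	Action, Protocol string
	Ports            string   // comma-separated ports and ranges, e.g. "30000-32767"
	Addresses        []string // accepted source CIDRs
}

// BuildInboundRules translates ingress rules into firewall rules, one per (ingress rule, protocol) pair, rejecting bad CIDRs and port ranges.
func BuildInboundRules(ingress []IngressRule) ([]FirewallRule, error) {
	var out []FirewallRule
	for i, ing := range ingress {
		var addrs []string
		if len(ing.From) == 0 { // no peers means any source: make that explicit rather than implicit
			addrs = []string{"0.0.0.0/0", "::/0"}
		}
		for _, cidr := range ing.From {
			_, n, err := net.ParseCIDR(cidr)
			if err != nil {
				return nil, fmt.Errorf("ingress[%d]: bad cidr %q: %w", i, cidr, err)
			}
			addrs = append(addrs, n.String()) // canonical form: host bits cleared
		}
		byProto := map[string][]string{}
		for _, pr := range ing.Ports {
			proto := strings.ToUpper(pr.Protocol)
			if proto != "TCP" && proto != "UDP" {
				return nil, fmt.Errorf("ingress[%d]: unsupported protocol %q", i, pr.Protocol)
			}
			if pr.Port < 1 || pr.Port > 65535 || pr.EndPort > 65535 || (pr.EndPort != 0 && pr.EndPort < pr.Port) {
				return nil, fmt.Errorf("ingress[%d]: invalid port range %d-%d", i, pr.Port, pr.EndPort)
			}
			ports := strconv.Itoa(pr.Port)
			if pr.EndPort > pr.Port {
				ports += "-" + strconv.Itoa(pr.EndPort)
			}
			byProto[proto] = append(byProto[proto], ports)
		}
		for _, p := range []string{"TCP", "UDP"} { // fixed order so repeated reconciles do not churn the firewall
			if ports := byProto[p]; len(ports) > 0 {
				out = append(out, FirewallRule{Action: "ACCEPT", Protocol: p, Ports: strings.Join(ports, ","), Addresses: addrs})
			}
		}
	}
	return out, nil
}

// DiffDevices returns the Linode IDs to attach to and detach from the firewall so its device set matches the cluster's Nodes; only Nodes whose providerID has the Linode CCM's "linode://<id>" form count.
func DiffDevices(nodeProviderIDs []string, attached []int) (add, remove []int) {
	want, have := map[int]bool{}, map[int]bool{}
	for _, pid := range nodeProviderIDs {
		id, err := strconv.Atoi(strings.TrimPrefix(pid, "linode://"))
		if strings.HasPrefix(pid, "linode://") && err == nil && id > 0 {
			want[id] = true
		}
	}
	for _, id := range attached {
		if !want[id] && !have[id] {
			remove = append(remove, id)
		}
		have[id] = true
	}
	for id := range want {
		if !have[id] {
			add = append(add, id)
		}
	}
	sort.Ints(add)
	sort.Ints(remove)
	return add, remove
}

func main() {
	rules, err := BuildInboundRules([]IngressRule{ // constructed input: two rules from the sample manifest
		{From: []string{"192.168.128.0/17"}, Ports: []PortRule{{Protocol: "TCP", Port: 10250}, {Protocol: "UDP", Port: 51820}}},
		{Ports: []PortRule{{Protocol: "TCP", Port: 30000, EndPort: 32767}}}})
	add, remove := DiffDevices([]string{"linode://101", "linode://202", "not-a-linode"}, []int{202, 303})
	fmt.Println(rules, err, "attach:", add, "detach:", remove)
}
```

Two design points worth carrying into a real reconciler: rule output must be deterministic, otherwise every reconcile rewrites the firewall and the Node-status update storm the TODO above describes gets amplified into API churn; and a Node without a parseable providerID should be skipped rather than treated as an error, since a freshly created Node may not have one yet and the next Node event will pick it up.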
- To run the controller locally against the cluster, first install the CRDs:
make install
- Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
make run
Or via Kubernetes Manifests:
- Build and push your image to the location specified by IMG:
make docker-build docker-push IMG=<some-registry>/linode-firewall-controller:tag
- Deploy the controller to the cluster with the image specified by IMG:
make deploy IMG=<some-registry>/linode-firewall-controller:tag
To delete the CRDs from the cluster:
make uninstall
Undeploy the controller from the cluster:
make undeploy
If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
make manifests
NOTE: Run make --help for more information on all potential make targets.
More information can be found in the Kubebuilder Documentation.
Copyright 2022.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.