Support for Ingress Firewall (extra configs) #284
Comments
Thanks for the feature request! I'm not sure how to support this in a nice way. Do you have any idea on how this should be implemented? Should they be in the same yaml file as the machine config? What should the talconfig.yaml file look like? |
My imagination is to have per-node configuration like this:

nodes:
  - firewallSpec:
      ingress:
        defaultAction: block
        rules:
          - name: kubelet-ingress
            portSelector:
              ports:
                - 10250
              protocol: tcp
            ingress:
              - subnet: 172.20.0.0/24
                except: 172.20.0.1/32

And that will create a file inside

apiVersion: v1alpha1
kind: NetworkDefaultActionConfig
ingress: block
---
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: kubelet-ingress
portSelector:
  ports:
    - 10250
  protocol: tcp
ingress:
  - subnet: 172.20.0.0/24
    except: 172.20.0.1/32

Is this the desired implementation? |
Maybe add it as an attribute to the existing node config:

nodes:
  - hostname: master
    controlPlane: true
    ...
    firewall:

And render to multi-document YAML with a |
@vladimirfx should the process of applying the file using |
Turns out applying the config using |
Hello.

apiVersion: v1alpha1
kind: NetworkDefaultActionConfig
ingress: block
---
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: kubelet-ingress
portSelector:
  ports:
    - 10250
  protocol: tcp
ingress:
  - subnet: 172.20.0.0/24
    except: 172.20.0.1/32
---
version: v1alpha1
machine:
  ...
cluster:
  ...

In addition to the firewall section, maybe also add a separate section for extra manifests (perhaps this method applies not only to firewall settings) in the node settings and include files according to the node machine configuration, for example:

nodes:
  - hostname: master
    controlPlane: true
    ...
    extraManifests:
      - firewall-cp.yaml
  - hostname: worker
    controlPlane: false
    ...
    extraManifests:
      - firewall-work.yaml |
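The rendering the two proposals above describe (a per-node firewall block in talconfig.yaml turned into NetworkDefaultActionConfig and NetworkRuleConfig documents), as an added example that is not part of this thread or of talhelper's code. It assumes the hypothetical node keys `firewall`/`ingress` from the second proposal, validates each rule before rendering (in particular that an `except` range actually lies inside its `subnet`, since one outside it would exclude nothing), and uses only the Python standard library.

```python
import ipaddress

# Constructed sample in the per-node layout proposed above (hypothetical keys).
NODE = {"hostname": "master", "firewall": {"ingress": {
    "defaultAction": "block",
    "rules": [{"name": "kubelet-ingress",
               "portSelector": {"ports": [10250], "protocol": "tcp"},
               "ingress": [{"subnet": "172.20.0.0/24", "except": "172.20.0.1/32"}]}],
}}}

def validate(firewall):
    """Reject values Talos would refuse before any document is written."""
    ingress = firewall["ingress"]
    if ingress["defaultAction"] not in ("accept", "block"):
        raise ValueError("defaultAction must be accept or block")
    for rule in ingress.get("rules", []):
        if rule["portSelector"]["protocol"] not in ("tcp", "udp", "icmp", "icmpv6"):
            raise ValueError(f"{rule['name']}: unsupported protocol")
        for src in rule.get("ingress", []):
            net = ipaddress.ip_network(src["subnet"])
            if "except" in src and not ipaddress.ip_network(src["except"]).subnet_of(net):
                raise ValueError(f"{rule['name']}: except {src['except']} not inside {net}")
    return True

def talos_documents(firewall):
    """One NetworkDefaultActionConfig, then one NetworkRuleConfig per rule."""
    validate(firewall)
    docs = [{"apiVersion": "v1alpha1", "kind": "NetworkDefaultActionConfig",
             "ingress": firewall["ingress"]["defaultAction"]}]
    for rule in firewall["ingress"].get("rules", []):
        docs.append({"apiVersion": "v1alpha1", "kind": "NetworkRuleConfig", **rule})
    return docs

def to_yaml(value, indent=0):
    """Minimal block-style emitter; covers only the dict/list/scalar shapes above."""
    pad, lines = "  " * indent, []
    if isinstance(value, dict):
        for key, val in value.items():
            nested = isinstance(val, (dict, list)) and val
            lines.append(f"{pad}{key}:" if nested else f"{pad}{key}: {val}")
            lines.extend(to_yaml(val, indent + 1) if nested else [])
    else:
        for item in value:
            sub = to_yaml(item, indent + 1) if isinstance(item, dict) else [f"  {pad}{item}"]
            lines.append(f"{pad}- {sub[0].lstrip()}")
            lines.extend(sub[1:])
    return lines

def render(firewall):
    # Multi-document YAML, ready to append after the node's machine config.
    return "\n---\n".join("\n".join(to_yaml(d)) for d in talos_documents(firewall)) + "\n"
```

`render(NODE["firewall"])` produces exactly the two documents shown in the comments above, separated by `---`.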
@aivanov-citc Thanks! Ah, they must be in one file, which makes it make more sense for |
I have just created the PR that will close this issue, do you think this is good enough? @aivanov-citc For the |
I feel like, instead of:
Is it better if it's just:
Not sure which one is better; I want to prepare for when Talos decides to add egress in the future.
|
Looks good to me. I bet for |
|
@aivanov-citc Thanks! Makes sense if that's the direction they're heading. I'll create another issue and maybe I'll work on it later. |
I just created another PR (#298) so that this feature can be put inside |
Please add support for extra document machine config.
https://www.talos.dev/v1.6/talos-guides/network/ingress-firewall/